Secure Coding mailing list archives
Fwd: re-writing college books - erm.. ahm...
From: bishop at cs.ucdavis.edu (Matt Bishop)
Date: Tue, 7 Nov 2006 09:56:42 -0800
Folks, A comment based on an idea we tried here.
> Well, I never received any replies here on what's already being done.. so now, I am asking for ideas on how we can approach schools. What's needed, in order for basic CS classes to have a security orientation?
Ideally, I agree with the sentiment but would quarrel with the wording :-). On a practical level, I think this is very unlikely to happen. For example, one problem is those classes are already overloaded with how to program *plus* language stuff. You can only do so much in 10 or 15 weeks (depending on whether you're on the quarter or semester system).

An alternative to focusing on the introductory classes is to provide support for programming throughout the curriculum. But the big problem is overloaded classes--we try to teach too much material now. Telling an algorithms instructor she also needs to teach some security will fail on at least two counts:

(1) "How do I teach the required course material *plus* security?"

(2) "How do I learn enough about security to know what to teach and how to teach it? And where do I find the time to learn this?"

So I don't think adding more material to existing classes will work.

So let's take a page from English departments and/or law schools. Both have writing clinics--they are separate from classes, and provide reviews of written papers before those papers are turned in. The ones I'm familiar with do *not* address content, but they *do* address mechanics (grammar, punctuation, etc.) and expression--does the writing make sense, is it well organized, and so forth.

Why not establish something similar for programming? You could work this in a number of ways. The one we've tried here was to require the students to write the program and then meet with someone working in the clinic. The clinician went through the program with the student, pointed out potential problems and bad programming practices, and (when appropriate) security issues. No grading occurred, but the student could rewrite the program to fix the problems pointed out (and others that the student found--the clinician did not try to find all the problems, just enough to show the student what types of problems were there).
We did some very informal testing, and the results were promising. If anyone's interested, we did a write-up of it; see: http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/

I need to emphasize the results are informal because we weren't educational metricians. Our next step (assuming we can get the funding) will be to devise formal metrics and do some more rigorous measurements to see how well the clinic works.

The interesting point about the clinic is that it appeared to be effective at both introductory and upper division levels, provided the students used it. It also would provide reinforcement throughout the student's undergraduate education, and give the student more of a chance to absorb good programming practices than do one or two classes that focus on those aspects of programming.

Just a thought ....

Matt

==================================
Matt Bishop
Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562
United States of America
phone: +1 530 752 8060
fax: +1 530 752 4767
web: http://seclab.cs.ucdavis.edu/~bishop