Secure Coding mailing list archives

Fwd: re-writing college books - erm.. ahm...


From: Greg.Beeley at LightSys.org (Greg Beeley)
Date: Tue, 07 Nov 2006 15:47:44 -0800

Hi all,

I've been watching this discussion with interest, as I've taught an
undergrad-level course a couple of times that focuses on infosec
with a concentration in software security.  Yes, _Secure Coding_
was one of the books we used :)

A few observations from my experience so far:

   - Sure, we can teach "don't overflow the buffer" in lower division
     undergrad courses, but many students won't understand the
     reasons why this results in an exploitable condition, since those
     reasons require understanding concepts that are not normally taught
     until the upper division of undergrad CS.

   - I think we need to not only give the students the right *tools*
     to code securely, but also the right *mindset*.  It is harder
     to teach the "mindset" in the earlier courses.

   - As for a specialized course on software security, it can be
     tricky working it into the undergrad CS curriculum.  When I've
     taught this material, I could not assume (for instance) a
     certain degree of student knowledge about computer architecture
     and the way the call stack works.  I had to explain that stuff
     just to be able to explain how a buffer overflow works, for instance.

   - We can teach, "be more secure, use Java/C#/etc instead of C",
     and that is good, but remember that these students are going
     out into the real workforce and will use the language(s)
     chosen by their employers (or already in place on an existing
     product line).  I do believe that students still need to know
     how to use C/C++ responsibly.  Otherwise, they may very well
     be ill-prepared for the real world :)

   - As for vocational vs. academic, I think there's a lot of room
     for software security in each.  At the academic level, you
     spend more time explaining the underlying concepts.  For
     example, teaching why having a call stack share data and program
     flow control constructs tends to cause trouble (when no enforcement
     of the bounds of data and control is performed).  Vocational
     teaching is much more hands-on and tools oriented.  At the
     academic level, you want your students to be able to take the
     knowledge and apply it in new and creative ways, not just learn
     a tool or a technique.

   - Many universities want to teach in the academic world the kind
     of knowledge that will give their students a definite edge when
     they go into private industry.  If potential employers (or
     graduate programs, etc.) look favorably on some "software security"
     experience, we will probably see more of it taught and/or
     integrated into existing coursework.

   - I found Corewars to be an interesting tool for starting to
     exercise that "defensive coding" muscle.  It gets students used
     to assuming that their program will be abused and misused,
     among other things :)

Greg.

----------------------------------------------------------------
Greg Beeley, President & Co-Founder     Greg.Beeley at LightSys.org
LightSys Technology Services, Inc.      http://www.LightSys.org/
----------------------------------------------------------------
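The point above about a call stack that shares data and control flow, shown as an added example (written for this archive entry, not code from Greg's post or from _Secure Coding_): a simulated frame with a local buffer directly before a control slot, an unchecked copy, a bounded copy, and the guard-word check a stack protector performs before returning. The frame layout, offsets, guard value and inputs are constructed for the model; no real stack is written to.

```c
#include <stdint.h>
#include <string.h>

/* Model of one activation record: an 8-byte local buffer, then a guard word,
 * then a slot holding control data (a saved return address in a real frame). */
#define BUF_SIZE   8
#define FRAME_SIZE 24
enum { OFF_BUF = 0, OFF_CANARY = 8, OFF_CONTROL = 16 };
static const uint64_t CANARY = 0x0A0D00FF1234ABCDull; /* constructed guard value */
struct frame { unsigned char bytes[FRAME_SIZE]; };

static uint64_t read_u64(const struct frame *f, size_t off) {
    uint64_t v; memcpy(&v, f->bytes + off, sizeof v);
    return v;
}

void frame_init(struct frame *f, uint64_t control) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + OFF_CANARY, &CANARY, sizeof CANARY);
    memcpy(f->bytes + OFF_CONTROL, &control, sizeof control);
}

/* No bounds enforcement, like strcpy() into a local: bytes past BUF_SIZE land
 * in the guard and control slots (clamped at the frame end only so the model
 * itself stays well-defined). */
void copy_unchecked(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    memcpy(f->bytes + OFF_BUF, src, n > FRAME_SIZE ? FRAME_SIZE : n);
}

/* Bounds enforced: oversized input is rejected (-1) and the frame untouched. */
int copy_bounded(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > BUF_SIZE) return -1;
    memcpy(f->bytes + OFF_BUF, src, n);
    return 0;
}

/* What a stack protector checks before returning: the guard is unchanged. */
int frame_intact(const struct frame *f) { return read_u64(f, OFF_CANARY) == CANARY; }
uint64_t frame_control(const struct frame *f) { return read_u64(f, OFF_CONTROL); }

/* Copy INPUT with one routine; returns 1 if guard and control data survived. */
int control_survives(int bounded, const char *input, uint64_t control) {
    struct frame f;
    frame_init(&f, control);
    if (bounded) copy_bounded(&f, input); else copy_unchecked(&f, input);
    return frame_intact(&f) && frame_control(&f) == control;
}
```

With an input longer than the buffer, the unchecked copy changes the control slot and trips the guard check, while the bounded copy refuses the input and leaves both untouched.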
