Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Mon, 24 Aug 2009 17:35:35 -0700

Two quick comments in catching up on the thread...

First, security in the software development concept is at least an
intermediate concept, if not advanced. Riffing on Brad's comments, it
seems irrational to think that you can jump straight from structural
basics with which many students struggle (OO anybody?) directly to
concepts that bridge computer architecture, code structure, and various
other problems.

Second, as long as "the right way" is not the same as "the easy way"
then there will always be a disconnect. Perhaps this means that the
language itself needs to require strong type checking that enforces
appropriate secure coding behavior? Or maybe this is even enforced at
the compiler level? (there have, of course, been problems with
compilers, too, particularly in optimization mode)

cheers,

-ben

Brad Andrews wrote:

But we are not talking about separate classes.  The assertion (which I
probably clipped, sorry) was that it should be woven into the
curriculum.  I was noting where and how to do so, starting in the intro
level classes.  Just telling a starting programmer to properly check
input length is all well and good, but falls far short of making a
secure programmer.

I have no doubt that you can teach some new developers the principles in
a short time and make them more productive than those who have been
programming longer term.  They don't have to unlearn anything!  But this
will not work for everyone.  Some will sit through a class with glazed
eyes and no understanding.

Also remember we will have to get outside those with a fairly high level
of motivation (internal or external) for learning the material to be
successful.

I also would like to see how you would teach secure development, with
minimal extra time load, in a basic programming sequence, possibly even
at a non-traditional or lower tier school.  We won't make significant
progress until we can do that, and it still leaves out the "self taught."


-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Moore's Law: "The number of transistors on an integrated circuit will
double in about 18 months."
http://globalnerdy.com/2007/07/18/laws-of-software-development/

