Where Does Secure Coding Belong In the Curriculum?

[gem at cigital.com (Gary McGraw)]

hi neil,

For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of 
"Software Security" <http://swsec.com>.  Remember, this list was created in 2006, and lots of other universities have 
jumped on the bandwagon since then.

* University of California at Davis
* University of Virginia
* Johns Hopkins University
* Princeton University
* Purdue University (especially the CERIAS center)
* Rice University
* University of California at Berkeley
* Stanford University
* Naval Postgraduate School (a military school for graduates)
* University of Idaho
* Iowa State University
* George Washington University
* United States Military Academy at West Point

Matt Bishop made some excellent points in this thread.  He and I discuss the notion of education versus training at 
length in Silver Bullet episode 31 <http://www.cigital.com/silverbullet/show-031/> part of which was transcribed here 
<http://www.cigital.com/silverbullet/shows/silverbullet-031-mbishop.pdf>.

gem

company www.cigital.com
book www.swsec.com


On 8/19/09 5:15 PM, "Neil Matatall" <nmatatal at uci.edu> wrote:

Inspired by the "What is the size of this list?" discussion, I decided I won't be a lurker :)

A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html 
</redirect?url=http%3A%2F%2Fmichael-coates%2Eblogspot%2Ecom%2F2009%2F04%2Funiversities-web-app-security%2Ehtml&urlhash=c5OA&_t=disc_detail_link>
 and the OWASP podcast mentions

So where does secure coding belong in the curriculum?

Higher Ed?  High School?

Undergrad? Grad? Extension?

I started a discussion in the Educause group on linked in.  I guess it requires authentication and possibly group 
membership: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=138011&discussionID=5737656

It looks like some Universities are offering courses now...

Neil