Where Does Secure Coding Belong In the Curriculum?

[floodeen at gmail.com (Rob Floodeen)]

Gary wrote:
"He and I discuss the notion of education versus training at length"

And I don't want to bring up the discussion of the difference, however
it does get me to think.

In CS, we do a lot of Math, but programming is not like Math.  Math is
easy to verify if it is done correctly. But in programing what does
correctly mean?

So it has to be taught and incorporated in it's own way.

I think a way ahead should consider the following:
  1. the instructional staff reads all the code, all the time  (But
think of how long this would take)
  2. a formal method for deducting points from a properly working but
incorrectly constructed program (a "Show your work" secure coding
equivalent)
  3. a capability to verify and reinforce good practices consistently
and continually

Of course we can teach a class on best practices, things not to do,
etc. etc.  But how do we continually reinforce it throughout a
curriculum or even a career?

-Rob Floodeen




On Thu, Aug 20, 2009 at 2:55 PM, Gary McGraw<gem at cigital.com> wrote:
> hi neil,
>
> For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of 
> "Software Security" <http://swsec.com>. ?Remember, this list was created in 2006, and lots of other universities have 
> jumped on the bandwagon since then.
>
> * University of California at Davis
> * University of Virginia
> * Johns Hopkins University
> * Princeton University
> * Purdue University (especially the CERIAS center)
> * Rice University
> * University of California at Berkeley
> * Stanford University
> * Naval Postgraduate School (a military school for graduates)
> * University of Idaho
> * Iowa State University
> * George Washington University
> * United States Military Academy at West Point
>
> Matt Bishop made some excellent points in this thread. ?He and I discuss the notion of education versus training at 
> length in Silver Bullet episode 31 <http://www.cigital.com/silverbullet/show-031/> part of which was transcribed here 
> <http://www.cigital.com/silverbullet/shows/silverbullet-031-mbishop.pdf>.
>
> gem
>
> company www.cigital.com
> book www.swsec.com
>
>
> On 8/19/09 5:15 PM, "Neil Matatall" <nmatatal at uci.edu> wrote:
>
> Inspired by the "What is the size of this list?" discussion, I decided I won't be a lurker :)
>
> A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html 
> </redirect?url=http%3A%2F%2Fmichael-coates%2Eblogspot%2Ecom%2F2009%2F04%2Funiversities-web-app-security%2Ehtml&urlhash=c5OA&_t=disc_detail_link>
>  and the OWASP podcast mentions
>
> So where does secure coding belong in the curriculum?
>
> Higher Ed? ?High School?
>
> Undergrad? Grad? Extension?
>
> I started a discussion in the Educause group on linked in. ?I guess it requires authentication and possibly group 
> membership: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=138011&discussionID=5737656
>
> It looks like some Universities are offering courses now...
>
> Neil
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________