Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: steingra at gmail.com (Andy Steingruebl)
Date: Fri, 21 Aug 2009 08:23:16 -0700

On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall<nmatatal at uci.edu> wrote:
> Inspired by the "What is the size of this list?" discussion, I decided I
> won't be a lurker :)
>
> A question prompted by
> http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
> and the OWASP podcast mentions.
>
> So where does secure coding belong in the curriculum?
>
> Higher Ed? High School?
>
> Undergrad? Grad? Extension?

Does it help at all to consider how and where most people actually
learn to program/develop?  I don't have percentages handy of how many
people with a job title or informal role as "programmer" or
"developer" actually took any formal education in this.  If we're just
trying to reach the group of developers that went through formal
training then we've seen some pretty good answers here in this thread
already. If we want to cover others though, we need to look elsewhere.

Let's look at a few other fields where safety is important and yet the
work is often done by both professionals and amateurs: plumbing
and/or electrical work.  My own view is that much software development
is actually a lot closer to the work of the amateur electrician than
the professional electrician.  That is, unlike fields such as engineering,
architecture, law and accounting, we don't rely on professional
standards, degrees, certifications, etc. for most programmers.  I'm
leaving aside for a moment whether we can or should, and just pointing
out that it is the case.

In the case of the amateur electrician you'll find a wide variety in
their knowledge of safety concerns, adherence to code, etc.  They
probably know enough to not electrocute themselves while they are
working (though not always) but don't necessarily know enough to put
in wiring that won't burn their house down in a few years.

I think our real question isn't just how to reach the "professional"
programmer trained via formal training programs, but also how to reach
the "amateur" programmer trained via books, trial and error, etc.

In these cases the best bet is to make sure that the general training
manuals, how-to guides, etc. have a lot of safety/security information
included in them.  That the books people use to learn actually show
them safe examples, etc.  Obviously there are variations of code
requirements per location and such, but basic safety rules will
probably be mostly universal.

- Andy
