Secure Coding mailing list archives
Re: Strategies for teaching secure coding practices
From: "Jared W. Robinson" <jwr () xmission com>
Date: Sat, 13 Dec 2003 04:18:25 +0000
On Fri, Dec 12, 2003 at 10:05:49AM -0500, Carl G. Alphonce wrote:
... I am very interested to hear from the list what you all consider to be important "secure coding" topics to cover in these first-year classes. Also, what topics to you feel should be covered in an undergraduate curriculum but later than the first year?
I find that anecdotal stories are important to emphasize the importance of secure coding practices. You could say something like "Who remembers the Blaster, Welchia or SoBig worms? They are estimated to have caused X million dollars in damage. The worms exploited a buffer overflow, which is what we're going to talk about today...." It's also important to teach studends some basic risk assessment. For example, What is the risk of shipping the product with buffer overflow bugs? How will the product be used and in what environment? What kinds of security requirements does the customer have? Remember that security is not usually the goal of building software. Building a tool that helps people solve problems (usually so that you can make a profit) is the goal. Unfortunately, there are security threats that will make the tool unable to deliver value, so developers have to plan countermeasures that will mitigate those threats in a cost-effective manner. Not all countermeasures are worth the cost they take to implement. Some countermeasures introduce other risks. If people focus too much on security, they may never deliver a product that can make enough money to fund continued development. Not only that, but software is never completely "secure". It can only be "secure enough" for a certain set of conditions. Risk assessment can help define "secure enough". - Jared Robinson -- "It's a well known technology truism that [not] all of the smart people work for you, and that one of the surest ways to success is to get more ideas and more work out of people outside your own fences." - Tim O'Reilly
Current thread:
- Re: Strategies for teaching secure coding practices, (continued)
- Re: Strategies for teaching secure coding practices Steve Litt (Dec 12)
- Re: Strategies for teaching secure coding practices Andrew Gray (Dec 12)
- Re: Strategies for teaching secure coding practices David Evans (Dec 12)
- Re: Strategies for teaching secure coding practices Dana Epp (Dec 12)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 12)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 13)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 14)
- Re: Strategies for teaching secure coding practices Brian Chess (Dec 14)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 14)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Steve Litt (Dec 12)
- Re: Strategies for teaching secure coding practices Jeff Williams @ Aspect (Dec 13)