Secure Coding mailing list archives
Re: Strategies for teaching secure coding practices
From: Crispin Cowan <crispin () immunix com>
Date: Sat, 13 Dec 2003 04:10:23 +0000
Carl G. Alphonce wrote:

> I am a recent subscriber to this list and also an educator. I teach primarily undergraduate courses, often the first and second semester courses, and I am very interested to hear from the list what you all consider to be important "secure coding" topics to cover in these first-year classes. Also, what topics do you feel should be covered in an undergraduate curriculum but later than the first year?

The overall philosophy of secure coding is to write all code as if any code not on the page is out to get you, or at least will do things improperly. Check *everything*! Do not assume that the parameters to a function will be properly formatted or within bounds. The business with string overflows and pointer handling are just instances of this philosophy.

> To give you some context, our first-year sequence currently takes an OO approach, incorporating design patterns and discussions of the merits of alternative designs. We also introduce some team-based work in the second semester, and I will begin to incorporate test-first practices (using JUnit) this coming spring semester.

The secure coding philosophy is independent of OO methodologies, but can be applied there. Here's some ideas:

* Object constructors should initialize all fields with valid values.
* Object methods should *not* assume that objects have been properly initialized.
* Objects are abstract data types, and therefore strong bounds can often be placed on valid data values. Insert checks all over the place that more tightly restrict data to those valid values.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
Immunix 7.3 http://www.immunix.com/shop/
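The three guidelines in the message above, sketched in Java as an added example that is not part of the original post or thread. The `Section` class, its `MAX_SEATS` bound and the sample course code are hypothetical names and values chosen for illustration.

```java
import java.util.Objects;

/** Hypothetical course section: 1..MAX_SEATS seats, 0..capacity students enrolled. */
final class Section {
    static final int MAX_SEATS = 500;   // assumed bound for this example

    private final String courseCode;
    private final int capacity;
    private int enrolled;

    Section(String courseCode, int capacity) {
        // Guideline 1: every field holds a validated value before the constructor returns.
        if (capacity < 1 || capacity > MAX_SEATS) {
            throw new IllegalArgumentException("capacity out of range: " + capacity);
        }
        this.courseCode = Objects.requireNonNull(courseCode, "courseCode");
        this.capacity = capacity;
        this.enrolled = 0;
    }

    // Guideline 2: methods re-check the object's own state instead of trusting it.
    private void checkState() {
        if (courseCode == null || capacity < 1 || capacity > MAX_SEATS
                || enrolled < 0 || enrolled > capacity) {
            throw new IllegalStateException("Section is in an invalid state");
        }
    }

    void enroll(int students) {
        checkState();
        // Guideline 3: restrict the argument to the valid range. Comparing against
        // the remaining seats (a subtraction) avoids overflow in enrolled + students.
        if (students < 1 || students > capacity - enrolled) {
            throw new IllegalArgumentException("cannot enroll " + students);
        }
        enrolled += students;
    }

    int seatsLeft() {
        checkState();
        return capacity - enrolled;
    }

    public static void main(String[] args) {
        Section s = new Section("CSE115", 30);   // constructed sample values
        s.enroll(28);
        System.out.println("seats left: " + s.seatsLeft());
        try { s.enroll(Integer.MAX_VALUE); }     // out of bounds: must be rejected
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because every rejection is an exception, each bound maps directly onto a JUnit test that expects `IllegalArgumentException` or `IllegalStateException`.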
Current thread:
- Strategies for teaching secure coding practices Carl G. Alphonce (Dec 12)
- Re: Strategies for teaching secure coding practices Jose Nazario (Dec 12)
- Re: Strategies for teaching secure coding practices Keith Watson (Dec 12)
- Re: Strategies for teaching secure coding practices Steve Litt (Dec 12)
- Re: Strategies for teaching secure coding practices Andrew Gray (Dec 12)
- Re: Strategies for teaching secure coding practices David Evans (Dec 12)
- Re: Strategies for teaching secure coding practices Dana Epp (Dec 12)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 12)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 13)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 14)
- Re: Strategies for teaching secure coding practices Brian Chess (Dec 14)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 14)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Jeff Williams @ Aspect (Dec 13)
- <Possible follow-ups>
- RE: Strategies for teaching secure coding practices Peter Amey (Dec 15)