Secure Coding mailing list archives
Re: Strategies for teaching secure coding practices
From: David Evans <evans () cs virginia edu>
Date: Fri, 12 Dec 2003 19:43:33 +0000
On Fri, 12 Dec 2003, Carl G. Alphonce wrote:
I am a recent subscriber to this list and also an educator. I teach primarily undergraduate courses, often the first and second semester courses, and I am very interested to hear from the list what you all consider to be important "secure coding" topics to cover in these first-year classes. Also, what topics to you feel should be covered in an undergraduate curriculum but later than the first year?
The main thing that I feel is wrong with most curricula is they spend the first 2 or more courses teaching students to write insecure code, and then (if we're lucky) try to fix this in the later courses. The approach that I've taken is to have a first course (http://www.cs.virginia.edu/cs200) that focuses on computer science, but attempts to avoid things that are hard to do right without security problems (e.g., avoid complex languages like Java and C++, avoid dealing with user input, etc.). Then, the second course (http://www.cs.virginia.edu/cs201j) attempts to teach software development practices that will result in robust, secure code. Two things we focus on particularly are writing good specifications and documenting and reasoning about invariants (students also use ESC/Java to check the invariants they are able to document formally). I wouldn't claim that most students leave the course being able to produce secure code, but I think they do leave convinced that this is hard to do and just testing their code unsystematically is not likely to produce a robust program. Cheers, --- Dave
Current thread:
- Strategies for teaching secure coding practices Carl G. Alphonce (Dec 12)
- Re: Strategies for teaching secure coding practices Jose Nazario (Dec 12)
- Re: Strategies for teaching secure coding practices Keith Watson (Dec 12)
- Re: Strategies for teaching secure coding practices Steve Litt (Dec 12)
- Re: Strategies for teaching secure coding practices Andrew Gray (Dec 12)
- Re: Strategies for teaching secure coding practices David Evans (Dec 12)
- Re: Strategies for teaching secure coding practices Dana Epp (Dec 12)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 12)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 13)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 14)
- Re: Strategies for teaching secure coding practices Brian Chess (Dec 14)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 14)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Jeff Williams @ Aspect (Dec 13)
- <Possible follow-ups>
- RE: Strategies for teaching secure coding practices Peter Amey (Dec 15)