Secure Coding mailing list archives

Re: Is developer education a lost cause?


From: Pascal Meunier <pmeunier () cerias purdue edu>
Date: Fri, 23 Jan 2004 14:30:54 +0000

You can't make good cooking by concentrating on the quality of only one
ingredient at a time and say: "I'm not getting a great cake by getting
better eggs, so I should not put efforts into getting and using good eggs"
(repeat with flour, sugar, butter, leavening, and then despair that you'll
never get a great cake :-).

I have seen code quality improve with little or no additional
programming time simply by making a student aware of those repeated mistakes
and trust issues.  Did they make perfect code immediately afterwards?  No.
But it improved.  I believe that code quality would improve even more with
management support, better programming languages and automated checkers, and
development practices that support code reviews, and consumers that demand
secure products and are willing to "pay" (in one way or another) for them.
None of these can be isolated completely from the others.  There's no magic
recipe or lost cause!

Perhaps now Democrats will be quite motivated in funding computer security
initiatives and research, which could help :-).  I wonder if the responsible
people will be brought to court.  I hope that the result won't be more
stupid legislation.

Cheers,
Pascal

Pascal Meunier, Ph.D., M.Sc., CISSP
Assistant Research Scientist
Purdue University CERIAS

On 1/22/04 4:55 PM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:

Hi all,

Over on the Full-Disclosure mailing list, there was a recent thread that
questioned whether trying to educate the end consumer of PC products is a
lost cause.  Malicious software has managed to dupe unsuspecting users into
doing things that security professionals have frowned on for many years,
despite untold numbers of news stories warning users about the problems.
To many, it would appear that the computing masses are...
<diplomatic>knowledge resistant</diplomatic>.  :-)

Well, if things are really that bad for the end consumer, how does the
situation bode for the average software developer?  That is, we've all seen
untold numbers of news stories about buffer overflows and the like.  Why is
it that we don't seem to be making much progress in stamping out these
things?  (I should note that I am not including present company here on
SC-L in this question, since we're presumably all here because we're
concerned enough about secure application development that we want
to discuss and learn with other like-minded folk.)

Is developer education a lost cause?

I happen to think that it isn't, but that opinion isn't shared by everyone.
Indeed, a few of the people that I talked with about participating here on
SC-L were reluctant because they were fed up with trying to educate the
masses.

If you agree that it isn't a lost cause, then what more {c|sh}ould be done?
That said, how do we measure or even know if things are improving?  By the
number of vulnerability advisories per month?  (I hope not.)

Cheers,

Ken van Wyk
