Secure Coding mailing list archives
Secure coding education
From: James Walden <jwalden () eecs utoledo edu>
Date: Fri, 09 Apr 2004 17:28:57 +0100
"And in the one area in which their recommendations could make a long term difference -- upgrading computer science courses so no one graduates if they have not had secure programming skills and knowledge inculcated in them, the document provides no effective mechanism," Paller continued. "It's terrible when the industry says 'wait for us, we'll solve the problem,' and then delivers no effective proposals." I agree that the computer science curriculum needs to add a focus on software security. If you look at the ACM/IEEE Computing Curricula 2001, you'll find security requirements under the areas of networking and operating systems, but not under the areas of programming fundamentals or software engineering. I attempt to integrate software security into all of my courses, teaching secure coding techniques that are relevant to the subject being taught (input validation everywhere, buffer overflows when using C/C++, race conditions when discussing multitasking OSes, etc.) and secure design techniques in software engineering, as well as teaching a separate computer security elective. If someone could send me a copy of the report on computer security education, I'd appreciate it. I'm curious to see what their plan is, so I could see why it's not considered effective. The largest issue I can see without having read the report is the problem of adding any new subject matter to the curricula. CS students already have an extremely heavy load of required courses, and so it will likely be necessary to remove other material in order to add software security. Software security is also not an easy subject for students to understand, as it often requires integrating knowledge from multiple areas--software design, programming languages and libraries, operating systems, and computer architecture--in order to understand a particular attack, such as the common buffer overflow. Teaching students to exploit software vulnerabilities is an essential tool for aiding student understanding, as constructing an exploit requires them integrate these disparate areas of knowledge. -- James Walden, Ph.D. Visiting Assistant Professor of EECS The University of Toledo @ LCCC http://www.eecs.utoledo.edu/~jwalden/ [EMAIL PROTECTED] [Ed. A thousand pardons for taking so long to get this posting through the queue. I had an ill-timed disk failure on Sunday, just before leaving home for San Francisco and wasn't able to get back to the local queue until this morning. Gotta love a good backup system... KRvW]
Current thread:
- Secure coding education James Walden (Apr 09)
- Re: Secure coding education jnf (Apr 09)