Secure Coding mailing list archives

Re: ACM Queue article and security education


From: James Walden <jwalden () eecs utoledo edu>
Date: Wed, 30 Jun 2004 17:43:16 +0100


Kenneth R. van Wyk wrote:
> Overall, I like and agree with much of what Marcus said in the article.
> I don't, however, believe that we can count on completely putting
> security "below the radar" for developers.  Having strong languages,
> compilers, and run-time environments that actively look out for and
> prevent common problems like buffer overruns are worthy goals, to be
> sure, but counting solely on them presumes that there are no security
> problems at the design, integration, or operations stages of the
> lifecycle.  Even if the run-time environment that Marcus advocates is
> _perfect_ in its protection, these other issues are still problematic
> and require the developers and operations staff to understand the problems.


I agree that you can't solve all security problems with development tools, but 
I think security tools are a worthwhile investment because deploying tools can 
be accomplished much more quickly than educating developers, tools can help 
experienced developers, and tools can raise awareness of software security 
issues.  The article's mention of people creating patches to eliminate compiler 
security warnings may indicate that I'm too optimistic about tools raising 
awareness, but I think that some developers will learn from their tools.


> Yup, but in the "belt and suspenders" approach that I like to advocate,
> I'd like to see software security in our undergrad curricula as well as
> professional training that helps developers understand the security
> touch points throughout the development process -- not just during the
> implementation phase.


I agree.  Students should see software security in all development phases 
relevant to each software course that they take; software engineering in 
particular should address security topics in all phases of the development 
process.  I think there's an additional need for a class focused purely on 
security to put all the elements of security together.


Peter G. Neumann wrote:
> Gee, Some of us have been saying that for 40 years.

I can't deny that even if I have only been reading your comp.risks digest for a 
little more than a third of that span, but I think the fact that today's 
security problems are directly and indirectly impacting large segments of the 
population has increased awareness of security problems, and, as a result, 
we're seeing a rise in security education.  Many of us like to think that 
computer science changes rapidly, and it does compared to older fields like 
physics, where you have to go to graduate school to study much that was 
developed after the 1930's, but I suspect most people in any field avoid change 
until it's forced upon them.


--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/
[EMAIL PROTECTED]





