Secure Coding mailing list archives
Re: Education and security -- another perspective (was "ACM Queue - Content")
From: James Walden <jwalden () eecs utoledo edu>
Date: Wed, 07 Jul 2004 19:01:01 +0100
Crispin Cowan wrote: Another perspective (overheard at a conference 12 years ago): * Scientists build stuff in order to learn stuff. * Engineers learn stuff in order to build stuff. I think that's about as accurate a summary of the distinction as you can make in 16 words. What makes it even more fuzzy in our case is that computer science does not fit in any one category, as it's a conglomerate of maths, science, and engineering. That may be why some universities are moving from departments of computer or information science to schools of computer or information science. ... however, the programming skills that universities teach is usually a side-effect of something else they are teaching: topics like algorithms, graphics, database, operating systems, networking, etc. They teach you the topic, give you a development project in that topic, and expect you to pick up the programming skills along the way. What is broken about all this is security: the above approach teaches the kiddies to implement software anyway they can, under a lot of time pressure, and with very little QA pressure: graders have no time to rigorously test assignment hand-ins, and certainly not time to pen-test them. I agree that programming being taught as an afterthought is one of the major sources of the problem with security, and it's related to computer science being a conglomerate of disciplines. CS today feels like we're studying natural philosophy in the days before biology, chemistry, and physics became their own disciplines. It worked when computer science was a younger field, but there's so much to study today that we can't fit all of it into a four year curriculum. There are only a few solutions to adding security to the curriculum in this sutation: 1) remove other material to add security in its place, 2) expand the number of required classes and thus time for a degree, or 3) specialize CS into multiple disciplines, at least one of which has room for security in its curriculum. I think the third choice is the likely and best long term solution, and the first is the most workable short term solution. -- James Walden, Ph.D. Visiting Assistant Professor of EECS The University of Toledo @ LCCC http://www.eecs.utoledo.edu/~jwalden/
Current thread:
- Re: Education and security -- another perspective (was "ACM Queue - Content"), (continued)
- Re: Education and security -- another perspective (was "ACM Queue - Content") ljknews (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Jose Nazario (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Blue Boar (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Jose Nazario (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Fernando Schapachnik (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Blue Boar (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Blue Boar (Jul 08)
- Re: Education and security -- plus safety, reliability and availability Jim & Mary Ronback (Jul 08)
- Re: Education and security -- plus safety, reliability and availability Dana Epp (Jul 08)
- Re: Education and security -- another perspective (was "ACM Queue - Content") Crispin Cowan (Jul 06)
- Re: Education and security -- another perspective (was "ACM Queue - Content") James Walden (Jul 07)