re-writing college books - erm.. ahm...

[ge at linuxbox.org (Gadi Evron)]

On Sun, 29 Oct 2006, Robert C. Seacord wrote:
> Gadi,
>
> I feel like I've been here before, but I'll give it another shot anyway.
>
> > Okay, than let's make some progress:
> > 1. Where and who is currently involved with doing this?
> > 2. What are they doing?
> > 3. Can we use their experience to make it a larger success?
> > 4. How do we begin doing something large-scale?
>
> The Secure Coding Initiative at CERT has a web site at
> www.securecoding.cert.org.  The purpose of this site is to collect
> secure coding recommendations and rules for various programming
> languages.  Our initial focus has been C and C++, but we are willing and
> interested in expanding this effort to other programming languages
> provided that we can find someone to manage the efforts.
>
> The C and C++ material on the site will be used as supplemental material
> to the Addison-Wesley book "Secure Coding in C and C++" in a "Secure
> Programming" course I am teaching this Spring at CMU (so it is being
> used to teach, as well as being a commercial and government resource).
> I am also working with other instructors at other educational
> institutions to develop secure coding curriculum.

We misunderstand each other. I am not speaking of a secure coding book, I
am speaking of "Introduction to Computer Science" and "The C programming
Language".

If we can use what you have already worked on to supplament these courses,
then all for the better!

> We have had significant community effort in the development of these
> secure coding standard practices so far, but we can use all the help we
> can get.  If you would like to get involved, go the sight, sign up, and
> start reviewing the material.  If you are qualified and would like to
> edit the material directly, send me email and I will grant you edit
> permissions.

I doubt I am that much of a good coder anymore.

> I think having a body of knowledge that identifies insecure coding
> practices and provides secure alternatives is a good first start, and
> not as easy as it sounds.

Agreed!
Nice work on all that!

> ---------
>
> I also had another thought about improving the quality of code examples
> in texts.  I know my publisher (Addison-Wesley), and I'm sure others,
> are very concerned about quality.  I could ask my editor if they would
> be willing to make sure that someone with a security background reviewed
> any new programming texts.  If we can come up with a list of subject
> matter experts willing to review new texts, I'm guessing they would be
> very happy to have our feedback.

That sounds like a very good idea! I am sure many would agree to get some
extra cash for reviewing, thing is, that doesn't pay very well.

> rCs