Secure Coding mailing list archives

Fwd: re-writing college books - erm.. ahm...


From: robin at kallisti.net.nz (Robin Sheat)
Date: Wed, 8 Nov 2006 02:27:03 +1300

On Tuesday 07 November 2006 16:42, Julie J.C.H. Ryan wrote:
> Folks, I've been forwarding select messages from this listserv to my
> nephews, who are undergrads in CS at some fairly renowned
I did a CS degree quite recently. There was simply _no_ mention of security, 
with the exception of passing mentions in the software engineering paper. In 
my 4th year (first year of postgrad), I did a paper on network security that 
was run by the information science department[0] for my own edification. A 
good paper, although it didn't cover software development security at all 
(and didn't intend to, either).

A large amount of the programming done there is in safer languages, however. I 
was in the last year doing Pascal, now it's Java. They are taught C later 
more to give students exposure to something a bit 'closer to the metal', 
where less of the donkey work is taken care of. After that, it tends to 
develop more into specific languages as suits what people are doing (Haskell, 
Prolog, LISP, etc). 

It is important to note that there is no goal of teaching students to go off 
and be safe programmers. Computer science is seen to a reasonable extent to 
be a theoretical pursuit. Algorithms are covered, GC methods, heuristical 
searches, and so on. That many students from this tend to go off and become 
programmers is almost seen the same as if they went off and became plumbers, 
just much more common. They are, of course, expected to hang around and 
become academics ;)

You could reasonably argue (and I'm inclined to believe it myself) that not 
teaching secure practices to computer science students is a problem, but I 
think that the underlying issue is more that security is more of a vocational 
thing, the same as if they were to teach, say, programming with EJB. (Note: I 
consider many branches of security research to fit fairly comfortably into 
computer science, but I don't think that things like 'avoiding buffer 
overflow vulnerabilities' do, the usefulness of the knowledge aside)

None of this is to say that it shouldn't be taught, just to provide my 
opinions on why it's not taught. Given a large number of CS students _do_ go 
off and develop real-world software, security should be given some time.

Aside: I don't think there's anything wrong with printf in Java, it is 
helpful, and AFAIK it's not prone to the same format string vulnerabilities 
as C is.

[0] at my uni, information science is the more business/application-oriented 
computer-related department, computer science is much more like applied 
mathematics/biology/cognitive psychology, depending on what exactly you're 
doing.

-- 
Robin <robin at kallisti.net.nz> JabberID: <eythian at jabber.kallisti.net.nz>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D