Secure Coding mailing list archives
Where Does Secure Coding Belong In the Curriculum?
From: andrews at rbacomm.com (Brad Andrews)
Date: Fri, 21 Aug 2009 15:24:07 -0500
But we are not talking about separate classes. The assertion (which I probably clipped, sorry) was that it should be woven into the curriculum. I was noting where and how to do so, starting in the intro level classes. Just telling a starting programmer to properly check input length is all well and good, but falls far short of making a secure programmer.

I have no doubt that you can teach some new developers the principles in a short time and make them more productive than those who have been programming longer term. They don't have to unlearn anything!

But this will not work for everyone. Some will sit through a class with glazed eyes and no understanding. Also remember we will have to get outside those with a fairly high level of motivation (internal or external) for learning the material to be successful.

I also would like to see how you would teach secure development, with minimal extra time load, in a basic programming sequence, possibly even at a non-traditional or lower tier school. We won't make significant progress until we can do that, and it still leaves out the "self taught."

--
Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI

Quoting Gunnar Peterson <gunnar at arctecgroup.net>:
I am sure some things could be put into a basic class, but the ideas are a bit deeper. Security at the "Hello World!" or Mortgage Calculator program level seems quite difficult.

I am not so sure. Granted an entry level programmer is going to be an expert, but they can be pretty effective. I have taught App Security classes where there were people with 20+ years of programming experience and people with 3 months of OJT programming experience. At the end of the two day class they each had the exact same amount of App Security training. The basic concepts of AAA and so on are not so hard to understand.

My guess is it's much harder to start with Hello World, with no security, add layers and layers of stuff on top of that over the decades and then have to go back and question every single thing... Someone who spent 20 years building cars with no brakes would have a different experience than someone who was taught from the get go that all cars have brakes and here is how you design/build them.