Where Does Secure Coding Belong In the Curriculum?

[andrews at rbacomm.com (Brad Andrews)]

But we are not talking about separate classes.  The assertion (which I  
probably clipped, sorry) was that it should be woven into the  
curriculum.  I was noting where and how to do so, starting in the  
intro level classes.  Just telling a starting programmer to properly  
check input length is all well and good, but falls far short of making  
a secure programmer.

I have no doubt that you can teach some new developers the principles  
in a short time and make them more productive than those who have been  
programming longer term.  They don't have to unlearn anything!  But  
this will not work for everyone.  Some will sit through a class with  
glazed eyes and no understanding.

Also remember we will have to get outside those with a fairly high  
level of motivation (internal or external) for learning the material  
to be successful.

I also would like to see how you would teach secure development, with  
minimal extra time load, in a basic programming sequence, possibly  
even at a non-traditional or lower tier school.  We won't make  
significant progress until we can do that, and it still leaves out the  
"self taught."

-- 

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Gunnar Peterson <gunnar at arctecgroup.net>:

> > I am sure some things could be put into a basic class, but the   
> > ideas are a bit deeper.  Security at the "Hello World!" or Mortgage  
> >  Calculator program level seems quite difficult.
>
> I am not so sure. Granted an entry level programmer is going to be an
> expert, but they can be pretty effective. I have taught App Security
> classes where there were people with 20+ years of programming
> experience and people with 3 months of OJT programming experience. At
> the end of the two day class they each had the exact same amount of App
> Security training.
>
> The basic concepts of AAA and so on are not so hard to understand. My
> guess is its much harder to start with Hello World, with no security,
> add layers and layers of stuff on top of that over the decades and then
> have to go back and question every single thing...
>
> Someone who spent 20 years building cars with no brakes would have a
> different experience than someone who was taught from the get go that
> all cars have brakes and here is how you design/build them.