Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: mlyman-cissp at comcast.net (Mike Lyman)
Date: Fri, 21 Aug 2009 18:26:49 -0500

Brad Andrews wrote:
Has anyone who holds to this taught a beginning level programming
class?  Getting students to understand what a loop is can be hard
enough, given limited time.  Diving into exploits and buffer overflows
can be much more difficult.

Getting into exploits at this level is probably more than many can
handle but it's not a bad time to teach proper bounds checking and
making sure any math operations don't result in overflows. Part of the
lesson might even be to create loops with math that cause these errors
deliberately if students are no longer taught how numbers are
represented in memory and what happens when you exceed the limits directly.

Might not be a bad idea though to step back on basic courses and rather
than dive in to programming concepts right away start with some
demonstrations of what happens with bad code and follow up with
refreshers periodically through the course. Nothing in great depth
unless the students can handle it but showing them what happens after
coding errors might raise awareness and start them thinking what happens
when this breaks rather than strictly focusing on how to get it to
work. I cringe at the thought of what I used to do in code based on the
habits that started in high school and college.

I am sure some things could be put into a basic class, but the ideas
are a bit deeper.  Security at the "Hello World!" or Mortgage
Calculator program level seems quite difficult.

This bears some thinking through, but the security risks seem to be:

- Make sure the input amount is in dollars.
- Make sure the term is numeric and within "reasonable" ranges.
- Make sure that interest rate is in the form of XX.XX.

That's a great start at getting them to think about how they have to
treat input and validate it. I don't recall any of my instructors ever
focusing on making sure the input to anything is what was expected. I'm
sure some did but I don't recall it. Even if the students don't always
get it right at this point, get them started thinking about it.

Where do you inject security there?  Sure, you can note the importance
of checking the data, but just because someone checks the input here
doesn't mean they will have a clue on checking the input on a web form
for an SQL injection attempt.

You might not touch on this until you get to those type applications. If
they were taught to question input all along though, by time you get to
something like this the habit might be forming.

-- 

Mike Lyman
mlyman at west-point.org
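The three input checks Brad lists for the mortgage calculator, worked through as an added example (this is not code from the thread or from either author). The range limits, the accepted dollar format and the XX.XX rate format are assumptions chosen for illustration.

```python
import re
from decimal import Decimal

# Assumed "reasonable" limits; the thread only says inputs should be range-checked.
MAX_AMOUNT = Decimal("10000000")   # dollars
MIN_TERM, MAX_TERM = 1, 50         # years
MAX_RATE = Decimal("99.99")        # percent

# Dollars: optional "$", digits with optional thousands separators, optional cents.
AMOUNT_RE = re.compile(r"^\$?(\d{1,3}(,\d{3})+|\d+)(\.\d{2})?$")
# Interest rate in the form XX.XX (one or two integer digits, exactly two decimals).
RATE_RE = re.compile(r"^\d{1,2}\.\d{2}$")


def parse_amount(text):
    """Validate the loan amount as dollars and return it as a Decimal."""
    s = text.strip()
    if not AMOUNT_RE.match(s):
        raise ValueError(f"amount is not in dollar form: {text!r}")
    value = Decimal(s.lstrip("$").replace(",", ""))
    if not 0 < value <= MAX_AMOUNT:
        raise ValueError(f"amount out of range: {value}")
    return value


def parse_term(text):
    """Validate the term as a whole number of years within the allowed range."""
    s = text.strip()
    if not s.isdigit():                      # rejects "-5", "30.5", "thirty"
        raise ValueError(f"term is not numeric: {text!r}")
    years = int(s)
    if not MIN_TERM <= years <= MAX_TERM:
        raise ValueError(f"term out of range: {years}")
    return years


def parse_rate(text):
    """Validate the annual interest rate as XX.XX percent."""
    s = text.strip()
    if not RATE_RE.match(s):
        raise ValueError(f"rate is not in XX.XX form: {text!r}")
    rate = Decimal(s)
    if not 0 < rate <= MAX_RATE:
        raise ValueError(f"rate out of range: {rate}")
    return rate


def monthly_payment(principal, annual_rate, years):
    """Standard amortised payment, computed only on already-validated inputs."""
    r = annual_rate / Decimal(1200)          # monthly rate as a fraction
    n = years * 12
    return (principal * r / (1 - (1 + r) ** -n)).quantize(Decimal("0.01"))


def rejects(parser, text):
    """True if the parser refuses the input; used to show the checks firing."""
    try:
        parser(text)
    except ValueError:
        return True
    return False
```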


