Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: mlyman-cissp at comcast.net (Mike Lyman)
Date: Sat, 22 Aug 2009 10:25:37 -0500

Brad Andrews wrote:
> But we are not talking about separate classes.  The assertion (which I
> probably clipped, sorry) was that it should be woven into the
> curriculum.  I was noting where and how to do so, starting in the
> intro level classes.  Just telling a starting programmer to properly
> check input length is all well and good, but falls far short of making
> a secure programmer.

Sorry if this comes across as a misread of the above but it touches on a
pet peeve of mine in this business. "Falls far short" or "that doesn't fix
the problem" is used quite a bit to dismiss steps we could be taking.
Since we cannot create truly secure systems or software, we need to
embrace efforts that still improve things as long as the cost of the
effort is appropriate for the gain in security. Instead of "properly
check input length is all well and good, but falls far short of making a
secure programmer" I prefer to think of all the security bugs we could
have avoided if most programmers had a well-ingrained habit of doing
just that. We'd still have a lot of problems left to address but we'd
have avoided a lot of pain if this little thing had been taught better
or even taught at all. (When I do secure development intro type classes,
my "if you only take one thing away from today, make it Don't Trust
Input. You'll learn the rest later but that one thing will fix many
problems.")

I went to a different type of college than most people. It exists to train
officers for the US Army. Most of the military training focuses on basic
soldier skills and the things we needed to know to lead small units at
the lieutenant level with platoons and captain level with companies if
we had to. We knew enough of the higher level skills to be able to put
what we were doing into context and maybe, if we got into a really bad
spot, we could, for a time, command a battalion or brigade until
somebody else could get there to take over. We weren't ready to be
generals yet but we were reasonably ready for where we were in our
careers for the first several years and most knew there was still a lot
we had to learn and practice to really be good lieutenants even though
we'd spent four years preparing for the job.

> Some will sit through a class with glazed eyes and no understanding.

We'll always have that. The old doctor joke about 50% of the doctors out
there graduated in the bottom half of their class applies to our
industry as well with the added burden of plenty doing what we do with
no formal training at all. There are reasons we do peer reviews, formal
code reviews and testing. This is just a small piece of the puzzle that
has not been addressed well enough but it is just a piece.
-- 

Mike Lyman
mlyman at west-point.org
