Where Does Secure Coding Belong In the Curriculum?

[Stephan.Neuhaus at disi.unitn.it (Stephan Neuhaus)]

On Aug 25, 2009, at 17:25, Benjamin Tomhave wrote:

> You cannot teach advanced grammar to a student with no language  
> skills.

I have excellent language skills (after my gaffe with the word  
"student" on this very list, I should perhaps add "in my mother  
tongue"), but you still couldn't teach me grammar. I just don't get  
it.  On the other hand, I have known people who couldn't hold write a  
short essay if it saved their lives, yet they were brilliant in taking  
sentences apart.

> Similarly, to think you can teach secure coding to a student with no
> coding skills is follow.

I wouldn't teach "secure coding". I'd teach what Karen has termed  
"goodness properties" along with the other coding stuff like  
variables, loops and so on. Even if you teach total beginners, you  
will usually approach programming as a problem-solving exercise. But  
in order to solve an exercise, you must have at least some notion of  
what constitutes a valid solution. So even complete beginners have a  
notion of what it means for the program to produce the desired result.  
And from that basic understanding of correctness to "the program  
should not behave in any unexpected way, even when attacked" it is not  
that far.

Best,

Stephan