Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: steingra at gmail.com (Andy Steingruebl)
Date: Tue, 25 Aug 2009 10:14:41 -0700

On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA] <goertzel_karen at bah.com> wrote:
> For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software
> development, then all the other "-ilities" ("goodness" properties, if you will), such as quality, reliability,
> usability, safety, etc. that go beyond "just get the bloody thing to work" are also intermediate-to-advanced concepts.
>
> In other words, teach the "goodness" properties to developers only after they've inculcated all the bad habits they
> possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those
> bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of
> dubious effectiveness.

Seriously?  We're going to teach kids in 5th grade who are just
learning what an algorithm is how to protect against malicious inputs,
how to make their application fast, handle all exception conditions,
etc?

Maybe we're still having that pupil/student discussion?

In engineering disciplines we split courses into different areas of
concern but still make everyone take all of the classes whether they
are beginner or advanced.  Or, physics for example.  Or maybe
something like music lessons?  Maybe we should teach all kids about
vibrato and complex rhythms from day-1, or maybe before they have even
picked up an instrument we should make them study music theory?

I'm just having a hard time understanding why we're trying to invent
this from scratch when plenty of other disciplines, how people learn
other skills, etc. all start from basics and then get more advanced.

-- 
Andy Steingruebl
steingra at gmail.com


