Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Tue, 25 Aug 2009 18:48:56 -0500

James McGovern wrote...

- Taking this one step further, how can we convince professors who don't
teach secure coding to not accept insecure code from their students.
Professors seed the students' thinking by accepting anything that barely
works at the last minute. Universities need to be consistent amongst
their own teaching/thinking.

Well, actually, I think that what Matt Bishop wrote in his response to
Benjamin Tomhave is the key:

But in introductory classes, I tend to focus on what I am calling
"robust" above; when I teach software security, I focus on
both, as I consider robustness part of security.

By the way, you can do this very effectively in a beginning
programming class. When I taught Python, as soon as the students got
to basic structures like control loops (for which they had to do
simple reading), I showed them how to catch exceptions so that they
could handle input errors. When they did functions, we went into
exceptions in more detail. They were told that if they didn't handle
exceptions in their assignments, they would lose points -- and the
graders gave inputs that would force exceptions to check that they did.

Most people got it quickly.

That is, Matt suggested a direct reward / punishment. Specifically, if
the students don't account for bad input via exceptions or some other
suitable mechanism, they simply lose points.

Matt's right. If it boils down to grades, most students will get it, and
fast.

And whether we call this secure-coding, robustness, or simply correctness,
it's a start.

I think that too many people when they hear that we need to start teaching
security at every level of CS are thinking of more complicated things like
encryption, authentication protocols, Bell-LaPadula, etc. but I don't think
that was where the thrust of this thread was leading.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
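
The grading approach Matt Bishop describes in the message above, sketched as an added example that is not part of the original post or any participant's code: a grader feeds inputs that force exceptions and awards points only when none escapes. The function names, sample inputs and point values are all assumptions made for illustration.

```python
import math

def fragile_average(lines):
    """Hypothetical submission that 'barely works': trusts every line."""
    values = [float(line) for line in lines]
    return sum(values) / len(values)

def robust_average(lines):
    """Hypothetical submission that handles input errors explicitly."""
    values = []
    for line in lines:
        try:
            value = float(line)
        except (TypeError, ValueError):
            continue                    # malformed or wrong-typed line: skip it
        if math.isfinite(value):        # "nan"/"inf" parse fine but are not data
            values.append(value)
    if not values:
        return None                     # no usable input: say so, don't divide by 0
    return sum(values) / len(values)

# Constructed grader inputs, each chosen to force an exception in naive code.
HOSTILE_INPUTS = [
    [],                 # empty input      -> ZeroDivisionError
    ["abc"],            # not a number     -> ValueError
    ["1", "", "3"],     # blank line       -> ValueError
    [None],             # wrong type       -> TypeError
]

def grade(submission, cases=HOSTILE_INPUTS, points_per_case=2):
    """Return (score, escaped): points are lost for every exception that escapes."""
    score, escaped = 0, []
    for case in cases:
        try:
            submission(case)
        except Exception as exc:        # the student failed to handle this input
            escaped.append((case, type(exc).__name__))
        else:
            score += points_per_case
    return score, escaped

if __name__ == "__main__":
    for submission in (fragile_average, robust_average):
        score, escaped = grade(submission)
        print(f"{submission.__name__}: {score}/8, unhandled: {escaped}")
```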
