Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: u3902 at siliconkeep.com (Olin Sibert)
Date: Tue, 25 Aug 2009 20:16:17 -0400

I'm mostly a lurker here, and I'm a practitioner rather than a
professional educator, but there's a viewpoint I haven't seen
much of that I want to support, namely:

      Exploits are FUN.

Teach from that angle, and I think you'll get more traction.

I've given a fair number of "basic security" talks to commercial
audiences. Invariably, a significant fraction of the audience,
whether they are professional programmers, inexperienced interns,
marketing types, managers, etc., end up wanting to understand
how exploits actually work and how they are prevented.  I can't
help thinking that this would be true of even the freshest of
programming/compsci students. Heck, I've even gotten that
reaction from some of my kids' high school friends.

Not everyone thinks that way, but I think if we can get students
to think "hey, that's pretty clever" instead of teaching security
as something you _must_ do because it's good for you even though
it's not obviously related to getting the job done, odds for
success are higher. Rigor needs to come eventually, but I think
it is absolutely appropriate to include some exploit-based
entertainment even at the earliest stages of education.

We should be selling sizzling steak, not cod liver oil.

Olin Sibert
Oxford Systems, Inc.


