Where Does Secure Coding Belong In the Curriculum?

[list-spam at secureconsulting.net (Benjamin Tomhave)]

Goertzel, Karen [USA] wrote:
> We teach toddlers from the time they can walk that they shouldn't
> play in traffic. A year or two later, we teach them to look both ways
> before crossing the street. Even later - usually when they're
> approaching their teens, and can deal with "grim reality", we give
> examples that illustrate exactly WHY they needed to know those
> things.
Actually, I'm not teaching my 1 yo toddler much of anything about
traffic right now. I'm more playing guardian when she runs around the
house and making sure she doesn't get into situations for which she
would be completely and totally unprepared (and in serious danger). She
lacks the language skills to even marginally understand basic concepts
like "street" let alone "don't play in the street." I think this rather
proves my point that secure coding is not itself a fundamental concept,
but rather an intermediate-to-advanced concept. Matt Bishop's comments
are great, but they've also been applied in a context of higher ed., and
recognize the limits of student understanding at different phases of
development.

-ben

> But that doesn't mean we wait until the kids are 11 or 12 to tell
> them shouldn't play in traffic.
>
> There has to be some way to start introducing the idea even to the
> rawest of raw beginning programming students that "good" is much more
> desirable than "expedient", and then to introduce the various
> properties that collectively constitute "good" - including security.
>
> Karen Mercedes Goertzel, CISSP Associate 703.698.7454 
> goertzel_karen at bah.com ________________________________________ From:
> Andy Steingruebl [steingra at gmail.com] Sent: Tuesday, August 25, 2009
> 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave;
> sc-l at securecoding.org Subject: Re: [SC-L] Where Does Secure Coding
> Belong In the Curriculum?
>
> On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen 
> [USA]<goertzel_karen at bah.com> wrote:
> > For consistency's sake, I hope you agree that if security is an
> > intermediate-to-advanced concept in software development, then all
> > the other "-ilities" ("goodness" properties, if you will), such as
> > quality, reliability, usability, safety, etc. that go beyond "just
> > get the bloody thing to work" are also intermediate-to-advanced
> > concepts.
> >
> > In other words, teach the "goodness" properties to developers only
> > after they've inculcated all the bad habits they possibly can, and
> > then, when they are out in the marketplace and never again
> > incentivised to actually unlearn those bad habits, TRY desperately
> > to change their minds using nothing but F.U.D. and various other
> > psychological means of dubious effectiveness.
>
> Seriously?  We're going to teach kids in 5th grade who are just 
> learning what an algorithm is how to protect against malicious
> inputs, how to make their application fast, handle all exception
> conditions, etc?
>
> ...

-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"That which has always been accepted by everyone, everywhere, is almost
certain to be false."
Paul Valery