Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: goertzel_karen at bah.com (Goertzel, Karen [USA])
Date: Wed, 26 Aug 2009 10:09:05 -0400

I see your point. On the other hand, there are times I worry that the "teach the hacker mentality" approach to secure 
development training smacks a bit too much of teaching future policemen the delights of robbery, rape, torture, and murder 
in order to prepare them to defend the public against robbers, rapists, torturers, and murderers.

Definitely teach - with examples - what it is about software that makes it so easy to exploit and violate. But stop 
short of handing the students detailed blueprints and instructions, reinforced by lots of hands-on lab time. I'm just 
untrusting enough of human nature to worry that once some of them discover how much more fun it is to hack than to 
defend against hacking, what you'll end up with is not the next Bob Seacord but the next Kevin Mitnick.

At the very least, make psychological exams a prerequisite of acceptance into your class, so you can weed out the 
likely psychopaths and sociopaths.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_karen at bah.com
________________________________________
From: sc-l-bounces at securecoding.org [sc-l-bounces at securecoding.org] On Behalf Of Olin Sibert [u3902 at siliconkeep.com]
Sent: Tuesday, August 25, 2009 8:16 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I'm mostly a lurker here, and I'm a practitioner rather than a
professional educator, but there's a viewpoint I haven't seen
much of that I want to support, namely:

      Exploits are FUN.

Teach from that angle, and I think you'll get more traction....

