Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: mlyman-cissp at comcast.net (Mike Lyman)
Date: Wed, 26 Aug 2009 09:15:03 -0500

Benjamin Tomhave wrote:
First, security in the software development concept is at least an
intermediate concept, if not advanced. Riffing on Brad's comments, it
seems irrational to think that you can jump straight from structural
basics with which many students struggle (OO anybody?) directly to
concepts that bridge computer architecture, code structure, and various
other problems.

Like most technical skills, there is a range of skills that play into
secure software. When you are teaching hello world, you are not covering
program architecture and requirements management. In a similar way you
are not going to get into advanced secure software concepts when you are
teaching hello world. You teach the appropriate skill levels at the
appropriate time, and some of these are going to be skills that play into
secure programming. For students at perhaps the high school level and
above, you can probably even begin to introduce them as things that
impact security even if the focus is mainly on doing things right. Bad
habits develop early and we need to prevent them as early as possible.

Earlier I related how I had college instructors tell us not to worry
about extras like error handling but to concentrate on the lesson he was
trying to teach us. Clearly many of us were able to worry about error
handling; we were trying to do it. We tried to do user-friendly
interfaces (command line at the time) and respond to incorrect input;
don't bother with that, just concentrate on the lesson. The wrong
lessons were taught in those days. Forget the implied requirements, just
get the job done as quickly as possible. Wrong lesson. Early on, way
back in high school, I learned about problems with dividing by zero and
learned to check for it even if it wasn't explicitly in the code. That
was the beginning of input validation. Early on I learned the limits of
integer types on computers (also in high school); that was the beginning
of learning about integer overflow problems.

Secure coding needs to be injected into the entire curriculum to keep
the bad habits from developing early, but it needs to be done at a
skills-appropriate level. We're not going to teach people to do threat
modeling when they are doing hello world. We can't teach people to
validate input when they have not had any lessons on comparison
operators, if statements, case statements, etc. Once they've had those,
though, some basic input validation becomes a great programming
assignment to test their understanding of those skills.
-- 

Mike Lyman
mlyman at west-point.org
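As an added illustration (not part of the mailing-list post), here is the kind of beginner input-validation assignment the post describes: a "safe division" program built only from comparisons and if statements, which rejects a zero divisor and the integer-limit cases before any arithmetic runs. The function names and the command-line usage are assumptions of this example.

```c
/* Added example, not from the post: validate text input before dividing,
 * covering the two failure modes mentioned above (divide by zero and the
 * limits of integer types). */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a whole decimal string into an int; reject empty input, trailing
 * junk, and values outside the int range (the integer-limits check). */
int parse_int(const char *s, int *out) {
    char *end;
    long v;
    if (s == NULL || *s == '\0') return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;  /* overflow or junk */
    if (v < INT_MIN || v > INT_MAX) return 0;        /* long wider than int */
    *out = (int)v;
    return 1;
}

/* Divide only after both dangerous cases are ruled out:
 * b == 0 (divide by zero) and INT_MIN / -1 (quotient does not fit). */
int safe_div(int a, int b, int *quotient) {
    if (b == 0) return 0;
    if (a == INT_MIN && b == -1) return 0;
    *quotient = a / b;
    return 1;
}

/* Combine the checks on string input, as a student program would. */
int divide_strings(const char *x, const char *y, int *quotient) {
    int a, b;
    if (!parse_int(x, &a) || !parse_int(y, &b)) return 0;
    return safe_div(a, b, quotient);
}

int main(int argc, char **argv) {
    int q;
    if (argc != 3) { fprintf(stderr, "usage: %s A B\n", argv[0]); return 2; }
    if (!divide_strings(argv[1], argv[2], &q)) {
        fprintf(stderr, "invalid input: rejected before arithmetic\n");
        return 1;
    }
    printf("%d\n", q);
    return 0;
}
```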
