Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Wed, 26 Aug 2009 16:30:21 -0500

Ben Tomhave wrote:
> Wall, Kevin wrote:
>
>> I don't mean to split hairs here, but I think "fundamental concept"
>> vs "intermediate-to-advanced concept" is a red herring. In your case
>> of you teaching a 1 yr old toddler, "NO" is about the only thing
>> they understand at this point. That doesn't imply that concepts like
>> "street" are intermediate-to-advanced. It's all a matter of perspective.
>> If you are talking to someone with a Ph.D. in physics about partial
>> differential equations, PDEs *are* a fundamental concept at that level
>> (and much earlier in fact). The point is, not to argue semantics, but
>> rather to teach LEVEL-APPROPRIATE concepts.
>
> I think you do mean to split hairs, and I think you're right to do so.
> Context is very important. For example, all this talk about
> where to fit secure coding into the curriculum is great, but it also
> ignores the very large population of self-taught coders out there,
> as well as those who learn their craft in a setting other than a
> college or university. Ergo, it still seems like we're talking at
> ends about an issue that, while important, is still only at best a
> partial solution.

Of course it's only a partial solution and I think you raise some
very valid concerns. Normally, I wouldn't consider the "self-taught"
in a discussion of where does secure coding belong in the CURRICULUM,
but we can't ignore that 800 lb gorilla either. That of course is a
much harder challenge. I suppose in some sense we should expect / hope
that these same concepts that we've been discussing are addressed in
the numerous books, periodicals, web sites, etc. where most of this
learning happens. But that's probably a much more difficult situation to
change...more of a wild, wild west in comparison to academia.

Ultimately, most sane people act in accordance with that they are
rewarded for doing things correct and disciplined for doing wrong.
In academia, we can do this with grades for students, pay and/or tenure
or other perks for professors / lecturers, etc. But once we get into
books and magazines realm, we have to look for the publishers to
reward / discipline appropriately and IMO they don't necessarily have
the same drivers as academia. Many publishers seem to be more
concerned with just making a quick $$ rather than being accurate
or thoroughly training people to do things correctly. (How else can you
explain books explain tabloids, unless you subscribe to the MiB theory.
And IMHO, there are plenty of "tabloid"-like publishers writing
books in the programming field, but I digress.) Getting back to my
point, you don't have that less "control" for someone putting up
their own educational web pages that profess to teach programming
to which many of the self-educated seem to rely on. There are plenty of
good ones, but most I've seen seem to be oblivious to secure coding
practice (w/ exception of security-related sites such as OWASP, etc.)

So it's only things like reputation, and ultimately market
pressures that force any corrective actions in regards to publishers
of written and web material. Add to that the problem that BECAUSE
these people are self-taught, they generally don't have someone to
provide guidance to separate the wheat from the chaff like instructors
hopefully do with their students.

But if self-taught programmers are the 800 pound gorilla, then corporate
business is the 4 ton elephant.  If anything, I would say that
addressing the pressures that seem to be on corporate programmers that
come to bear _against_ secure coding practice (although unintentionally)
is the MUCH BIGGER problem. (Most people go into CS to move into industry
after all, not to stay and teach/research in academia.)

Most businesses rate secure code as a very low need and to emphasize
time-to-market (which presumably has a direct correlation to market share,
or so we've been told) over everything else. IMHO, that leads to more
slip-shod code than any other single factor. Adding defensive code to
make it more robust against attacks takes additional time, which on
large projects can be quite significant. To make matters worse, many
IT shops in the USA seem to reward the "how fast can you crank out code"
(no matter how insecure) over the "how good of quality do you deliver"
mentality. What is rewarded in IT shops is quantity of LOC cranked out
each week (wrongly widely perceived as equivalent to productivity)
over quality (less buggy code, which I believe correlates well with less
vulnerabilities).

I have no sour grapes here--never wanted to move into management--yet
over my 30+ years in industry (mostly telecom), I've seen the "fast" get
rewarded, transfer to another project before things crash-and-burn, and
then go on to get promoted to some management position. And then they
continue to act this way as managers because that's what got them there.

Let's face it, the IT industry in the USA is one huge dysfunctional family.

So, I think *that's* why we've been focusing on formal education. There is a
chance, a glimmer of hope even in the most cynical of us, that if we reach
a critical mass there (and trust me, my mass is more critical than most),
we can perhaps reach a tipping point and get things turned around.

Until then, in our own circle of influence, we try the best we can to teach
others the whys and hows of secure coding. Often, that's one developer at
a time, and occasionally, you might get the opportunity to teach a small
class. But the cynic in me says that unless we address the pressures in
business that business brings to bear (usually unintentionally) against
secure coding, we are fighting a battle that we will never win because those
forces will cause people to unlearn / forget everything that they have been
properly taught in their CS curriculum about secure coding (if we assume
for the moment we can get to that point someday, which I think we can).

Wow, how was that for a rant? :)
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html


