Where Does Secure Coding Belong In the Curriculum?

[James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))]

Yet another perspective. I believe that this question may be somewhat
flawed as it doesn't take into consideration certain demographic
challenges. Right now the model seems to be based on either being
academic (sitting through a semester of some old fog with no real-world
experience blabbering theory) or in the professional world and their
ability to bring in consultants to perform in-house training (in a
highly constrained time crunch).

So, if you are an employee of a small software company, how do you learn
to write secure code? Academia hasn't yet adjusted to the modern world
of professionals where education needs to be a component in work/life
balance and not an impediment to it and therefore this isn't really an
option for the masses. Likewise, if you aren't employed by a large
enterprise with a training budget that can hire all these training firms
that want to do onsite classes for dozens of employees, you are left
with reading lots of books on your free time, a few OWASP TV videos and
google.

One of the more interesting experiences that I had was that a professor
at RPI uses one of the books I am the lead author for in his class. If I
wanted to be a guest lecturer, this would be no problem, yet if I wanted
to get credit for the course, I would actually have to sit through the
entire thing which would be as interesting as watching paint dry. I have
on several occasions made the offer that I will pay for all fees for a
given course upfront and I want to take the final exam. If I did not
score 100% you could fail me and still no university would take my
offer.

We got to find a balance between one-day train the world in corporate
America and months upon months of mind-numbling indoctrination that
universities push if we are to truly conquer the challenge of secure
coding.

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, 
confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, 
dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender 
immediately by return e-mail, delete this communication and destroy all copies.
************************************************************