Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: james.walden at gmail.com (James Walden)
Date: Thu, 20 Aug 2009 11:57:23 -0400

On Wed, Aug 19, 2009 at 5:15 PM, Neil Matatall <nmatatal at uci.edu> wrote:
> So where does secure coding belong in the curriculum?

I think secure coding should be taught at the same time that coding is
taught.  There are aspects of security that can be taught from the
beginning, such as input validation and error handling.  It's a more
efficient and I suspect more effective means of teaching to teach
students the best known methods of secure coding first rather than
initially teaching them to code insecurely then trying to fix that
later.

Northern Kentucky University, where I teach, does this in some classes
and we're working to move it into all classes.  Secure coding is also
a large component of our computer security course, and we have a
separate secure software engineering class at the graduate level
(there is also a security module in the undergraduate software
engineering course.)

I agree with James McGovern on the need for students to study good and
bad code.  It has always surprised me how little code reading is done
in a typical computer science program, and I think this is
particularly important for security.  While you can teach students
secure coding techniques, they will likely not stick with them once
they see examples of bad code elsewhere if they don't understand the
reasons why they're using those techniques.  That's one reason why a
general computer security class is essential to the secure coding
curriculum.

James Walden
Northern Kentucky University
http://faculty.cs.nku.edu/~waldenj

