Secure Coding mailing list archives
How can we stop the spreading insecure coding examples at training classes, etc.?
From: pmeunier at purdue.edu (pmeunier at purdue.edu)
Date: Tue, 29 Aug 2006 15:48:17 -0400
Quoting "Wall, Kevin" <Kevin.Wall at qwest.com>:
I think that this practice of leaving out the "security details" to just make the demo code short and sweet has got to stop. Or minimally, we have to make the code that people copy-and-paste from have all the proper security checks even if we don't cover them in training. If we're lucky, maybe they won't delete them when the re-use the code.
I agree, and would like to extend it: security should be discussed *at the same time* that a topic is. Teaching security in a separate class, like I have been doing, reaches only a fraction of the audience, and reinforces an attitude of security as an afterthought, or security as an option. Comments in the code should explain (or refer to explanations of) why changing or deleting those lines is a bad idea. However, I'm afraid that it would irritate students, and make security the new "grammar and spelling" for which points are deducted from "perfectly valid write-ups" (i.e., "it's my ideas that count, not how well I spell"). So, this idea may be more successful with professionals courses than with undergrads. As far as students go, if it's not on the test it might as well be a policy that isn't enforced, so it's not an option to try to teach it but to not grade based on it. Good luck also in trying to get all professors to update their classes and cover security correctly... Please share any answers or insights as to this dilemma. Thanks, Pascal
Current thread:
- How can we stop the spreading insecure coding examples at training classes, etc.? Wall, Kevin (Aug 27)
- How can we stop the spreading insecure coding examples at training classes, etc.? pmeunier at purdue.edu (Aug 28)
- How can we stop the spreading insecure coding examples at training classes, etc.? pmeunier at purdue.edu (Aug 29)
- How can we stop the spreading insecure coding examples attraining classes, etc.? Tim Hollebeek (Aug 30)
- CERT C Programming Language Secure Coding Standard Robert C. Seacord (Aug 31)