Secure Coding mailing list archives
Fwd: re-writing college books - erm.. ahm...
From: robin at kallisti.net.nz (Robin Sheat)
Date: Wed, 8 Nov 2006 02:27:03 +1300
On Tuesday 07 November 2006 16:42, Julie J.C.H. Ryan wrote:
Folks, I've been forwarding select messages from this listserv to my nephews, who are undergrads in CS at some fairly renowned
I did a CS degree quite recently. There was simply _no_ mention of security, with the exception of passing mentions in the software engineering paper. In my 4th year (first year of postgrad), I did a paper on network security that was run by the information science department[0] for my own edification. A good paper, although it didn't cover software development security at all (and didn't intend to, either).

A large amount of the programming done there is in safer languages, however. I was in the last year doing Pascal; now it's Java. They are taught C later, more to give students exposure to something a bit 'closer to the metal', where less of the donkey work is taken care of. After that, it tends to develop more into specific languages as suits what people are doing (Haskell, Prolog, LISP, etc).

It is important to note that there is no goal of teaching students to go off and be safe programmers. Computer science is seen to a reasonable extent to be a theoretical pursuit. Algorithms are covered, GC methods, heuristic searches, and so on. That many students from this tend to go off and become programmers is almost seen the same as if they went off and became plumbers, just much more common. They are, of course, expected to hang around and become academics ;)

You could reasonably argue (and I'm inclined to believe it myself) that not teaching secure practices to computer science students is a problem, but I think that the underlying issue is more that security is more of a vocational thing, the same as if they were to teach, say, programming with EJB. (Note: I consider many branches of security research to fit fairly comfortably into computer science, but I don't think that things like 'avoiding buffer overflow vulnerabilities' do, the usefulness of the knowledge aside.) None of this is to say that it shouldn't be taught, just to provide my opinions on why it's not taught.
Given that a large number of CS students _do_ go off and develop real-world software, security should be given some time.

Aside: I don't think there's anything wrong with printf in Java; it is helpful, and AFAIK it's not prone to the same format string vulnerabilities as C is.

[0] At my uni, information science is the more business/application-oriented computer-related department; computer science is much more like applied mathematics/biology/cognitive psychology, depending on what exactly you're doing.

-- 
Robin <robin at kallisti.net.nz> JabberID: <eythian at jabber.kallisti.net.nz>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
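The aside above contrasts printf in Java with printf in C. As an added example that is not part of Robin's post: the C problem is attacker-controlled text reaching the format-string slot, where conversions such as %x read stack words and %n writes to memory. The block below shows the vulnerable call beside the fixed one, and a small scanner that counts format specifiers in untrusted data and flags %n, which is what an input-validation or log-review check would look for. The function names and the sample attacker string are constructed for illustration and are not from the thread. (Java's String.format with an untrusted format can throw a MissingFormatArgumentException or similar, but it cannot read or write raw memory, which is the point of the aside.)

```c
#include <stdio.h>
#include <string.h>

/* Bug pattern: attacker text used as the format string. Input such as
 * "%x %x %x" leaks stack words and "%n" writes to memory. The call goes
 * through a function pointer only so that compilers which reject a
 * non-literal format by default (-Werror=format-security) still build
 * this file; the vulnerability is exactly that of printf(untrusted). */
void log_unsafe(const char *untrusted)
{
    int (*print)(const char *, ...) = printf;
    print(untrusted);
}

/* Fix: the format is a constant, the untrusted text is only an argument. */
void log_safe(const char *untrusted)
{
    printf("%s\n", untrusted);
}

/* The same fix for formatting into a buffer. Returns 0 on success and -1
 * when the output was truncated, so the caller notices short buffers. */
int format_untrusted_safe(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "%s", untrusted);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Scan a string the way printf would: count conversion specifiers and
 * report whether any of them is %n. "%%" is a literal percent sign and is
 * not counted. Useful as a detection check on data that must never be
 * allowed to reach a format slot (hypothetical helper, not a library API). */
int scan_format_specifiers(const char *s, int *has_write_spec)
{
    int count = 0;
    *has_write_spec = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')            /* "%%": escaped percent, not a conversion */
            continue;
        count++;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;
        if (*p == 'n')            /* the write primitive */
            *has_write_spec = 1;
        if (!*p)                  /* trailing '%' with no conversion char */
            break;
    }
    return count;
}

int main(void)
{
    const char *attacker = "%x %x %x %n";   /* constructed sample input */
    char buf[64];
    int has_n;
    int n = scan_format_specifiers(attacker, &has_n);
    printf("specifiers=%d has_%%n=%d\n", n, has_n);
    if (format_untrusted_safe(buf, sizeof buf, attacker) == 0)
        log_safe(buf);            /* prints the literal "%x %x %x %n" */
    /* log_unsafe(attacker) is intentionally never called. */
    return 0;
}
```

The scanner is deliberately conservative: it counts anything after a lone '%' as a conversion even when the conversion character is unusual, because the goal is to reject suspicious input, not to reproduce libc's parser.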
Current thread:
- Fwd: re-writing college books - erm.. ahm... Julie J.C.H. Ryan (Nov 06)
- Fwd: re-writing college books - erm.. ahm... Gadi Evron (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Matt Bishop (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Gadi Evron (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Greg Beeley (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Matt Bishop (Nov 07)
- Fwd: re-writing college books - erm.. ahm... James Walden (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Gadi Evron (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Robin Sheat (Nov 07)
- Fwd: re-writing college books - erm.. ahm... Gadi Evron (Nov 07)