Secure Coding mailing list archives
Where Does Secure Coding Belong In the Curriculum?
From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Tue, 25 Aug 2009 08:25:50 -0700
It's a catch-22, and there's certainly no need to be snarky about it. You cannot teach advanced grammar to a student with no language skills. Similarly, to think you can teach secure coding to a student with no coding skills is folly. I think James McGovern's suggestion is probably the best alternative, having students evaluate and analyze the difference between good and bad code. However, I think the utility in that approach will quickly deteriorate as the students gain more skill in writing their own code. The lazy coder will win out in the end when there are deadlines to be met.

As for our hacker friends, if we want to go down that path, then I submit that this war is already very much lost. Hanging out with some of the crews at Defcon this year was an eye-opening experience. We are so far behind the curve that it is irrational to think that we will ever catch up unless the entire battlefield is changed, and the rules of engagement along with them. So many mistakes have been made in generations before mine that we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure. This is not, incidentally, FUD - it's fact, to which not nearly enough people have direct exposure.

-ben

Goertzel, Karen [USA] wrote:
For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other "-ilities" ("goodness" properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond "just get the bloody thing to work" are also intermediate-to-advanced concepts.

In other words, teach the "goodness" properties to developers only after they've inculcated all the bad habits they possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of dubious effectiveness.

Great strategy! Our hacker friends will love it.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_karen at bah.com
________________________________________
From: sc-l-bounces at securecoding.org [sc-l-bounces at securecoding.org] On Behalf Of Benjamin Tomhave [list-spam at secureconsulting.net]
Sent: Monday, August 24, 2009 8:35 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Two quick comments in catching up on the thread...

First, security in the software development concept is at least an intermediate concept, if not advanced....
--
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"If at first you don't succeed, failure might be your thing."
Warren Miller, Impact