Secure Coding mailing list archives

Where Does Secure Coding Belong In the Curriculum?


From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Tue, 25 Aug 2009 08:25:50 -0700

It's a catch-22, and there's certainly no need to be snarky about it.
You cannot teach advanced grammar to a student with no language skills.
Similarly, to think you can teach secure coding to a student with no
coding skills is folly. I think James McGovern's suggestion is probably
the best alternative, having students evaluate and analyze the
difference between good and bad code. However, I think the utility in
that approach will quickly deteriorate as the students gain more skill
in writing their own code. The lazy coder will win out in the end when
there are deadlines to be met.

As for our hacker friends, if we want to go down that path, then I
submit that this war is already very much lost. Hanging out with some of
the crews at Defcon this year was an eye-opening experience. We are so
far behind the curve that it is irrational to think that we will ever
catch up unless the entire battlefield is changed, and the rules of
engagement along with them. So many mistakes have been made in
generations before mine that we are now trapped in a box of our own
making that has us squabbling over academic minutiae like how to teach
secure coding when we should not have to consider this topic at all -
the code itself should be inherently secure. This is not, incidentally,
FUD - it's fact, to which not nearly enough people have direct exposure.

-ben

Goertzel, Karen [USA] wrote:
For consistency's sake, I hope you agree that if security is an
intermediate-to-advanced concept in software development, then all
the other "-ilities" ("goodness" properties, if you will), such as
quality, reliability, usability, safety, etc. that go beyond "just
get the bloody thing to work" are also intermediate-to-advanced
concepts.

In other words, teach the "goodness" properties to developers only
after they've inculcated all the bad habits they possibly can, and
then, when they are out in the marketplace and never again
incentivised to actually unlearn those bad habits, TRY desperately to
change their minds using nothing but F.U.D. and various other
psychological means of dubious effectiveness.

Great strategy! Our hacker friends will love it.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_karen at bah.com
________________________________________
From: sc-l-bounces at securecoding.org [sc-l-bounces at securecoding.org] On Behalf Of Benjamin Tomhave [list-spam at secureconsulting.net]
Sent: Monday, August 24, 2009 8:35 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Two quick comments in catching up on the thread...

First, security in the software development concept is at least an 
intermediate concept, if not advanced....


-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"If at first you don't succeed, failure might be your thing."
Warren Miller, Impact

