Where Does Secure Coding Belong In the Curriculum?

[chandra at list.org (Pravir Chandra)]

The "playing in traffic" example is one extreme end of the spectrum. A
good analogy for the other end might be physics where you just teach
Newtonian theory it as if it were 100% accurate and then, if the
student decides to take a relativistic physics class, you teach them
on day 1 that everything they know isn't right. It seems teaching
secure programming must lie somewhere between these two ends of the
spectrum.

Perhaps a more useful exercise (rather than debating where in the
gradient through metaphor) is to try to enumerate the variables that
play into what draws a topic toward one end or the other. Such
variables might include:
 * "stickiness" of the bias/habits acquired as you learn more
 * impetus to learn more
 * ability/access to learn more

Just a thought.

p.


On 8/25/09, Goertzel, Karen [USA] <goertzel_karen at bah.com> wrote:
> We teach toddlers from the time they can walk that they shouldn't play in
> traffic. A year or two later, we teach them to look both ways before
> crossing the street. Even later - usually when they're approaching their
> teens, and can deal with "grim reality", we give examples that illustrate
> exactly WHY they needed to know those things.
>
> But that doesn't mean we wait until the kids are 11 or 12 to tell them
> shouldn't play in traffic.
>
> There has to be some way to start introducing the idea even to the rawest of
> raw beginning programming students that "good" is much more desirable than
> "expedient", and then to introduce the various properties that collectively
> constitute "good" - including security.
>
> Karen Mercedes Goertzel, CISSP
> Associate
> 703.698.7454
> goertzel_karen at bah.com
> ________________________________________
> From: Andy Steingruebl [steingra at gmail.com]
> Sent: Tuesday, August 25, 2009 1:14 PM
> To: Goertzel, Karen [USA]
> Cc: Benjamin Tomhave; sc-l at securecoding.org
> Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
>
> On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
> [USA]<goertzel_karen at bah.com> wrote:
> > For consistency's sake, I hope you agree that if security is an
> > intermediate-to-advanced concept in software development, then all the
> > other "-ilities" ("goodness" properties, if you will), such as quality,
> > reliability, usability, safety, etc. that go beyond "just get the bloody
> > thing to work" are also intermediate-to-advanced concepts.
> >
> > In other words, teach the "goodness" properties to developers only after
> > they've inculcated all the bad habits they possibly can, and then, when
> > they are out in the marketplace and never again incentivised to actually
> > unlearn those bad habits, TRY desperately to change their minds using
> > nothing but F.U.D. and various other psychological means of dubious
> > effectiveness.
>
> Seriously?  We're going to teach kids in 5th grade who are just
> learning what an algorithm is how to protect against malicious inputs,
> how to make their application fast, handle all exception conditions,
> etc?
>
> ...
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________


-- 
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~