Secure Coding mailing list archives
Where Does Secure Coding Belong In the Curriculum?
From: mlyman-cissp at comcast.net (Mike Lyman)
Date: Wed, 26 Aug 2009 09:15:03 -0500
Benjamin Tomhave wrote:
First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle (OO anybody?) directly to concepts that bridge computer architecture, code structure, and various other problems.
Like most technical skills, there is a range of skills that play into secure software. When you are teaching hello world, you are not coving program architecture and requirements management. In a similar way you are not going to get into advanced secure software concepts when you are teaching hello world. You teach the appropriate skill levels at the appropriate time and some of these are going to be skills that play into secure programming. For students at perhaps the high school level and above, you can probably even begin to introduce them as things that impact security even if the focus is mainly on doing things right. Bad habits develop early and we need to prevent them as early as possible. Earlier I related how I had college instructors tell us not to worry about extras like error handling but to concentrate on the lesson he was trying to teach us. Clearly many of us were able to worry about error handling, we were trying to do it. We tried to do user friendly interfaces (command line at the time) and respond to incorrect input, don't bother with that, just concentrate on the lesson. The wrong lessons were taught those days. Forget the implied requirements, just get the job done as quickly as possible. Wrong lesson. Early on, way back in high school, I learned about problems with dividing by zero and learned to check for it even if it wasn't explicitly in the code. That was the beginning of input validation. Early on I learned the limits of integer types on computers (also in high school), that was the beginning of learning about integer overflow problems. Secure coding needs to be injected into the entire curriculum to keep the bad habits from developing early but it needs to be done at a skills appropriate level. We're not going to teach people to do a threat modeling when they are doing hello world. We can't teach people to validate input when they have not had any lessons on comparison operators, if statements or case statements etc. Once they've had those though, some basic input validation becomes a great programming assignment to test their understanding of those skills. -- Mike Lyman mlyman at west-point.org
Current thread:
- Where Does Secure Coding Belong In the Curriculum?, (continued)
- Where Does Secure Coding Belong In the Curriculum? Benjamin Tomhave (Aug 26)
- Where Does Secure Coding Belong In the Curriculum? Wall, Kevin (Aug 26)
- Where Does Secure Coding Belong In the Curriculum? McGovern, James F (HTSC, IT) (Aug 27)
- Message not available
- Where Does Secure Coding Belong In the Curriculum? Olin Sibert (Aug 25)
- Where Does Secure Coding Belong In the Curriculum? Kenneth Van Wyk (Aug 26)
- Where Does Secure Coding Belong In the Curriculum? Goertzel, Karen [USA] (Aug 26)
- Where Does Secure Coding Belong In the Curriculum? Matt Bishop (Aug 25)
- Where Does Secure Coding Belong In the Curriculum? Benjamin Tomhave (Aug 25)
- Where Does Secure Coding Belong In the Curriculum? Matt Bishop (Aug 25)
- Where Does Secure Coding Belong In the Curriculum? Benjamin Tomhave (Aug 25)
- Where Does Secure Coding Belong In the Curriculum? Mike Lyman (Aug 26)
- Where Does Secure Coding Belong In the Curriculum? Mike Lyman (Aug 21)
- Where Does Secure Coding Belong In the Curriculum? Mike Lyman (Aug 21)