Secure Coding mailing list archives
Grading Secure Programs
From: andrews at rbacomm.com (Brad Andrews)
Date: Fri, 21 Aug 2009 11:18:11 -0500
This brings up a great point. How can we grade a program's security level? Is it just a checkoff list? Which elements should be in that checkoff list?

The worst part of teaching is grading papers (programs are a close second). Making that more complicated is not likely to work. I already spend more time than I want on it, how are you going to convince me to spend more time looking for "secure programs"? It won't happen. (10 seconds grading would be too long, so "enough time" is a relative rather than an absolute time.)

This also ties back to what things you can really look for in most instructional programs, though this would depend on the level of the class. Still, if you are going to require a solid mathematical algorithm, you had better have spent some time going over how to implement mathematical algorithms in code. In the same way, if you want a student to check against SQL injection, you have to have taught that at some point. (Neither have to be in the same class, but they must be prerequisites and likely part of a lower level class.)

Curious question: How many proclaiming "weave it into the curriculum" have worked with many lower-level classes as an instructor?

--
Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI

Quoting Rob Floodeen <floodeen at gmail.com>:
2. a formal method for deducting points from a properly working but incorrectly constructed program (a "Show your work" secure coding equivalent)