RE: Secure Coding? Bah!

["Patrick Chavez" <pchavez () nmt edu>]

I attend one of those three-dozen Centers of Academic Excellence in
Information Assurance Education and research in all aspects of computer
security is very active.

Many universities (mine included) offer a wealth of security related course
work.  The instructors frequently come directly from industry and are more
than qualified.

However, there is more to computer science than security!  A full course of
study focusing on security may not be as useful as it sounds.  Don't forget
data structures, algorithms, databases, graphics, etc.  When you look at it,
security doesn't really DO anything.  Do you really want a program that
doesn't accomplish anything, other than being secure?



-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com] 
Sent: Thursday, January 22, 2004 20:52
To: mark () curphey com; webappsec () securityfocus com
Subject: Re: Secure Coding? Bah!

credentials or not.. he's right on almost every aspect.

Almost every company I've done work at had pretty insecure
code that I had to fix. I know of almost no peer developers
who are security conscious, as well as I know no developers
personally that were taught security as part of their
training.  It never ceases to amaze me how many developers
know next to nothing about writing secure code. You tell
them about a sql injection attack and they look at you like
a dog who just heard a funny noise and turns its head
sideways. Ironically the only people I know who seme to
have any idea about security are the same ones who could
hack your systems. Seems like this needs to be more two-way
knowledge but most developers just don't care.