Brad Andrews wrote: > Has anyone who holds to this taught a beginning level programming > class? Getting students to understand what a loop is can be hard > enough, given limited time. Diving into exploits and buffer overflows > can be much more difficult.
Getting into exploits at this level is probably more than many can handle but it's not a bad time to teach proper bounds checking and making sure any math operations don't result in overflows. Part of the lesson might even be to create loops with math that cause these errors deliberately if students are no longer taught how numbers are represented in memory and what happens when you exceed the limits directly. Might not be a bad idea though to step back on basic courses and rather than dive in to programing concepts right away start with some demonstrations of what happens with bad code and follow up with refreshers periodically through the course. Nothing in great depth unless the students can handle it but showing them what happens after coding errors might raise awareness and start them thinking what happens when this breaks rather than strictly focusing on how do it get it to work. I cringe at the thought of what I used to do in code based on the habits that started in high school and college. > I am sure some things could be put into a basic class, but the ideas > are a bit deeper. Security at the "Hello World!" or Mortgage > Calculator program level seems quite difficult. > > This bears some thinking through, but the security risks seem to be: > > - Make sure the input amount is in dollars. > - Make sure the term is numeric and within "reasonable" ranges. > - Make sure that interest rate is in the form of XX.XX. That's a great start at getting them to think about how they have to treat input and validate it. I don't recall any of my instructors ever focusing on making sure the input to anything is what was expected. I'm sure some did but I don't recall it. Even if the students don't always get it right at this point, get them started thinking about it. > Where do you inject security there? Sure, you can note the importance > of checking the data, but just because someone checks the input here > doesn't mean they will have a clue on checking the input on a web form > for an SQL injection attempt. You might not touch on this until you get to those type applications. If they were taught to question input all along though, by time you get to something like this the habit might be forming. -- Mike Lyman mly...@west-point.org _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________