Two quick comments in catching up on the thread... First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle (OO anybody?) directly to concepts that bridge computer architecture, code structure, and various other problems.
Second, as long as "the right way" is not the same as "the easy way" then there will always be a disconnect. Perhaps this means that the language itself needs to require strong type checking that enforce appropriate secure coding behavior? Or maybe this is even enforced at the compiler level? (there have, of course, been problems with compilers, too, particularly in optimization mode) cheers, -ben Brad Andrews wrote: > > But we are not talking about separate classes. The assertion (which I > probably clipped, sorry) was that it should be woven into the > curriculum. I was noting where and how to do so, starting in the intro > level classes. Just telling a starting programmer to properly check > input length is all well and good, but falls far short of making a > secure programmer. > > I have no doubt that you can teach some new developers the principles in > a short time and make them more productive than those who have been > programming longer term. They don't have to unlearn anything! But this > will not work for everyone. Some will sit through a class with glazed > eyes and no understanding. > > Also remember we will have to get outside those with a fairly high level > of motivation (internal or external) for learning the material to be > successful. > > I also would like to see how you would teach secure development, with > minimal extra time load, in a basic programming sequence, possibly even > at a non-traditional or lower tier school. We won't make significant > progress until we can do that, and it still leaves out the "self taught." > -- Benjamin Tomhave, MS, CISSP fal...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] Moore's Law: "The number of transistors on an integrated circuit will double in about 18 months." http://globalnerdy.com/2007/07/18/laws-of-software-development/ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
