James McGovern wrote...

> - Taking this one step further, how can we convince professors who don't
> teach secure coding to not accept insecure code from their students.
> Professors seed the students' thinking by accepting anything that barely
> works at the last minute. Universities need to be consistent amongst
> their own teaching/thinking.
Well, actually, I think that what Matt Bishop wrote in his response to Benjamin Tomhave is the key:

> But in introductory classes, I tend to focus on what I am calling
> "robust" above; when I teach software security, I focus on
> both, as I consider robustness part of security.
>
> By the way, you can do this very effectively in a beginning
> programming class. When I taught Python, as soon as the students got
> to basic structures like control loops (for which they had to do
> simple reading), I showed them how to catch exceptions so that they
> could handle input errors. When they did functions, we went into
> exceptions in more detail. They were told that if they didn't handle
> exceptions in their assignments, they would lose points -- and the
> graders gave inputs that would force exceptions to check that
> they did.
>
> Most people got it quickly.

That is, Matt suggested a direct reward / punishment. Specifically, if the students don't account for bad input via exceptions or some other suitable mechanism, they simply lose points.

Matt's right. If it boils down to grades, most students will get it, and fast. And whether we call this secure coding, robustness, or simply correctness, it's a start.

I think that too many people, when they hear that we need to start teaching security at every level of CS, are thinking of more complicated things like encryption, authentication protocols, Bell-LaPadula, etc., but I don't think that was where the thrust of this thread was leading.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
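The exception-handling exercise Matt describes, as an added Python example that is not part of the thread: a "barely works" parser beside a robust one that reports input errors instead of crashing, plus a grader-style harness that feeds inputs chosen to force exceptions. Every function name and sample input here is an assumption constructed for the example.

```python
# Added example (not from the SC-L thread): robust input handling of the kind
# Matt Bishop describes, with a grader-style harness. All names and inputs
# are constructed for illustration.
import math
from typing import List, Tuple


def average_naive(text: str) -> float:
    """The 'barely works' version: assumes well-formed, non-empty input."""
    numbers = [float(tok) for tok in text.split(",")]
    return sum(numbers) / len(numbers)


def average_robust(text: str) -> Tuple[bool, float, str]:
    """Handle input errors explicitly instead of letting them propagate.

    Returns (ok, value, message); value is 0.0 when ok is False.
    """
    numbers: List[float] = []
    for tok in text.split(","):
        tok = tok.strip()
        if not tok:                      # empty field, e.g. "1,,2" or ""
            continue
        try:
            value = float(tok)
        except ValueError:
            return False, 0.0, f"not a number: {tok!r}"
        if not math.isfinite(value):     # "nan", "inf", "1e999" parse but are junk
            return False, 0.0, f"non-finite value rejected: {tok!r}"
        numbers.append(value)
    if not numbers:
        return False, 0.0, "no numbers supplied"   # avoids ZeroDivisionError
    return True, sum(numbers) / len(numbers), "ok"


# Constructed "grader" inputs: several are chosen to make the naive version raise.
HOSTILE_INPUTS = ["", "1,2,x", "nan", "1e999", ",,,"]


def grade(func) -> int:
    """Count how many hostile inputs the function survives without an uncaught exception."""
    survived = 0
    for raw in HOSTILE_INPUTS:
        try:
            func(raw)
            survived += 1
        except Exception:                # an uncaught exception costs points
            pass
    return survived
```

Note that the naive version silently passes "nan" and "1e999" because float() accepts them, so the grader's no-crash check alone is not the whole story; the robust version rejects them explicitly.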