I see your point. On the other hand, there are times I worry that the "teach the 
hacker mentality" approach to secure development training smacks a bit too much 
of teaching future policemen the delights of robbery, rape, torture, and murder in 
order to prepare them to defend the public against robbers, rapists, torturers, 
and murderers.

Definitely teach - with examples - what it is about software that makes it so 
easy to exploit and violate. But stop short of handing the students detailed 
blueprints and instructions, reinforced by lots of hands-on lab time. I'm just 
untrusting enough of human nature to worry that once some of them discover how 
much more fun it is to hack than to defend against hacking, what you'll end up 
with is not the next Bob Seacord but the next Kevin Mitnick.

At the very least, make psychological exams a prerequisite of acceptance into 
your class, so you can weed out the likely psychopaths and sociopaths.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com
________________________________________
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Olin Sibert [u3...@siliconkeep.com]
Sent: Tuesday, August 25, 2009 8:16 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I'm mostly a lurker here, and I'm a practitioner rather than a
professional educator, but there's a viewpoint I haven't seen
much of that I want to support, namely:

      Exploits are FUN.

Teach from that angle, and I think you'll get more traction....
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
