[SC-L] Where Does Secure Coding Belong In the Curriculum?
Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html /redirect?url=http%3A%2F%2Fmichael-coates%2Eblogspot%2Ecom%2F2009%2F04%2Funiversities-web-app-security%2Ehtmlurlhash=c5OA_t=disc_detail_link and the OWASP podcast mentions So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? I started a discussion in the Educause group on linked in. I guess it requires authentication and possibly group membership: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=gid=138011discussionID=5737656 It looks like some Universities are offering courses now... Neil ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Here is where my enterpriseyness will show. I believe the answer to the question of where secure coding belongs in the curiculum is somewhat flawed and requires addressing the curiculum holistically. If you go to art school, you are required to study the works of the masters. You don't attempt to paint a Picasso in the first semester, yet us IT folks think it is OK to write code before studying the differences between good code and bad code. If a student never learns good from bad and over time develops bad habits, then teaching security at ANY stage later in life is the wrong answer. We need to remix the way IT is taught in Universities and revisit the fundamentals of how to approach IT as a whole. My second and conflicting opinion says that Universities shouldn't be teaching secure code as they won't get it right. Students should understand the business/economic impact that lack of secure coding causes. If this is left strictly to Universities, it will most certainly feel academic (in the bad sense). A person doesn't become a real IT professional until they have a few years of real-world experience under their belts and therefore maybe this is best left to their employers as part of professional development and/or Master's programs that are IT-focused but not about the traditional computer-science/software engineering way of thinking... http://twitter.com/mcgoverntheory This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] What is the size of this list?
Another lurker revealing himself ... my name is Matt Bishop, and I lurk at the University of California at Davis where I teach and do research in lots of areas of computer security, including (surprise!) what is traditionally called secure programming and secure software development. For what it's worth, I don't like the use of the term secure because it's too vague -- I'd prefer robust or something related to assurance, but I can't come up with a short term. Oh, well. I've been working with secure coding for many years. I'm particularly interested in the interaction between coding and policy, and also in how to teach this stuff. I've done some training (long ago, with SANS), but now I focus on college/university education (for the most part). I get lots of good examples and ideas from this list, and sometimes the postings challenge me to think about different perspectives. In particular, the discussions of how people use these techniques, and the ones people find the most pernicious and troubling, help me give realistic examples when I teach students how to write good code. So Ken, thank you for starting and maintaining this list -- I think you've done the community a great service. A thought about Rob Floodeen's comment: 2. How to incorporate the concept of secure coding and new techniques/tools to do so. This should be a minor objective through our academic curriculum as well. Just like advanced math skills, we should have advanced secure coding skills for Software Engineers. My own feeling is that this should be a basic skill for people who program, not just software engineers. But the level at which practitioners (for want of a better term) need to know this varies depending on what they do. An occasional programmer (a physicist, for example) probably doesn't need to know about race conditions and, indeed, about security in general -- but she would need to know how to write a program that checks its input (lest the results be invalid -- GIGO), which is security from her point of view. A software engineer darn well better know about race conditions, though! So I agree with what Rob posted, and I did have one thought. Is writing good English a minor objective of an English major? Probably, in the sense English curricula focus on interpretation of literature, literary criticism, and other aspects of literature. But it's an essential one. So perhaps incidental and important describes how I feel better than minor. Matt ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as specified under all conditions, functional correctness would necessarily require security, safety, fault tolerance, and all those other good things that make software dependable instead of just correct. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
[SC-L] embedded systems security analysis
Rafael -- to clarify concretely: There are quite a few researchers that attack/exploit embedded systems. Some google searches will probably provide you with names. None of the folks I know of that actively work on exploiting embedded systems are on this listbut I figure if I know a handful of them in my small circle of software security folks - there have to be many more out there. Assuming you are safe is not just a dangerous assumption: but wrong. Specifically - One researcher I know pulls boards system components apart and finds out who the source IC and component makers are. Then they contact the component and IC makers and pretends to be the board or system vendor who purchased the components, and asks for documentation, debuggers, magic access codes hidden in firmware (if he cannot reverse them). If this fails, the researcher has also befriended people at companies who do work with the IC or board maker, traded them information, in exchange for debuggers and the like. This particular researcher does not publish any of their research in this area. They do it mainly (I think) to help build better tools and as a hobby. (Several of you on this list probably know exactly whom I'm talking about. This person would prefer privacy, and I think the person's employer demands it, unless you get him in person and feed him enough beer.) If I were a bettin' man I'd figure if I know a few person doing this type of thing for quite a few years now -- there are bound to be many, many more Not sure what list to go to for talks on that type of thing. Blackhat.com has some older presentations on this subject. -- Arian Evans On Wed, Aug 19, 2009 at 8:36 AM, Rafael Ruizrafael.r...@navico.com wrote: Hi people, I am a lurker (I think), I am an embedded programmer and work at Lowrance (a brand of the Navico company), and I don't think I can't provide too much to security because embedded software is closed per se. Or maybe I am wrong, is there a way to grab the source code from an electronic equipment? That would be the only concern for embedded programmers like me, but I just like to learn about the thinks you talk. Thank you. Greetings from Mexico. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of Software Security http://swsec.com. Remember, this list was created in 2006, and lots of other universities have jumped on the bandwagon since then. * University of California at Davis * University of Virginia * Johns Hopkins University * Princeton University * Purdue University (especially the CERIAS center) * Rice University * University of California at Berkeley * Stanford University * Naval Postgraduate School (a military school for graduates) * University of Idaho * Iowa State University * George Washington University * United States Military Academy at West Point Matt Bishop made some excellent points in this thread. He and I discuss the notion of education versus training at length in Silver Bullet episode 31 http://www.cigital.com/silverbullet/show-031/ part of which was transcribed here http://www.cigital.com/silverbullet/shows/silverbullet-031-mbishop.pdf. gem company www.cigital.com book www.swsec.com On 8/19/09 5:15 PM, Neil Matatall nmata...@uci.edu wrote: Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html /redirect?url=http%3A%2F%2Fmichael-coates%2Eblogspot%2Ecom%2F2009%2F04%2Funiversities-web-app-security%2Ehtmlurlhash=c5OA_t=disc_detail_link and the OWASP podcast mentions So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? I started a discussion in the Educause group on linked in. I guess it requires authentication and possibly group membership: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=gid=138011discussionID=5737656 It looks like some Universities are offering courses now... Neil ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
