Ben Tomhave wrote:
Wall, Kevin wrote:
I don't mean to split hairs here, but I think fundamental concept
vs intermediate-to-advanced concept is a red herring. In your case
of you teaching a 1 yr old toddler, NO is about the only thing
they understand at this point. That doesn't imply
Yet another perspective. I believe that this question may be somewhat
flawed as it doesn't take into consideration certain demographic
challenges. Right now the model seems to be based on either being
academic (sitting through a semester of some old fog with no real-world
experience blabbering
. End of discussion...
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On
Behalf Of Jim Manico [...@manico.net]
Sent: Tuesday, August 25, 2009 11:17 PM
To: Benjamin Tomhave
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure
Personally I think secure coding should be included in the entire
curriculum irrespective of the level. People learn habits early on
that they tend to carry for as long as they are programmers. How many
programmers that learned the K&R style of indentation for example
continue to use it as their
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf
Of McGovern, James F (HTSC, IT) [james.mcgov...@thehartford.com]
Sent: Tuesday, August 25, 2009 2:09 PM
To: Secure Code Mailing List
Subject: [SC-L] Where Does Secure Coding Belong
James McGovern wrote...
- Taking this one step further, how can we convince
professors who don't
teach secure coding to not accept insecure code from their students.
Professors seed the students thinking by accepting anything
that barely
works at the last minute. Universities need to be
: Benjamin Tomhave; sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
[USA] <goertzel_ka...@bah.com> wrote:
For consistency's sake, I hope you agree that if security is an
intermediate-to-advanced concept
Matt Bishop wrote:
Instead, what you can do is frame the issues as good programming. When
teaching for loops, teach the idea of a limit (upper and lower
bounds). Then when you get to arrays, it's natural to discuss bounds
checking in the context of iteration (I don't phrase it that way, of
Associate 703.698.7454
goertzel_ka...@bah.com
From: Andy Steingruebl [stein...@gmail.com]
Sent: Tuesday, August 25, 2009 1:14 PM
To: Goertzel, Karen [USA]
Cc: Benjamin Tomhave; sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong
Ben,
Let's just hope that the code isn't compiled with -O3 or similar,
creating an unintended bug. :)
http://isc.sans.org/diary.html?storyid=6820
Brings back memories -- the first day on the job as a summer intern I
had to track down a bug in a UNIX device driver. Turned out the
optimizer
Matt Bishop wrote:
And that's an artifact of a lack of resources for the type of grading.
Give classes the support to do this, and I suspect you'd see people get
in the habit of writing better code. Better, use students and people
from industry who know this stuff to staff a clinic analogous
So many mistakes have been made in
generations before mine that we are now trapped in a box of our own
making that has us squabbling over academic minutiae like how to teach
secure coding when we should not have to consider this topic at all -
the code itself should be inherently secure.
Brad Andrews writes...
I had proofs in junior high Geometry too, though I do not recall using
them outside that class. I went all the way through differential
equations, matrix algebra and probability/statistics and I don't
recall much focus on proofs. This was in the early 1980s in a good
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:
Exploits are FUN.
I agree, at least to a point. Whenever I work exploits into my
workshops, the results are right on the mark. So long as the exploits
are balanced with just the right amount of remediations, it works great.
The key is
...@bah.com
From: Benjamin Tomhave [list-s...@secureconsulting.net]
Sent: Wednesday, August 26, 2009 12:27 AM
To: Goertzel, Karen [USA]
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Goertzel, Karen [USA] wrote:
We
@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I had proofs in junior high Geometry too, though I do not recall using
them outside that class. I went all the way through differential
equations, matrix algebra and probability/statistics and I don't
recall much
, August 25, 2009 8:16 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I'm mostly a lurker here, and I'm a practitioner rather than a
professional educator, but there's a viewpoint I haven't seen
much of that I want to support, namely:
Exploits
[...@manico.net]
Sent: Tuesday, August 25, 2009 11:17 PM
To: Benjamin Tomhave
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I again come back to James McGovern's suggestion, which is treating
coding as an art rather than a science
Keep your Picasso out of my
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:
First, security in the software development concept is at least an
intermediate concept, if not advanced.
Not at all. That would be like saying that correctness is also an
advanced concept, because it gets in the way of coding. Security is
...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf
Of Benjamin Tomhave [list-s...@secureconsulting.net]
Sent: Monday, August 24, 2009 8:35 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Two quick comments in catching up on the thread
On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote:
You don't teach proofs - not really. The elementary and junior high
curriculum generally does not contain anything about proofs
I was talking about college students because that's when I was
properly taught programming. That may no longer
On Tue, Aug 25, 2009 at 4:09 AM, Stephan
Neuhaus <stephan.neuh...@disi.unitn.it> wrote:
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:
First, security in the software development concept is at least an
intermediate concept, if not advanced.
Not at all. That would be like saying that
On Aug 25, 2009, at 18:07, Andy Steingruebl wrote:
<Sarcasm>really? First graders are learning to do math proofs instead
of basic addition? I'm quite surprised by this.</Sarcasm>
Yeah, sorry. When I wrote about students I meant college
students. I don't know, is that a difference between
Ben,
First, security in the software development concept is at least an
intermediate concept, if not advanced. Riffing on Brad's comments, it
seems irrational to think that you can jump straight from structural
basics with which many students struggle (OO anybody?) directly to
concepts that
Of Benjamin Tomhave [list-s...@secureconsulting.net]
Sent: Monday, August 24, 2009 8:35 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Two quick comments in catching up on the thread...
First, security in the software development concept
1:14 PM
To: Goertzel, Karen [USA]
Cc: Benjamin Tomhave; sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
[USA] <goertzel_ka...@bah.com> wrote:
For consistency's sake, I hope you agree that if security
I was thinking of a beginner-level programming class. I have and it
can be a challenge, especially if they don't have the programming
mindset. Even if they do, you don't have the time for the things you
spoke about. You are focusing on basic coding constructs first. :)
--
Brad
Are there any industry metrics that indicate what percentage of
full-time software developers actually learned coding in a university
setting? I actually learned in high-school, focused on business
administration in college (easiest major on the planet) and
learned/matured on the job. Likewise, I
Andy Steingruebl wrote:
I think our real question isn't just how to reach the professional
programmer trained via formal training programs, but also how to reach
the amateur programmer trained via books, trial+error, etc.
One area here is making sure examples are done correctly. The
Brad Andrews wrote:
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
Getting into exploits at this level is
Goertzel, Karen [USA] <goertzel_ka...@bah.com> wrote:
If determination of functional correctness were extended from "must
operate as specified under expected conditions" to "must operate as
specified under all conditions," functional correctness would necessarily
require security, safety, fault
Karen Goertzel wrote...
I'm more devious. I think what needs to happen is that we
need to redefine what we mean by functionally correct or
quality code. If determination of functional correctness
were extended from must operate as specified under expected
conditions to must operate as
-boun...@securecoding.org] On Behalf
Of Gary McGraw [...@cigital.com]
Sent: Thursday, August 20, 2009 2:55 PM
To: Neil Matatall; Secure Code Mailing List
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
hi neil,
For what it's worth, there is a list of universities with some
: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
hi neil,
For what it's worth, there is a list of universities with some kind of software security
curriculum on page 98 of Software Security http://swsec.com. Remember,
this list was created in 2006, and lots of other universities
Neil Matatall wrote:
So where does secure coding belong in the curriculum?
Higher Ed? High School?
Undergrad? Grad? Extension?
Secure coding needs to be taught anytime programming is taught.
From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and confuse
: Friday, August 21, 2009 8:17 AM
To: Secure Coding
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Neil Matatall wrote:
So where does secure coding belong in the curriculum?
Higher Ed? High School?
Undergrad? Grad? Extension?
Secure coding needs to be taught anytime
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall <nmata...@uci.edu> wrote:
Inspired by the "What is the size of this list?" discussion, I decided I
won't be a lurker :)
A question prompted by
http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
and the OWASP podcast
I think we need to start indoctrinating kids in the womb. Start
selling Baby Schneier CDs alongside Baby Mozart. :)
I can recommend this book, it was given to me by a client.
Enigma: A Magical Mystery
Grade 3–6—Someone has stolen the props belonging to the residents of
a retirement home
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
I am sure some things could be put into a basic class,
Inspired by the "What is the size of this list?" discussion, I decided I
won't be a lurker :)
A question prompted by
http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
Here is where my enterpriseyness will show. I believe the answer to the
question of where secure coding belongs in the curriculum is somewhat
flawed and requires addressing the curriculum holistically.
If you go to art school, you are required to study the works of the
masters. You don't attempt
I'm more devious. I think what needs to happen is that we need to redefine what
we mean by functionally correct or quality code. If determination of
functional correctness were extended from "must operate as specified under
expected conditions" to "must operate as specified under all conditions,"
hi neil,
For what it's worth, there is a list of universities with some kind of software
security curriculum on page 98 of Software Security http://swsec.com.
Remember, this list was created in 2006, and lots of other universities have
jumped on the bandwagon since then.
* University of
43 matches