Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Ben Tomhave wrote: Wall, Kevin wrote: I don't mean to split hairs here, but I think fundamental concept vs intermediate-to-advanced concept is a red herring. In your case of you teaching a 1 yr old toddler, NO is about the only thing they understand at this point. That doesn't imply that concepts like street are intermediate-to-advanced. It's all a matter of perspective. If you are talking to someone with a Ph.D. in physics about partial differential equations, PDEs *are* a fundamental concept at that level (and much earlier in fact). The point is, not to argue semantics, but rather to teach LEVEL-APPROPRIATE concepts. I think you do mean to split hairs, and I think you're right to do so. Context is very important. For example, all this talk about where to fit secure coding into the curriculum is great, but it also ignores the very arge population of self-taught coders out there, as well as those who learn their craft in a setting other than a college or university. Ergo, it still seems like we're talking at ends about an issue that, while important, is still only at best a partial solution. Of course it's only a partial solution and I think you raise some very valid concerns. Normally, I wouldn't consider the self-taught in a discussion of where does secure coding belong in the CURRICULUM, but we can't ignore that 800 lb gorilla either. That of course is a much harder challenge. I suppose in some sense we should expect / hope that these same concepts that we've been discussing are addressed in the numerous books, periodicals, web sites, etc. where most of this learning happens. But that's probably much more difficult sitation to change...more of a wild, wild west in comparison to academia. Ultimately, most sane people act in accordance with that they are rewarded for doing things correct and disciplined for doing wrong. In academia, we can do this with grades for students, pay and/or tenure or other perks for professors / lecturers, etc. But once we get into books and magazines realm, we have to look for the publishers to reward / discipline appropriately and IMO they don't necessarily have the same drivers as to academia. Many publishers seem to be more concerned with just making a quick $$ rather than being accurate or thoroughly training people to do things correctly. (How else can you explain books explain tabloids, unless you subscribe to the MiB theory. And IMHO, there are plenty of tabloid-like publishers writing books in the programming field, but I digress.) Getting back to my point, you don't have that less control for someone putting up their own educational web pages that profess to teach programming to which many of the self-educated seem to rely on. There are plenty good ones, but most I've seen seem to be oblivious to secure coding practice (w/ exception of security-related sites such as OWASP, etc.) So it's only things like reputation, and ultimately market pressures that force any corrective actions in regards to publishers of written and web material. Add to that the problem that BECAUSE these people are self-taught, the generally don't have someone to provide guidance to separate the wheat from the chaff like instructors hopefully do with their students. But if self-taught programmers are the 800 pound gorilla, then corporate business is the 4 ton elephant. If anything, I would say that addressing the pressures that seem to be on corporate programmers that come to bear _against_ secure coding practice (although unintentionally) is the MUCH BIGGER problem. (Most people go into CS to move into industry after all, not to stay and teach/research in academia.) Most businesses rate secure code as a very low need and to emphasize time-to-market (which presumably has a direct correlation to market share, or so we've been told) over everything else. IMHO, that leads to more slip-shod code than any other single factor. Adding defensive code to make it more robust against attacks takes additional time, which on large projects can be quite significant. To make matters worse, many IT shops in the USA seem to reward the how fast can you crank out code (no matter how insecure) over the how good of quality do you deliver mentality. What is rewarded in IT shops is quantity of LOC cranked out each week (wrongly widely perceived as equivalent to productivity) over quality (less buggy code, which I believe correlates well less vulnerabilities). I have no sour grapes here--never wanted to move into management--yet over my 30+ years in industry (mostly telecom), I've seen the fast get rewarded, transfer to another project before things crash-and-burn, and then go on to get promoted to some management position. And then they continue to act this was as managers because that's what got them there. Let's face it, the IT industry in the USA is one huge dysfunctional family. So, I think *that's* why we've been focusing on formal education. There is a chance, a glimmer of
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Yet another perspective. I believe that this question may be somewhat flawed as it doesn't take into consideration certain demographic challenges. Right now the model seems to be based on either being academic (sitting through a semester of some old fog with no real-world experience blabbering theory) or in the professional world and their ability to bring in consultants to perform in-house training (in a highly constrained time crunch). So, if you are an employee of a small software company, how do you learn to write secure code? Academia hasn't yet adjusted to the modern world of professionals where education needs to be a component in work/life balance and not an impediment to it and therefore this isn't really an option for the masses. Likewise, if you aren't employed by a large enterprise with a training budget that can hire all these training firms that want to do onsite classes for dozens of employees, you are left with reading lots of books on your free time, a few OWASP TV videos and google. One of the more interesting experiences that I had was that a professor at RPI uses one of the books I am the lead author for in his class. If I wanted to be a guest lecturer, this would be no problem, yet if I wanted to get credit for the course, I would actually have to sit through the entire thing which would be as interesting as watching paint dry. I have on several occasions made the offer that I will pay for all fees for a given course upfront and I want to take the final exam. If I did not score 100% you could fail me and still no university would take my offer. We got to find a balance between one-day train the world in corporate America and months upon months of mind-numbling indoctrination that universities push if we are to truly conquer the challenge of secure coding. This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
We are NOT craftsmen by any stretch of the imagination. If you have ever worked in a large enterprise, the ability to change roles and be fluid in one's career is rewarding yet has unintended consequences. If I went to my boss tomorrow and said that I no longer want to be an architect and instead want some experience managing a project, what training do you think I will be afforded before I actually get to project manage a large initiative? For that matter I am an architect, what training do you think I have received? Much of my daily job is art where all of about ten minutes requires craftsmanship. We need to stop being delusional and thinking that us IT folks are bound by ANY principle. If you find a single principle taught in a university setting that hasn't been waived in a corporate environment at one time or another, I sure would love to know what that is. We are artists. End of discussion... From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Jim Manico [...@manico.net] Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I again come back to James McGovern's suggestion, which is treating coding as an art rather than a science Keep your Picasso out of my coding shop, world of discrete mathematics and predicate logic! I don't care how cheap his hourly is. :) I'd prefer to think of coders as craftsman; we certainly are not artists, scientists or engineers. ;) And craftsman are bound by the laws of mathematics and the sponsors who pay us, artists have no bounds. - Jim ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Personally I think secure coding should be included in the entire curriculum irrespective of the level. People learn habits early on that they tend to carry for as long as they are programmers. How many programmers that learned the KR style of indentation for example continue to use it as their default style even when they have learned new languages. Having just done a quick survey of the programming books on my shelves I don't find security or secure coding covered much if at all. I doubt that is because some business guy came down to the author and told him to excise security from the book. If basic security and secure coding practices are not integrated into programming from the beginning it is an add on, and hence not a natural component of the (art|science) of programming and much easier to skip. I have started teaching my 12 year old son C programming at home. We started off with a basic Hello World, then added his name as a variable, then a loop to print different names, then added the ability to take the name as input from the command line. At each step we added in a bit of exception handling, and once we got to user input data we added basic data and input validation. Each new version of the program had a test plan and had to handle exceptions. This is a very simple example and is not something production ready, but every step showed him how to program without leaving security out. In my opinion, any educational program that deals with computers or networks should have security and secure coding woven into it. The amount and type of secure coding depends on the subject. A management class that calculates costs and ROI of a project should have metrics for the cost of security or robustness failures. Networking classes should have secure configuration integrated. Software engineering/design would need to have appropriate modules on encryption, identity management, etc, etc. In the end I think the question should be: Is there a place where does security and secure coding NOT belong in a curriculum? ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Not so much anti-social as untrusting, supicious, and paranoid. Actually, being highly social could provide an excellent cover to fool the bad guys into thinking one is a lot less security-savvy than one actually is. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of McGovern, James F (HTSC, IT) [james.mcgov...@thehartford.com] Sent: Tuesday, August 25, 2009 2:09 PM To: Secure Code Mailing List Subject: [SC-L] Where Does Secure Coding Belong In the Curriculum? There are several perspectives missing from the dialog: - Before we even talk about secure coding, we need a course on secure thinking. Most folks are indoctrinated into thinking positive which blinds them from seeing vulnerabilities right in front of them. A prereq on being antisocial might be a good start ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
James McGovern wrote... - Taking this one step further, how can we convince professors who don't teach secure coding to not accept insecure code from their students. Professors seed the students thinking by accepting anything that barely works at the last minute. Universities need to be consistent amongst their own teaching/thinking. Well, actually, I think that what Matt Bishop wrote in his response to Benjamin Tomhave is the key: But in introductory classes, I tend to focus on what I am calling robust above; when I teach software security, I focus on both, as I consider robustness part of security. By the way, you can do this very effectively in a beginning programming class. When I taught Python, as soon as the students got to basic structures like control loops (for which they had to do simple reading), I showed them how to catch exceptions so that they could handle input errors. When they did functions, we went into exceptions in more detail. They were told that if they didn't handle exceptions in their assignments, they would lose points -- and the graders gave inputs that would force exceptions to check that they did. Most people got it quickly. That is, Matt suggested a direct reward / punishment. Specifically, if the students don't account for bad input via exceptions or some other suitable mechanism, the simply loose points. Matt's right. If it boils down to grades, most students will get it, and fast. And whether we call this secure-coding, robustness, or simply correctness, it's a start. I think that too many people when they hear that we need to start teaching security at every level of CS are thinking of more complicated things like encryption, authentication protocols, Bell-LaPadula, etc. but I don't think that was where the thrust of this thread was leading. -kevin --- Kevin W. Wall Qwest Information Technology, Inc. kevin.w...@qwest.comPhone: 614.215.4788 It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
The playing in traffic example is one extreme end of the spectrum. A good analogy for the other end might be physics where you just teach Newtonian theory it as if it were 100% accurate and then, if the student decides to take a relativistic physics class, you teach them on day 1 that everything they know isn't right. It seems teaching secure programming must lie somewhere between these two ends of the spectrum. Perhaps a more useful exercise (rather than debating where in the gradient through metaphor) is to try to enumerate the variables that play into what draws a topic toward one end or the other. Such variables might include: * stickiness of the bias/habits acquired as you learn more * impetus to learn more * ability/access to learn more Just a thought. p. On 8/25/09, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote: We teach toddlers from the time they can walk that they shouldn't play in traffic. A year or two later, we teach them to look both ways before crossing the street. Even later - usually when they're approaching their teens, and can deal with grim reality, we give examples that illustrate exactly WHY they needed to know those things. But that doesn't mean we wait until the kids are 11 or 12 to tell them shouldn't play in traffic. There has to be some way to start introducing the idea even to the rawest of raw beginning programming students that good is much more desirable than expedient, and then to introduce the various properties that collectively constitute good - including security. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: Andy Steingruebl [stein...@gmail.com] Sent: Tuesday, August 25, 2009 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other -ilities (goodness properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond just get the bloody thing to work are also intermediate-to-advanced concepts. In other words, teach the goodness properties to developers only after they've inculcated all the bad habits they possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of dubious effectiveness. Seriously? We're going to teach kids in 5th grade who are just learning what an algorithm is how to protect against malicious inputs, how to make their application fast, handle all exception conditions, etc? ... ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ -- ~ ~ ~ ~~~ ~~ ~ Pravir Chandra chandraatlistdotorg PGP:CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4 ~ ~~ ~~~ ~ ~ ~ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Matt Bishop wrote: Instead, what you can do is frame the issues as good programming. When teaching for loops, teach the idea of a limit (upper and lower bounds). Then when you get to arrays, it's natural to discuss bounds checking in the context of iteration (I don't phrase it that way, of course). When you grade, you check for it. Presto! Now you have taught what is commonly considered a security requirement without ever mentioning the word security. I would agree with this, as I think it again syncs with what James McGovern talked about earlier, too. A graduated approach to secure coding (for whatever definition we might insert) is the only logical progression. However, as you conceded, we have to be very careful just how much we introduce and when. I remember the disconnect in the mid-90s when the CompSci curriculum switched to OO. Some of us got caught in the blender where our first CS class was non-OO and our 2nd class was suddenly all OO and we didn't know what the heck was going on. It seems we're perhaps still in this transitional state to a large part. By the way, you can do this very effectively in a beginning programming class. When I taught Python, as soon as the students got to basic structures like control loops (for which they had to do simple reading), I showed them how to catch exceptions so that they could handle input errors. When they did functions, we went into exceptions in more detail. They were told that if they didn't handle exceptions in their assignments, they would lose points -- and the graders gave inputs that would force exceptions to check that they did. Let's just hope that the code isn't compiled with -O3 or similar, creating an unintended bug. :) http://isc.sans.org/diary.html?storyid=6820 Most people got it quickly. Getting it and applying it IRL are of course two completely different things. I still find it somewhat absurd that we even need to have this discussion still after how many decades of curriculum development? :) -ben -- Benjamin Tomhave, MS, CISSP fal...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] Reading is to the mind what exercise is to the body. Sir Richard Steele ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Goertzel, Karen [USA] wrote: We teach toddlers from the time they can walk that they shouldn't play in traffic. A year or two later, we teach them to look both ways before crossing the street. Even later - usually when they're approaching their teens, and can deal with grim reality, we give examples that illustrate exactly WHY they needed to know those things. Actually, I'm not teaching my 1 yo toddler much of anything about traffic right now. I'm more playing guardian when she runs around the house and making sure she doesn't get into situations for which she would be completely and totally unprepared (and in serious danger). She lacks the language skills to even marginally understand basic concepts like street let alone don't play in the street. I think this rather proves my point that secure coding is not itself a fundamental concept, but rather an intermediate-to-advanced concept. Matt Bishop's comments are great, but they've also been applied in a context of higher ed., and recognize the limits of student understanding at different phases of development. -ben But that doesn't mean we wait until the kids are 11 or 12 to tell them shouldn't play in traffic. There has to be some way to start introducing the idea even to the rawest of raw beginning programming students that good is much more desirable than expedient, and then to introduce the various properties that collectively constitute good - including security. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: Andy Steingruebl [stein...@gmail.com] Sent: Tuesday, August 25, 2009 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other -ilities (goodness properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond just get the bloody thing to work are also intermediate-to-advanced concepts. In other words, teach the goodness properties to developers only after they've inculcated all the bad habits they possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of dubious effectiveness. Seriously? We're going to teach kids in 5th grade who are just learning what an algorithm is how to protect against malicious inputs, how to make their application fast, handle all exception conditions, etc? ... -- Benjamin Tomhave, MS, CISSP fal...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] That which has always been accepted by everyone, everywhere, is almost certain to be false. Paul Valery ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Ben, Let's just hope that the code isn't compiled with -O3 or similar, creating an unintended bug. :) http://isc.sans.org/diary.html?storyid=6820 Brings back memories -- the first day on the job as a summer intern I had to track down a bug in a UNIX device driver. Turned out the optimizer was clobbering a jump -- the driver worked fine unoptimized. I quit believing tools like compilers were flaw-free after that! Most people got it quickly. Getting it and applying it IRL are of course two completely different things. I still find it somewhat absurd that we even need to have this discussion still after how many decades of curriculum development? :) Oh, I don't -- I think it's all too understandable. A story first, to provide some background. One of my grad students (a security type, of course :-)) was my TA for the undergraduate operating systems class. We had the students form teams, and each team modified a kernel. The TA then graded interactively, asking the students about what they did and why, as he went through their code. My TA was appalled at the poor quality of the code of most teams -- it worked, but was not robust and was sloppy. So, he told each group that if they turned in code that poor the next time, he'd deduct 20% on general principles. So what do students do in that case? Right -- complain to the professor (me). I said something to the effect that I strongly disagreed with the TA, and felt he should have handled the situation differently; but since he said he'd only take off 20%, instead of the 40% I would have taken off, I'd support his decision. The students got the message. On the next assignment (and for the res of the class), the code was much better. This suggests to me the problem is not so much a failure to teach robustness; in fact, I suspect most intro to programming teachers do mention it (although to different degrees of thoroughness and probably not using that name). The *real* problem is that we don't keep reinforcing it throughout the student's career. And that's an artifact of a lack of resources for the type of grading. Give classes the support to do this, and I suspect you'd see people get in the habit of writing better code. Better, use students and people from industry who know this stuff to staff a clinic analogous to a writing clinic for English and law schools -- that would reinforce it not just for the students, but for the clinic staff as well. Anyone who's interested in this idea can read about a small experiment I did in a paper at http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/ The results of having students use such a clinic, on a very small scale, led to some pretty good improvements in their code. The problem, of course, is that supporting such a clinic requires a lot of people time, and getting people to donate their time, or the resources (read: cash) to pay for it, isn't easy. Matt ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Matt Bishop wrote: And that's an artifact of a lack of resources for the type of grading. Give classes the support to do this, and I suspect you'd see people get in the habit of writing better code. Better, use students and people from industry who know this stuff to staff a clinic analogous to a writing clinic for English and law schools -- that would reinforce it not just for the students, but for the clinic staff as well. This sounds like an excellent extension for OWASP. :) -ben -- Benjamin Tomhave, MS, CISSP fal...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] I hope if dogs ever take over the world and they choose a king, they don't just go by size, because I bet there are some Chihuahuas with some good ideas. Deep Thoughts by Jack Handy ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
So many mistakes have been made in generations before mine that we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure. This is the comment that agrees with my own belief. When teaching how to program secure coding should be seen as inherent in this and not as some sort of optional add that is only required if the code is supposed to secure. Many of the techniques are just making the code more robust and this covers a considerable amount of the problems with code today. I see no reason that this shouldn't be taught as part of any programming course. Does this cover all secure coding, no of course not, but unless the foundations of secure implementation is inherent then more advance issues ar the least of the communities worries. Consider the environment before printing this mail. Thales e-Security Limited is incorporated in England and Wales with company registration number 2518805. Its registered office is located at 2 Dashwood Lang Road, The Bourne Business Park, Addlestone, Nr. Weybridge, Surrey KT15 2NX. The information contained in this e-mail is confidential. It may also be privileged. It is only intended for the stated addressee(s) and access to it by any other person is unauthorised. If you are not an addressee or the intended addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this e-mail. Such unauthorised use may be unlawful. If you have received this e-mail in error please delete it (and all copies) from your system, please also inform us immediately on +44 (0)1844 201800 or email postmas...@thales-esecurity.com. Commercial matters detailed or referred to in this e-mail are subject to a written contract signed for and on behalf of Thales e-Security Limited. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Brad Andrews writes... I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much focus on proofs. This was in the early 1980s in a good school (Illinois), so it wasn't just modern teaching methods that were too blame. I am not sure that the proofs were all that useful for understanding some things either, though the logic they taught has value that I missed a bit of since I did hit some modern techniques. This may be heading slightly OT, but I don't think your experience is really that unusual. My BS was a double major in math and physics and my MS was in CS. We used proofs in most of my math classes, many of my physics classes, and several of my CS classes. Besides the frequency, what varied in each of these was the level of rigor expected. The proofs in math were extremely rigorous, the ones in physics less so, and the ones in most of my CS classes would have been classified as only so much hand waving if they would have been done in my math classes. But an important thing to note in all of these courses was, with the exception of very few advanced (senior grad level) math classes such as advanced calculus and abstract algebra and number theory, the use of 'proofs' wasn't the end, but only a means to the end. But still 'proofs' were utilized throughout much of this very diverse coursework to add to the rigor of the logic and presumably to reinforce understanding and learning. In the same way, I think that 'security' (or 'robustness' or 'correctness' or whatever you wish to call it) needs to be CONSISTENTLY blended into the college and possibly even high school CS curriculum so some element of it is touched upon in each of the classes and as one progresses it is discussed more and more. So just as 'proofs' are sprinkled into math, physics, CS, etc. we need to sprinkle in basic security / robustness concepts such as: + An understanding of what input may be 'trusted' and what inputs cannot be trusted leading to the concept of trust boundaries. + The concept of correctness extends merely past handling 'correct' input and needs to somehow gracefully handle incorrect input as well. + Understanding the concept of risk, eventually leading to an understanding of risk analysis in upper level CS courses + Having an adversarial testing mindset, always thinking how can I 'break' this program or system?. (BTW, sad to say, this has probably been the hardest thing to teach my colleagues. Some of them seem to get it, and some of them never do.) There are probably others--this is by no means a complete list--but we need to emphasize that to those instructing CS that this is not going to take up a significant portion of their coursework nor require a significant amount of time or effort on there part. Rather it needs to be folded into the mix as appropriate. I think back to my days in elementary mathematics. I recall learning at a very early age, when learning division, that you can't divide by 0. The explanation given by the teach wasn't in depth, it was more like you are just not permitted to do that, or occasionally it's undefined without telling us WHY it's undefined. In a similar manner, we can teach don't blindly accept unchecked input, etc. And then if that is reinforced in the grading process I do think it will come through. Surely if we could just do that much, it would be a good start. But my observation, based on my CS colleagues that I've taught with and before that, the CS courses that I've taken at the graduate level, is that other than the obligatory half hour mention of security in my operating systems course, I can barely recall it ever even coming up. And I also seldom recall that instructors would every toss your programs truly malformed input either. By comparison, when I had an opportunity to teach a masters level CS course on distributed systems (the Tannenbaum book), I tossed in matters of security throughout, not just in the chapters about security. Of course, I don't think until we got to the chapters about security that the students realized that's what I was teaching them, but that's OK too. The subliminal methods sometimes work as well. -kevin -- Kevin W. Wall 614.215.4788Application Security Team / Qwest IT The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents.-- Nathaniel Borenstein, co-creator of MIME ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free,
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote: Exploits are FUN. I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is to hook the students with the exploits, and then sprinkle in a now here's how to do it _right_ discussion while they're still paying attention. ;-) And FWIW, I've found OWASP's WebGoat to be phenomenally effective at doing just that. There are other similar tools out there as well, but the point is to give the class a safe sandbox to play in. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com (This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.) smime.p7s Description: S/MIME cryptographic signature ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Your example is spurious as a refutation of what I was trying to say (as I suspect you already know). Obviously you're not going to try to teach a not-yet-verbal infant a self-preservation concept that requires even the most rudimentary reasoning. That said, I'll be interested to hear from you in, say, a year and a half from now. And I still maintain that the intellectual maturity of a two-and-a-half-year-old hardly constitutes intermediate-to-advanced EXCEPT possibly when compared with that of a one-year-old. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Wednesday, August 26, 2009 12:27 AM To: Goertzel, Karen [USA] Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Goertzel, Karen [USA] wrote: We teach toddlers from the time they can walk that they shouldn't play in traffic. A year or two later, we teach them to look both ways before crossing the street. Even later - usually when they're approaching their teens, and can deal with grim reality, we give examples that illustrate exactly WHY they needed to know those things. Actually, I'm not teaching my 1 yo toddler much of anything about traffic right now. I'm more playing guardian when she runs around the house and making sure she doesn't get into situations for which she... ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I too remember learning proofs in Jr. High. And I also believe the main objective was to teach 12 and 13 year olds that it is possible to apply a repeatable, disciplined process to how they approach problem solving. Certainly not a worthless lesson, even if the mathematics involved are never used again. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Brad Andrews [andr...@rbacomm.com] Sent: Tuesday, August 25, 2009 4:23 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much focus on proofs. This was in the early 1980s in a good school (Illinois), so it wasn't just modern teaching methods that were too blame. I am not sure that the proofs were all that useful for understanding some things either, though the logic they taught has value that I missed a bit of since I did hit some modern techniques. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I see your point. On the other hand, there are times I worry that teach the hacker mentality approach to secure development training smacks a bit too much teaching future policemen the delights of robbery, rape, torture, and murder in order to prepare the to defend the public against robbers, rapists, torturers, and murders. Definitely teach - with examples - what it is about software that makes it so easy to exploit and violate. But stop short of handing the students detailed blueprints and instructions, reinforced by lots of hands-on lab time. I'm just untrusting enough of human nature to worry that once some of them discover how much more fun it is to hack than to defend against hacking, what you'll end up with is not the next Bob Seacord but the next Kevin Mitnick. At the very least, make psychological exams a prerequisite of acceptance into your class, so you can weed out the likely psychopaths and sociopaths. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Olin Sibert [u3...@siliconkeep.com] Sent: Tuesday, August 25, 2009 8:16 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I'm mostly a lurker here, and I'm a practitioner rather than a professional educator, but there's a viewpoint I haven't seem much of that I want to support, namely: Exploits are FUN. Teach from that angle, and I think you'll get more traction ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Your Picasso - or, perhaps, Frank Lloyd Wright would be a better analogy - definitely has a role in software development. I want his creativity up front in the specification and high-level design of the building (the software system). But when it comes to detailed design and testing, I'm going to call in the engineers, and when it comes to coding, no-one does it better than skilled construction workers who have mastered the use of hammers, saws, adzes, etc. So yes - the coders are craftsmen. But the problem is that in software development, the roles are seldom so clearcut, especially not in Agile development. So one does find far too many craftsmen attempting the engineers' and architects' jobs without anything like the necessary training and certification of their competence to perform those functions. Or maybe, if we accept the software development as an art analogy, our problem is we have way too many architects trying to code successfully. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Jim Manico [...@manico.net] Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I again come back to James McGovern's suggestion, which is treating coding as an art rather than a science Keep your Picasso out of my coding shop, world of discrete mathematics and predicate logic! I don't care how cheap his hourly is. :) I'd prefer to think of coders as craftsman; we certainly are not artists, scientists or engineers. ;) And craftsman are bound by the laws of mathematics and the sponsors who pay us, artists have no bounds. - Jim ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote: First, security in the software development concept is at least an intermediate concept, if not advanced. Not at all. That would be like saying that correctness is also an advanced concept, because it gets in the way of coding. Security is about exploiting assumptions (often hidden) that we make when we write and deploy software. I see no reason why teaching to think about assumptions should be deferred. You teach math students how to do proofs right from the beginning for essentially the same reasons :-) Perhaps this means that the language itself needs to require strong type checking that enforce appropriate secure coding behavior? Unfortunately, security assumptions are rarely written down so I don't see how they can be enforced at the language or compiler level. Best, Stephan ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other -ilities (goodness properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond just get the bloody thing to work are also intermediate-to-advanced concepts. In other words, teach the goodness properties to developers only after they've inculcated all the bad habits they possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of dubious effectiveness. Great strategy! Our hacker friends will love it. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Monday, August 24, 2009 8:35 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Two quick comments in catching up on the thread... First, security in the software development concept is at least an intermediate concept, if not advanced ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote: You don't teach proofs - not really. The elementary and junior high curriculum generally does not contain anything about proofs I was talking about college students because that's when I was properly taught programming. That may no longer be true. But in maths, I *was* taught how to do proper proofs in high school (from 7th grade on, when we had Geometry). I may have been unusually lucky. I again come back to James McGovern's suggestion, which is treating coding as an art rather than a science. It increasingly makes sense given the failures up to this point. The problem then is that every Joe, Dick, and Harry out there who can get hello world to compile think they're artists. Seriously, unlike art, programming is usually not a vehicle for one's creative urges, but a tool to get a job done, as you yourself say. (I hesitate to use the word science as an antonym to art here, perhaps craft would be better.) Unfortunately, security assumptions are rarely written down so I don't see how they can be enforced at the language or compiler level. Here you make a patently bad assumption yourself. It should be possible for the compiler to automatically protect against overflows, as an example. Sure, for certain languages and certain classes of well-understood problems, compiler or language support can be engineered. But my point stands: security assumptions are rarely written down. This is because they are taken to be self-evident and not in need of explicit formulation. Also, they depend on the domain. If I express a hospital drug disbursal system in any of the common general-purpose programming languages, the assumption that one cannot be a doctor and a nurse at the same time is usually implicit. I challenge you to develop Java or C ++ support that will capture any flaw in the implementation of this particular RBAC *without* having to make that assumption explicit. Safe input validation and output encoding could also be forced at a given level. Really? I'd be interested in hearing about such techniques that cannot be short-cut (which, as you state, is one big factor for security defects in software). Best, Stephan ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Tue, Aug 25, 2009 at 4:09 AM, Stephan Neuhausstephan.neuh...@disi.unitn.it wrote: On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote: First, security in the software development concept is at least an intermediate concept, if not advanced. Not at all. That would be like saying that correctness is also an advanced concept, because it gets in the way of coding. Security is about exploiting assumptions (often hidden) that we make when we write and deploy software. I see no reason why teaching to think about assumptions should be deferred. You teach math students how to do proofs right from the beginning for essentially the same reasons :-) Sarcasmreally? First graders are learning to do math proofs instead of basic addition? I'm quite surprised by this./Sarcasm We're missing I think the point I raised earlier. Not everyone learns to program in high school or college. And, even learning the basics of what an algorithm are is tricky, much less learning defensive programming, etc. So, yes, it is an advanced concept for the majority of beginning programmers. -- Andy Steingruebl stein...@gmail.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Aug 25, 2009, at 18:07, Andy Steingruebl wrote: Sarcasmreally? First graders are learning to do math proofs instead of basic addition? I'm quite surprised by this./Sarcasm Yeah, sorry. When I wrote about students I meant college students. I don't know, is that a difference between British English (pupils) and American English (students)? Anyway, my bad. We're missing I think the point I raised earlier. Not everyone learns to program in high school or college. And, even learning the basics of what an algorithm are is tricky, much less learning defensive programming, etc. But the topic of the thread is Where Does Secure Coding Belong In the Curriculum? and I maintain that when someone is intellectually mature enough so that you can teach them how to program and at the same time really know what they're doing, you can teach them about correctness and security too. Best, Stephan ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Ben, First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle (OO anybody?) directly to concepts that bridge computer architecture, code structure, and various other problems. I agree and I disagree. If I walked into an ECS 10 (Intro to Programming class) and began We use the waterfall model to provide a moderate level of assurance ... about 75% of the students would be out the door. That's one problem with teaching security per se: you need to describe *what* your security requirements are, and when you're struggling to learn how to write a for loop, being asked to implement security requirements as such is intimidating. Instead, what you can do is frame the issues as good programming. When teaching for loops, teach the idea of a limit (upper and lower bounds). Then when you get to arrays, it's natural to discuss bounds checking in the context of iteration (I don't phrase it that way, of course). When you grade, you check for it. Presto! Now you have taught what is commonly considered a security requirement without ever mentioning the word security. I find the distinction between robust and secure is useful, although often the two are interchangeable. By robust, I mean the more nebulous requirement that the program not crash (although it may terminate gracefully :-)) and that it handle unexpected inputs reasonably, and so forth. By secure, I mean meeting a specific set of requirements that describe what security means; for example, unexpected inputs may require specific actions (in which case handling them is both robust and secure :-)). Note: I'm not sure the distinction here is too meaningful, so please don't ask me to define a boundary. But in introductory classes, I tend to focus on what I am calling robust above; when I teach software security, I focus on both, as I consider robustness part of security. By the way, you can do this very effectively in a beginning programming class. When I taught Python, as soon as the students got to basic structures like control loops (for which they had to do simple reading), I showed them how to catch exceptions so that they could handle input errors. When they did functions, we went into exceptions in more detail. They were told that if they didn't handle exceptions in their assignments, they would lose points -- and the graders gave inputs that would force exceptions to check that they did. Most people got it quickly. Matt ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
The just get the bloody thing to work is usually an attitude foisted on developers by the business side. I work in an internal application security function for a large enterprise and i'm yet to meet a developer who wasn't concerned about security. Developer education is very important and we have a lot of it available for out developers, some of it even compulsory. However, unless there is the will of the business behind it, developer concerns are oft pushed aside in the interest of expediency. I find the business side usually does have a genuine interest in security and quality, however they are concepts that remain largely unquantifiable, and in the case of security you only need to mess up once to end up with a nasty situation. It's can be a tough sell getting time to focus on these things, given they can be so vague. In the case of my organisation, business side support comes from both internal advocacy of security practises by our function and externally imposed legal requirements. Mostly the latter ;) Filtering inputs is NOT hard, and most developers are getting better at things like that. However, the problems of application security go beyond the developer level, and it's important not to lose sight of that fact. If there were an easy solution everything would already be perfectly secure. Pete On Wed, Aug 26, 2009 at 12:26 AM, Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other -ilities (goodness properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond just get the bloody thing to work are also intermediate-to-advanced concepts. In other words, teach the goodness properties to developers only after they've inculcated all the bad habits they possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of dubious effectiveness. Great strategy! Our hacker friends will love it. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Monday, August 24, 2009 8:35 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Two quick comments in catching up on the thread... First, security in the software development concept is at least an intermediate concept, if not advanced ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
We teach toddlers from the time they can walk that they shouldn't play in traffic. A year or two later, we teach them to look both ways before crossing the street. Even later - usually when they're approaching their teens, and can deal with grim reality, we give examples that illustrate exactly WHY they needed to know those things. But that doesn't mean we wait until the kids are 11 or 12 to tell them shouldn't play in traffic. There has to be some way to start introducing the idea even to the rawest of raw beginning programming students that good is much more desirable than expedient, and then to introduce the various properties that collectively constitute good - including security. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: Andy Steingruebl [stein...@gmail.com] Sent: Tuesday, August 25, 2009 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other -ilities (goodness properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond just get the bloody thing to work are also intermediate-to-advanced concepts. In other words, teach the goodness properties to developers only after they've inculcated all the bad habits they possibly can, and then, when they are out in the marketplace and never again incentivised to actually unlearn those bad habits, TRY desperately to change their minds using nothing but F.U.D. and various other psychological means of dubious effectiveness. Seriously? We're going to teach kids in 5th grade who are just learning what an algorithm is how to protect against malicious inputs, how to make their application fast, handle all exception conditions, etc? ... ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I was thinking of a beginner-level programming class. I have and it can be a challenge, especially if they don't have the programming mindset. Even if they do, you don't have the time for the things you spoke about. You are focusing on basic coding constructs first. :) -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Stephan Neuhaus stephan.neuh...@disi.unitn.it: On Aug 21, 2009, at 17:51, Brad Andrews wrote: Has anyone who holds to this taught a beginning level programming class? I have. I taught a security class to undergrads. It was easier than I thought, at least the basics were. I got them excited by a let's try to break things attitude. They wrote buffer overflow exploits (using freely available shellcode), they cracked linear congruential PRNGs, they subverted insecure protocols. As far as I can tell, they had a good time, since I had the highest retention rate for optional courses in that year: 40 signed up for the course and 39 took the final exam. Once they understood that the right mind-set is not oh come on, what can possibly go wrong? but okay, let's see what *can* go wrong, they were on their way. Stephan ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Are there any industry metrics that indicate what percentage of full-time software developers actually learned coding in a university setting? I actually learned in high-school, focused on business administration in college (easiest major on the planet) and learned/matured on the job. Likewise, I also am surrounded by many folks who have been in IT for say 30 or so years that learned coding from those infomercial type schools you see on TV late at night. So, the question of whether trade schools should teach secure coding should be asked as well. This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Andy Steingruebl wrote: I think our real question isn't just how to reach the professional programmer trained via formal training programs, but also how to reach the amateur programmer trained via books, trial+error, etc. One area here is making sure examples are done correctly. The database examples that connected to an MS SQL server with userid=SA;password= used to drive me crazy. The sample code does it that way so I better do it that way. It makes for more complicated sample code but it may be the only way to reach these self taught folks. -- Mike Lyman mly...@west-point.org ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Brad Andrews wrote: Has anyone who holds to this taught a beginning level programming class? Getting students to understand what a loop is can be hard enough, given limited time. Diving into exploits and buffer overflows can be much more difficult. Getting into exploits at this level is probably more than many can handle but it's not a bad time to teach proper bounds checking and making sure any math operations don't result in overflows. Part of the lesson might even be to create loops with math that cause these errors deliberately if students are no longer taught how numbers are represented in memory and what happens when you exceed the limits directly. Might not be a bad idea though to step back on basic courses and rather than dive in to programing concepts right away start with some demonstrations of what happens with bad code and follow up with refreshers periodically through the course. Nothing in great depth unless the students can handle it but showing them what happens after coding errors might raise awareness and start them thinking what happens when this breaks rather than strictly focusing on how do it get it to work. I cringe at the thought of what I used to do in code based on the habits that started in high school and college. I am sure some things could be put into a basic class, but the ideas are a bit deeper. Security at the Hello World! or Mortgage Calculator program level seems quite difficult. This bears some thinking through, but the security risks seem to be: - Make sure the input amount is in dollars. - Make sure the term is numeric and within reasonable ranges. - Make sure that interest rate is in the form of XX.XX. That's a great start at getting them to think about how they have to treat input and validate it. I don't recall any of my instructors ever focusing on making sure the input to anything is what was expected. I'm sure some did but I don't recall it. Even if the students don't always get it right at this point, get them started thinking about it. Where do you inject security there? Sure, you can note the importance of checking the data, but just because someone checks the input here doesn't mean they will have a clue on checking the input on a web form for an SQL injection attempt. You might not touch on this until you get to those type applications. If they were taught to question input all along though, by time you get to something like this the habit might be forming. -- Mike Lyman mly...@west-point.org ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as specified under all conditions, functional correctness would necessarily require security, safety, fault tolerance, and all those other good things that make software dependable instead of just correct. A much-too-late entry for the bumper sticker contest we had here a few years back: Works as you wish, under all condish. (Okay, okay, so maybe that kind of abbreviating is a bit out of style... by 70 years or so) -Dave -- Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.com/ for resume other info. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Karen Goertzel wrote... I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as specified under all conditions, functional correctness would necessarily require security, safety, fault tolerance, and all those other good things that make software dependable instead of just correct. Except, unfortunately, as an industry / profession, we can't even get the far-simpler (IMO) _functional correctness_ right let alone (so-called) non-functional issues such as security, safety, fault tolerance, etc. (Mathematical rigor and proof-of-correctness aside, but in many [most?] cases that's not practical and even if it were, most programmers' brains turn to mathematical mush whenever they see any kind of correctness proof. Meaning that it ain't going to happen if it requires thinking. ;-) In some regard, I think this holds things back. If we don't do a good job testing that the software does all that it's supposed to do under *ideal* conditions, how are we ever to expect developers and testers to test to make sure that the software doesn't do additional things that it's NOT supposed to do under less than ideal conditions. There's a reason why Ross Anderson and Roger Needham talked about Programming Satan's Computer (see http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf). [Yes, I 'm aware that paper was about the correctness of distributed cryptographic protocols, but I think both Anderson and Needham would agree that the term Programming Satan's Computer applies more generally than just to that narrow aspect of security.] Not that I'm advocating of giving up, mind you. If the battle seems hopeless, perhaps we would see more progress if we were to address secure programming issues simply as a related aspect of program correctness. Why? Because the development community seems to be more willing to address those things. (Obviously, part of that is that many programming flaws are rather tangible and something that casual users can experience. Yeah! That's the ticket. Let's teach the general populace how to hack into systems! Pass out free You've been pwnd! T-shirts with every successful pwnage. Now *THAT* would be devious. ;-) -kevin --- Kevin W. Wall Qwest Information Technology, Inc. kevin.w...@qwest.comPhone: 614.215.4788 It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Here's an extract from the Information Assurance Technology Analysis Center (part of DTIC) Software Security Assurance: A State of the Art Report (http://iac.dtic.mil/iatac/download/security.pdf): Courses on secure software development, secure programming, etc., typically begin by introducing common attacks against software-intensive information systems and the vulnerabilities targeted by those attacks, then progress to modeling, design, coding, and testing practices that software developers can adopt to reduce the likelihood that exploitable vulnerabilities will appear in the software they produce. The following is a representative sampling of such courses: - Arizona State University: Software Security - Ben-Gurion University (Beer-Sheva, Israel): Security of Software Systems - Carnegie Mellon University (CMU) and University of Ontario (Canada): Secure Software Systems - George Mason University: Secure Software Design and Programming - George Washington University: Security and Programming Languages - Catholic University of Leuven (Belgium): Development of Secure Software - New Mexico Tech: Secure Software Construction - North Dakota State University: Engineering Secure Software - Northeastern University: Engineering Secure Software Systems - Northern Kentucky University, Rochester Institute of Technology, and University of Denver: Secure Software Engineering - Polytechnic University: Application Security - Purdue University: Secure Programming - Queen’s University (Kingston, ON, Canada): Software Reliability and Security - Santa Clara University: Secure Coding in C and C++ - University of California at Berkeley, Walden University (online): Secure Software Development - University of California at Santa Cruz: Software Security Testing - University of Canterbury (New Zealand): Secure Software - University of Nice Sophia-Antipolis (Nice, France): Formal Methods and Secure Software - University of Oxford (UK): Design for Security - University of South Carolina: Building Secure Software. As noted earlier, other schools offer lectures on secure coding and other software security relevant topics within their larger software engineering or computer security course offerings. At least two universities - the University of Texas at San Antonio and University of Dublin (Ireland) - have established reading groups focusing on software security. As part of its Trustworthy Computing initiative, Microsoft Research has established its Trustworthy Computing Curriculum program [309] for promoting university development of software security curricula. Interested institutions submit proposals to Microsoft, and those that are selected are provided seed funding for course development. Another recent trend is post-graduate degree programs with specialties or concentrations in secure software engineering (or security engineering for software-intensive systems). Some of these are standard degree programs, while others are specifically designed for the continuing education of working professionals. The following are typical examples: - James Madison University: Master of Science in Computer Science with a Concentration in Secure Software Engineering - Northern Kentucky University: Graduate Certificate in Secure Software Engineering - Stanford University: Online Computer Security Certificate in Designing Secure Software From the Ground Up - University of Colorado at Colorado Springs: Graduate Certificate in Secure Software Systems - Walden University (online): Master of Science in Software Engineering with a Specialization in Secure Computing - University of Central England at Birmingham: Master of Science in Software Development and Security - Chalmers University (Gothenburg, Sweden): Master of Science in Secure and Dependable Computer Systems. In another interesting trend (to date, exclusively in non-US schools), entire academic departments - and in one case a whole graduate school—are being devoted to teaching and research in software dependability, including security, e.g.: - University of Oldenburg (Germany) TrustSoft Graduate School of Trustworthy Software Systems - Fraunhofer Institute for Experimental Software Engineering (IESE) (Kaiserslautern, Germany): Department of Security and Safety - Bond University (Queensland, Australia): Centre for Software Assurance. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Gary McGraw [...@cigital.com] Sent: Thursday, August 20, 2009 2:55 PM To: Neil Matatall; Secure Code Mailing List Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of Software Security http://swsec.com. Remember, this list was created in 2006, and lots of other universities have jumped on the bandwagon since
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Everyone, Thank you for all of the input. Really. This information has been extremely helpful! Neil Goertzel, Karen [USA] wrote: Here's an extract from the Information Assurance Technology Analysis Center (part of DTIC) Software Security Assurance: A State of the Art Report (http://iac.dtic.mil/iatac/download/security.pdf): Courses on secure software development, secure programming, etc., typically begin by introducing common attacks against software-intensive information systems and the vulnerabilities targeted by those attacks, then progress to modeling, design, coding, and testing practices that software developers can adopt to reduce the likelihood that exploitable vulnerabilities will appear in the software they produce. The following is a representative sampling of such courses: - Arizona State University: Software Security - Ben-Gurion University (Beer-Sheva, Israel): Security of Software Systems - Carnegie Mellon University (CMU) and University of Ontario (Canada): Secure Software Systems - George Mason University: Secure Software Design and Programming - George Washington University: Security and Programming Languages - Catholic University of Leuven (Belgium): Development of Secure Software - New Mexico Tech: Secure Software Construction - North Dakota State University: Engineering Secure Software - Northeastern University: Engineering Secure Software Systems - Northern Kentucky University, Rochester Institute of Technology, and University of Denver: Secure Software Engineering - Polytechnic University: Application Security - Purdue University: Secure Programming - Queen’s University (Kingston, ON, Canada): Software Reliability and Security - Santa Clara University: Secure Coding in C and C++ - University of California at Berkeley, Walden University (online): Secure Software Development - University of California at Santa Cruz: Software Security Testing - University of Canterbury (New Zealand): Secure Software - University of Nice Sophia-Antipolis (Nice, France): Formal Methods and Secure Software - University of Oxford (UK): Design for Security - University of South Carolina: Building Secure Software. As noted earlier, other schools offer lectures on secure coding and other software security relevant topics within their larger software engineering or computer security course offerings. At least two universities - the University of Texas at San Antonio and University of Dublin (Ireland) - have established reading groups focusing on software security. As part of its Trustworthy Computing initiative, Microsoft Research has established its Trustworthy Computing Curriculum program [309] for promoting university development of software security curricula. Interested institutions submit proposals to Microsoft, and those that are selected are provided seed funding for course development. Another recent trend is post-graduate degree programs with specialties or concentrations in secure software engineering (or security engineering for software-intensive systems). Some of these are standard degree programs, while others are specifically designed for the continuing education of working professionals. The following are typical examples: - James Madison University: Master of Science in Computer Science with a Concentration in Secure Software Engineering - Northern Kentucky University: Graduate Certificate in Secure Software Engineering - Stanford University: Online Computer Security Certificate in Designing Secure Software From the Ground Up - University of Colorado at Colorado Springs: Graduate Certificate in Secure Software Systems - Walden University (online): Master of Science in Software Engineering with a Specialization in Secure Computing - University of Central England at Birmingham: Master of Science in Software Development and Security - Chalmers University (Gothenburg, Sweden): Master of Science in Secure and Dependable Computer Systems. In another interesting trend (to date, exclusively in non-US schools), entire academic departments - and in one case a whole graduate school—are being devoted to teaching and research in software dependability, including security, e.g.: - University of Oldenburg (Germany) TrustSoft Graduate School of Trustworthy Software Systems - Fraunhofer Institute for Experimental Software Engineering (IESE) (Kaiserslautern, Germany): Department of Security and Safety - Bond University (Queensland, Australia): Centre for Software Assurance. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Gary McGraw [...@cigital.com] Sent: Thursday, August 20, 2009 2:55 PM To: Neil Matatall; Secure Code Mailing List Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of Software
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Neil Matatall wrote: So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Secure coding needs to be taught anytime programing is taught. From my experience in my son's boy scout troop, I'm not sure I'd call it out as security and confuse middle school/junior high school students but I'd teach them basics like input validation and bounds checking as basic good programing. The security aspects can wait until later when they can better handle several concepts at once. After that is just needs to be part of the course and called out for what it is. There is room for stand alone security focused training and courses but it needs to be drilled in all along the way. I recall my own computer science instructors telling us *not* to spend time on bells and whistles and concentrate on the concept the lesson was covering. If the lesson was on pointers, adding things like error checking and user friendly features didn't count for anything. I can understand why that was said but it sends the wrong message and begins the development of bad habits. That was 20 to 30 years ago and most computer users' idea of security was locking their car doors but it did set us up for bad habits. Basics need to be drilled in early and always count for something even if the lesson is while loops. -- Mike Lyman mly...@west-point.org ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I think we need to start indoctrinating kids in the womb. Start selling Baby Schneier CDs alongside Baby Mozart. :) Seriously, though, cyberspace is such an integral part of modern life, parents need to inculcate online security into their toddlers the same way they teach them to look both ways before crossing the street, and not to talk to or get into the car with strangers. In essence, we need to teach kids the virtual equivalents of these safe behaviours when they go online - which some of them are doing as early as age 4! If they can be brainwashed that early, they will come to have higher expectations of what SHOULD be present with regard to security properties in software-based systems. Then the notion won't seem alien to them. What will seem alien TO US is that they won't understand the struggles we've had to get people to start adding security. The idea of security having ever NOT been there will be bizarre to them. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Mike Lyman [mlyman-ci...@comcast.net] Sent: Friday, August 21, 2009 8:17 AM To: Secure Coding Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Neil Matatall wrote: So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Secure coding needs to be taught anytime programming is taught ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatallnmata...@uci.edu wrote: Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html and the OWASP podcast mentions So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Does it help at all to consider how and where most people actually learn to program/develop? I don't have percentages handy of how many people with a job title or informal role as programmer or developer actually took any formal education in this. If we're just trying to reach the group of developers that went through formal training then we've seen some pretty good answers here in this thread already. If we want to cover others though, we need to look elsewhere. Let's look at another few fields where safety is important and yet the work is often done by both professionals and amateurs - Plumbing and/or Electrical Work. My own view is that much software development is actually a lot closer to the work of the amateur electrician than the professional electrician. That is, unlike fields like engineer, architect, lawyer, accountant, we don't rely on professional standards, degrees, certifications, etc. for most programmers. I'm leaving aside for a moment whether we can or should, and just pointing out that it is the case. In the case of the amateur electrician you'll find a wide variety in their knowledge of safety concerns, adherence to code, etc. They probably know enough to not electrocute themselves while they are working (though not always) but don't necessarily know enough to put in wiring that won't burn their house down in a few years. I think our real question isn't just how to reach the professional programmer trained via formal training programs, but also how to reach the amateur programmer trained via books, trial+error, etc. In these cases the best bet is to make sure that the general training manuals, how-to guides, etc. have a lot of safety/security information included in them. That the books people use to learn actually show them safe examples, etc. Obviously there are variations of code requirements per location and such, but basic safety rules will probably be mostly universal. - Andy ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I think we need to start indoctrinating kids in the womb. Start selling Baby Schneier CDs alongside Baby Mozart. :) I can recommend this book, it was given to me by a client. Enigma: A Magical Mystery Grade 3–6—Someone has stolen the props belonging to the residents of a retirement home for magicians, and Bertie Badger, the grandson of one of the illusionists, vows to find them. As he meets the performers, they each tell him a little about their specialty and what's missing. My top hat, cape, and wand have gone, but there is worse to tell:/My precious magic bunny rabbit's disappeared as well! Bertie discovers the thief, but it is left to readers to find the lost items hidden in the illustrations. Base's visual mystery books have delighted children for years, but this one has the added feature of a moving panel in the back cover that reveals a secret code. Children must turn dials to proper settings before it can be moved. The clues for setting them appear in the illustrations but are not at all obvious. With a little persistence, however, the target audience should be able to solve the puzzle. After readers crack the code, they can search for the missing items hidden in the art and decipher other messages found in the end matter. http://www.amazon.com/Enigma-Magical-Mystery-Graeme-Base/dp/081097245X -gunnar ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Has anyone who holds to this taught a beginning level programming class? Getting students to understand what a loop is can be hard enough, given limited time. Diving into exploits and buffer overflows can be much more difficult. I am sure some things could be put into a basic class, but the ideas are a bit deeper. Security at the Hello World! or Mortgage Calculator program level seems quite difficult. This bears some thinking through, but the security risks seem to be: - Make sure the input amount is in dollars. - Make sure the term is numeric and within reasonable ranges. - Make sure that interest rate is in the form of XX.XX. Other things checked for would be - Proper output. - Pausing at the right point so the output can be viewed correctly. I am sure I am missing things, but this should serve as a base. Where do you inject security there? Sure, you can note the importance of checking the data, but just because someone checks the input here doesn't mean they will have a clue on checking the input on a web form for an SQL injection attempt. I get students who can't loop to start over, they are certainly not going to catch that they need to do deeper input inspection, especially in a completely unrelated topic. I am probably blowing some smoke here and I may disagree with myself later, but I think this discussion is worth having. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Mike Lyman mlyman-ci...@comcast.net: Neil Matatall wrote: So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Secure coding needs to be taught anytime programing is taught. From my experience in my son's boy scout troop, I'm not sure I'd call it out as security and confuse middle school/junior high school students but I'd teach them basics like input validation and bounds checking as basic good programing. The security aspects can wait until later when they can better handle several concepts at once. After that is just needs to be part of the course and called out for what it is. There is room for stand alone security focused training and courses but it needs to be drilled in all along the way. I recall my own computer science instructors telling us *not* to spend time on bells and whistles and concentrate on the concept the lesson was covering. If the lesson was on pointers, adding things like error checking and user friendly features didn't count for anything. I can understand why that was said but it sends the wrong message and begins the development of bad habits. That was 20 to 30 years ago and most computer users' idea of security was locking their car doors but it did set us up for bad habits. Basics need to be drilled in early and always count for something even if the lesson is while loops. -- Mike Lyman mly...@west-point.org ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
[SC-L] Where Does Secure Coding Belong In the Curriculum?
Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html /redirect?url=http%3A%2F%2Fmichael-coates%2Eblogspot%2Ecom%2F2009%2F04%2Funiversities-web-app-security%2Ehtmlurlhash=c5OA_t=disc_detail_link and the OWASP podcast mentions So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? I started a discussion in the Educause group on linked in. I guess it requires authentication and possibly group membership: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=gid=138011discussionID=5737656 It looks like some Universities are offering courses now... Neil ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Here is where my enterpriseyness will show. I believe the answer to the question of where secure coding belongs in the curiculum is somewhat flawed and requires addressing the curiculum holistically. If you go to art school, you are required to study the works of the masters. You don't attempt to paint a Picasso in the first semester, yet us IT folks think it is OK to write code before studying the differences between good code and bad code. If a student never learns good from bad and over time develops bad habits, then teaching security at ANY stage later in life is the wrong answer. We need to remix the way IT is taught in Universities and revisit the fundamentals of how to approach IT as a whole. My second and conflicting opinion says that Universities shouldn't be teaching secure code as they won't get it right. Students should understand the business/economic impact that lack of secure coding causes. If this is left strictly to Universities, it will most certainly feel academic (in the bad sense). A person doesn't become a real IT professional until they have a few years of real-world experience under their belts and therefore maybe this is best left to their employers as part of professional development and/or Master's programs that are IT-focused but not about the traditional computer-science/software engineering way of thinking... http://twitter.com/mcgoverntheory This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as specified under all conditions, functional correctness would necessarily require security, safety, fault tolerance, and all those other good things that make software dependable instead of just correct. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of Software Security http://swsec.com. Remember, this list was created in 2006, and lots of other universities have jumped on the bandwagon since then. * University of California at Davis * University of Virginia * Johns Hopkins University * Princeton University * Purdue University (especially the CERIAS center) * Rice University * University of California at Berkeley * Stanford University * Naval Postgraduate School (a military school for graduates) * University of Idaho * Iowa State University * George Washington University * United States Military Academy at West Point Matt Bishop made some excellent points in this thread. He and I discuss the notion of education versus training at length in Silver Bullet episode 31 http://www.cigital.com/silverbullet/show-031/ part of which was transcribed here http://www.cigital.com/silverbullet/shows/silverbullet-031-mbishop.pdf. gem company www.cigital.com book www.swsec.com On 8/19/09 5:15 PM, Neil Matatall nmata...@uci.edu wrote: Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html /redirect?url=http%3A%2F%2Fmichael-coates%2Eblogspot%2Ecom%2F2009%2F04%2Funiversities-web-app-security%2Ehtmlurlhash=c5OA_t=disc_detail_link and the OWASP podcast mentions So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? I started a discussion in the Educause group on linked in. I guess it requires authentication and possibly group membership: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=gid=138011discussionID=5737656 It looks like some Universities are offering courses now... Neil ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
