silky wrote:
In fact, I explicitly remember there usually
being a statement on assignments saying that you can assume the input
will be valid.

Well, the lecturer/teacher should specifically be called out on this
as input validation is critically important, as you highlight. It may
not always be their fault, if they are following some course guideline
and just want to get the core stuff done.
Note: My comments have nothing to do with anyone/any organisation except for myself, and they should be considered as the rantings of a madman.

-----------------------------------

Last year I was part of the teaching staff at Monash Uni for FIT1004 & FIT2010 (Database http://infotech.monash.edu/units/fit1004/ ), and although security is something I am fairly interested in personally, there simply isn't enough time in a semester to get to anything regarding it outside of the occasional mention about dodgy user input.

There is quite a bit of theory behind Databases/Data Management, and that is before you even get to Queries/PL-SQL (Oracle)/Normalisation/etc. Also, due to the nature of IT Courses where many students aren't programmer types (Business Information Systems: Analysts, etc), techniques regarding SQL Injection/etc would just go straight over the heads of the majority.

Many assignments which are given do allow the user to assume valid input, but this is because the course is about understanding the theories behind each paradigm, not spending hours trawling libraries or trying to write regular expressions which account for every user/error case. Given that, this year in 1st year, 1st semester Java (Computer Programming FIT1002), marks were allocated for handling invalid input, and even required in some of the assignments.

Although there are many students who are great programmers, you can't expect a university graduate to have any idea on how to write software.

In my not so humble opinion (on this matter), like you suggest, there
is significantly more that should be being done at the University/TAFE
level in regards to secure-programming education.
Universities can always do more, but it is my belief that universities are academic institutions, not vocational ones (there is overlap, but for simplicity...). You are trained in 'Computer Science'/etc, not in 'programming'. Upon graduation, students should be equipped to think for themselves, as well as being able to recognise and solve common problems. While universities definitely have some role in making students aware of security (there are masters courses on this exact thing; also, there is a 3rd year Advanced Database unit, I am unsure of the content), I think industry is better equipped to train developers for specific/temporal security issues. This should be part of the curriculum given to a Junior Developer by their organisation.

One issue which I have experienced personally is that many organisations simply do not invest any $$$/time in developing the skills of their programmers, nor have any processes for mentoring junior developers.

</rant>

:)
--
Les Hughes