At 8:10 PM -0400 6/29/04, James Walden wrote: >While there are non-university classes and workshops that teach software security, I >doubt that a majority of developers have attended even one such class. Software >security has to be integrated into the CS curriculum before we can expect a majority >of developers to have the appropriate skills, and then there will still be the issue >of applying them under deadline pressure. > >That said, I agree with most of the article. We can't wait for years to software >security to become a standard part of the curriculum, and most of his suggestions, >such as turning C compiler warnings into errors, are good ideas no matter what the >current status of security education. I also second his enthusiasm for perl's taint >mode.
Teaching students how to avoid problems in C should be a separate (optional) course. Dealing with issues that have _not_ been solved in higher level languages should be a required course not burdened by the baggage of C. And whether something is a "warning" or an "error" is outside the scope of the programming language itself and into the build process which would allow completion in the face of warnings.