James Walden wrote:
> I'd like to open a discussion based on this quote from Marcus Ranum's ACM Queue article entitled "Security: The root of the problem":
Thanks. I also read Marcus's article with interest. Caveat: clearly, I have a biased outlook, since software security training is one of the things that I do for a living.
Overall, I like and agree with much of what Marcus said in the article. I don't, however, believe that we can count on completely putting security "below the radar" for developers. Having strong languages, compilers, and run-time environments that actively look out for and prevent common problems like buffer overruns is a worthy goal, to be sure, but counting solely on them presumes that there are no security problems at the design, integration, or operations stages of the lifecycle. Even if the run-time environment that Marcus advocates is _perfect_ in its protection, these other issues are still problematic and require the developers and operations staff to understand the problems.
> From my perspective, security education is only beginning to climb an initial upward curve. While classes in security topics are becoming more common in undergraduate computer science course catalogs, their presence is far from universal. I don't know of any university that requires such a class for an undergraduate CS degree; if any such programs exist, they're not common.
I agree with you on this, certainly. My nephew is a senior in an undergrad CS curriculum, and his university has yet to discuss security in any of his course work, to my knowledge.
> While there are non-university classes and workshops that teach software security, I doubt that a majority of developers have attended even one such class. Software security has to be integrated into the CS curriculum before we can expect a majority of developers to have the appropriate skills, and then there will still be the issue of applying them under deadline pressure.
Yup, but in the "belt and suspenders" approach that I like to advocate, I'd like to see software security in our undergrad curricula as well as professional training that helps developers understand the security touch points throughout the development process -- not just during the implementation phase.
Ken van Wyk http://www.KRvW.com