Dana Epp wrote:
I'd be interested to hear what people think of the two approaches (separate security courses vs. spreading security all over the curricula).
>> Regards.
>> Fernando.

I don't think it's an either/or question; we need both approaches. Students should study security wherever it's relevant in the curriculum, but they also need a security class towards the end of the degree program to integrate what they've learned with a deeper and more theoretical look at security at the level of Matt Bishop's Computer Security: Art and Science.

Well, I have been asked to teach a new forth year course at the British Columbia Institute of Technology (BCIT) this fall on Secure Programming (COMP4476).

It looks like a good class, Dana. My only suggestion would be to present secure design principles in unit 2, instead of waiting to bring them up until unit 7 (I'm presuming you'll bring up more than least privilege there.) I think you're right to wait until later in the term to bring up buffer overflows; it's a more difficult problem for students than I expected it to be the first time I gave such an assignment.

I only wish I could make all these books be textbook requirements for the curriculum. It should be mandatory reading.

I think they're all good books, but covering fewer topics and books in greater depth increases learning, so don't succumb to that temptation. You can't teach them everything in one term, but you can point the way to continue learning with those books for students who want to know about security than one class can teach them.

Of course, I also think students should have to take at least one course in ASM to really understand how computer instructions work, so they can gain a foundation of learning for the heart of computer processing. And
I think they should be taught the powers and failures of C. Since I know many of you think I'm nuts for that, you might want to look at this outline with the same amount of consideration.

I agree with you on both of those requirements. You need to have a basic understanding of assembly and how C is translated into assembly to understand the most common types of buffer overflow attacks. There are better languages for secure programming than C, but students are almost certainly going to have to read or write C at some point in their careers, so they need to understand it.

James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC

Reply via email to