On Mon, 5 Jun 2006, David A. Wheeler wrote: | ... One reason is that people can get degrees in | Computer Security or Software Engineering without knowing how to | develop software that receives hostile data. Even the | "Software Engineering Body of Knowledge" essentially | omits security issues (a supplement is being developed, | thankfully, though it's not REQUIRED).... | | If you have connections with your local university, try to talk | them into increasing the amount of education they provide in | developing secure software (where software development is done). | I give away a book on this topic, as part of my effort to get the | information disseminated.... Keep in mind that you can run into a fundamental conflict about what a university education is supposed to be about.
At least where computer science departments are part of the liberal arts school, their fundamental view is that they are there to teach concepts, not to train people for work. The view is that, if you want someone who knows the basics of today's technologies, hire a graduate of a vocational school. Universities produce people who know how to think about technology and can learn the details of any particular technology when they need to. University programming assignments focus on the ideas, not on the "trivial minutia" of validating input, for example. A university cryptography course will likely be heavy on theory, light on how to safely apply cryptographic primitives. Any "secure computing" courses at universities are likely to focus on what someone identifies as broad principles, not on how to avoid buffer overflows in C - much less on how to restructure existing horrible C code so that you can eliminate its buffer overflows. (When I ask the typical university-trained CS major "How do you recognize that a class has been designed well?" about the only answer I am likely to get is that the member fields are all private and accessed through getters and setters. Sigh.) I don't want to get into a debate about the validity of this approach, but recognize that it's there and it's not going away. I would also be very careful about any sentence that starts "you can get a degree without knowing X", because you'll be astounded to learn just what you can substitute for X. For example, very few CS graduates have any understanding of even the most fundamental facts about floating point arithmetic. (Ask them how many times a loop that starts an FP value at 0.0 and adds 0.1 to it until the result equal 1.0 will execute.) When I interview new college graduates, on almost all subjects, I assume that, if they got a good college education, they understand basic principles and will be able to use them to learn specifics. But on the real practice of software development, what they haven't learned through co-op programs or other work experience, I'll have to train them on. (It's also my view that design, architecture, non-trivial secure coding, and so on cannot be taught in the way that sciences are taught, by someone lecturing from the front of the room. They need to be taught as art or writing is taught - by example and by practice and critique. This is something university CS departments are rarely set up to do.) -- Jerry _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php