On Tue, 7 Nov 2006, Matt Bishop wrote:
> Folks,
> 
> A comment based on an idea we tried here.
> 
> > Well, I never received any replies here on what's already being  
> > done.. so
> > now, I am asking for ideas on how we can approach schools. What's  
> > needed,
> > in order for basic CS classes to have a security orientation?
> 
> Ideally, I agree with the sentiment but would quarrel with the  
> wording :-). On a practical level, I think this is very unlikely to  
> happen. For example, one problem is those classes are already  
> overloaded with how to program *plus* language stuff. You can only do  
> so much in 10 or 15 weeks (depending on whether you're on the quarter  
> or semester system).
> 
> An alternative to focusing on the introductory classes is to provide  
> support for programming throughout the curriculum. But the big  
> problem is overloaded classes--we try to teach too much material now.  
> Telling an algorithms instructor she also needs to teach some  
> security will fail on at least two counts: (1) "How do I teach the  
> required course material *plus* security?" (2) "How do I learn enough  
> about security to know what to teach and how to teach it? And where  
> do I find the time to learn this?" So I don't think adding more  
> material to existing classes will work.
> 
> So let's take a page from English departments and/or law schools.  
> Both have writing clinics--they are separate from classes, and  
> provide reviews of written papers before those papers are turned in.  
> The ones I'm familiar with do *not* address content, but they *do*  
> address mechanics (grammar, punctuation, etc.) and expression--does  
> the writing make sense, is it well organized, and so forth. Why not  
> establish something similar for programming?
> 
> You could work this in a number of ways. The one we've tried here was  
> to require the students to write the program and then meet with  
> someone working in the clinic. The clinician went through the program  
> with the student, pointed out potential problems and bad programming  
> practices, and (when appropriate) security issues. No grading  
> occurred, but the student could rewrite the program to fix the  
> problems pointed out (and others that the student found--the  
> clinician did not try to find all the problems, just enough to show  
> the student what types of problems were there).
> 
> We did some very informal testing, and the results were promising. If  
> anyone's interested, we did a write-up of it; see:
> 
> http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/
> 
> I need to emphasize the results are informal because we weren't  
> educational metricians. Our next step (assuming we can get the  
> funding) will be to devise formal metrics and do some more rigorous  
> measurements to see how well the clinic works.
> 
> The interesting point about the clinic is that it appeared to be  
> effective at both introductory and upper division levels, provided  
> the students used it. It also would provide reinforcement throughout  
> the student's undergraduate education, and give the student more of a  
> chance to absorb good programming practices than do one or two  
> classes that focus on those aspects of programming.
> 
> Just a thought ....

I am not sure I understand all you wrote yet. So I may ask you more later.

Let me ask you this: the basic courses such as C (pascal, c++,
whatever) are used to teach other things along the line. Won't changing
that course be a great start?

Further, if not much can be changed with time constraints, what would it
cost, for example, to teach people to check their input, or set
boundaries? With references to more material.

        Gadi.

> 
> Matt
> 
> ==================================
> Matt Bishop
> Department of Computer Science
> University of California at Davis
> One Shields Ave.
> Davis, CA 95616-8562
> United States of America
> 
> phone: +1 530 752 8060
> fax: +1 530 752 4767
> web: http://seclab.cs.ucdavis.edu/~bishop

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php