Hi all,
I've been watching this discussion with interest, as I've taught an
undergrad-level course a couple of times that focuses on infosec
with a concentration in software security. Yes, _Secure Coding_
was one of the books we used :)
A few observations from my experience so far:
- Sure, we can teach "don't overflow the buffer" in lower division
undergrad courses, but many students won't understand the
reasons why this results in an exploitable condition, since those
reasons require understanding concepts that are not normally taught
until the upper division of undergrad CS.
- I think we need to not only give the students the right *tools*
to code securely, but also the right *mindset*. It is harder
to teach the "mindset" in the earlier courses.
- As for a specialized course on software security, it can be
tricky working it into the undergrad CS curriculum. When I've
taught this material, I could not assume (for instance) a
certain degree of student knowledge about computer architecture
and the way the call stack works. I had to explain that stuff
just to be able to explain how a buffer overflow works, for instance.
- We can teach, "be more secure, use Java/C#/etc instead of C",
and that is good, but remember that these students are going
out into the real workforce and will use the language(s)
chosen by their employers (or already in place on an existing
product line). I do believe that students still need to know
how to use C/C++ responsibly. Otherwise, they may very well
be ill-prepared for the real world :)
- As for vocational vs. academic, I think there's a lot of room
for software security in each. At the academic level, you
spend more time explaining the underlying concepts. For
example, teaching why having a call stack share data and program
flow control constructs tends to cause trouble (when no enforcement
of the bounds of data and control is performed). Vocational
teaching is much more hands-on and tools oriented. At the
academic level, you want your students to be able to take the
knowledge and apply it in new and creative ways, not just learn
a tool or a technique.
- Many universities want to teach in the academic world the kind
of knowledge that will give their students a definite edge when
they go into private industry. If potential employers (or
graduate programs, etc.) look favorably on some "software security"
experience, we will probably see more of it taught and/or
integrated into existing coursework.
- I found Corewars to be an interesting tool for starting to
exercise that "defensive coding" muscle. It gets students used
to assuming that their program will be abused and misused,
among other things :)
Greg.
----------------------------------------------------------------
Greg Beeley, President & Co-Founder [EMAIL PROTECTED]
LightSys Technology Services, Inc. http://www.LightSys.org/
----------------------------------------------------------------
_______________________________________________
Secure Coding mailing list (SC-L)
[email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php