Here is where my enterpriseyness will show. I believe the answer to the
question of where secure coding belongs in the curiculum is somewhat
flawed and requires addressing the curiculum holistically.
If you go to art school, you are required to study the works of the
masters. You don't attempt to paint a Picasso in the first semester, yet
us IT folks think it is OK to write code before studying the differences
between good code and bad code. If a student never learns good from bad
and over time develops bad habits, then teaching security at ANY stage
later in life is the wrong answer. We need to remix the way IT is taught
in Universities and revisit the fundamentals of how to approach IT as a
My second and conflicting opinion says that Universities shouldn't be
teaching secure code as they won't get it right. Students should
understand the business/economic impact that lack of secure coding
causes. If this is left strictly to Universities, it will most certainly
feel academic (in the bad sense). A person doesn't become a real IT
professional until they have a few years of real-world experience under
their belts and therefore maybe this is best left to their employers as
part of professional development and/or Master's programs that are
IT-focused but not about the traditional computer-science/software
engineering way of thinking...
This communication, including attachments, is for the exclusive use of 
addressee and may contain proprietary, confidential and/or privileged 
information.  If you are not the intended recipient, any use, copying, 
disclosure, dissemination or distribution is strictly prohibited.  If you are 
not the intended recipient, please notify the sender immediately by return 
e-mail, delete this communication and destroy all copies.
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to