On Wed, Aug 19, 2009 at 5:15 PM, Neil Matatall <nmata...@uci.edu> wrote:
> So where does secure coding belong in the curriculum?

I think secure coding should be taught at the same time that coding is taught. There are aspects of security that can be taught from the beginning, such as input validation and error handling. It's a more efficient and I suspect more effective means of teaching to teach students the best known methods of secure coding first rather than initially teaching them to code insecurely then trying to fix that later.

Northern Kentucky University, where I teach, does this in some classes and we're working to move it into all classes. Secure coding is also a large component of our computer security course, and we have a separate secure software engineering class at the graduate level (there is also a security module in the undergraduate software engineering course.)

I agree with James McGovern on the need for students to study good and bad code. It has always surprised me how little code reading is done in a typical computer science program, and I think this is particularly important for security.

While you can teach students secure coding techniques, they will likely not stick with them once they see examples of bad code elsewhere if they don't understand the reasons why they're using those techniques. That's one reason why a general computer security class is essential to the secure coding curriculum.

James Walden
Northern Kentucky University
http://faculty.cs.nku.edu/~waldenj

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________