On Wed, Aug 19, 2009 at 5:15 PM, Neil Matatall <nmata...@uci.edu> wrote:
> So where does secure coding belong in the curriculum?

I think secure coding should be taught at the same time that coding is
taught.  There are aspects of security that can be taught from the
beginning, such as input validation and error handling.  It's a more
efficient and I suspect more effective means of teaching to teach
students the best known methods of secure coding first rather than
initially teaching them to code insecurely then trying to fix that

Northern Kentucky University, where I teach, does this in some classes
and we're working to move it into all classes.  Secure coding is also
a large component of our computer security course, and we have a
separate secure software engineering class at the graduate level
(there is also a security module in the undergraduate software
engineering course.)

I agree with James McGovern on the need for students to study good and
bad code.  It has always surprised me how little code reading is done
in a typical computer science program, and I think this is
particularly important for security.  While you can teach students
secure coding techniques, they will likely not stick with them once
they see examples of bad code elsewhere if they don't understand the
reasons why they're using those techniques.  That's one reason why a
general computer security class is essential to the secure coding

James Walden
Northern Kentucky University
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
