Neil Matatall wrote:
> So where does secure coding belong in the curriculum?
> Higher Ed?  High School?
> Undergrad? Grad? Extension?

Secure coding needs to be taught anytime programing is taught.

>From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and confuse middle school/junior high school students
but I'd teach them basics like input validation and bounds checking as
basic good programing. The security aspects can wait until later when
they can better handle several concepts at once.

After that is just needs to be part of the course and called out for
what it is. There is room for stand alone security focused training and
courses but it needs to be drilled in all along the way. I recall my own
computer science instructors telling us *not* to spend time on bells and
whistles and concentrate on the concept the lesson was covering. If the
lesson was on pointers, adding things like error checking and user
friendly features didn't count for anything. I can understand why that
was said but it sends the wrong message and begins the development of
bad habits. That was 20 to 30 years ago and most computer users' idea of
security was locking their car doors but it did set us up for bad
habits. Basics need to be drilled in early and always count for
something even if the lesson is while loops.

Mike Lyman

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to