Gary wrote: "He and I discuss the notion of education versus training at length"

And I don't want to bring up the discussion of the difference, however it does get me to think. In CS, we do a lot of Math, but programming is not like Math. Math is easy to verify if it is done correctly. But in programming what does correctly mean? So it has to be taught and incorporated in its own way.

I think a way ahead should consider the following:

1. the instructional staff reads all the code, all the time (But think of how long this would take)
2. a formal method for deducting points from a properly working but incorrectly constructed program (a "Show your work" secure coding equivalent)
3. a capability to verify and reinforce good practices consistently and continually

Of course we can teach a class on best practices, things not to do, etc. etc. But how do we continually reinforce it throughout a curriculum or even a career?

-Rob Floodeen

On Thu, Aug 20, 2009 at 2:55 PM, Gary McGraw <g...@cigital.com> wrote:
> hi neil,
>
> For what it's worth, there is a list of universities with some kind of
> software security curriculum on page 98 of "Software Security"
> <http://swsec.com>. Remember, this list was created in 2006, and lots of
> other universities have jumped on the bandwagon since then.
>
> * University of California at Davis
> * University of Virginia
> * Johns Hopkins University
> * Princeton University
> * Purdue University (especially the CERIAS center)
> * Rice University
> * University of California at Berkeley
> * Stanford University
> * Naval Postgraduate School (a military school for graduates)
> * University of Idaho
> * Iowa State University
> * George Washington University
> * United States Military Academy at West Point
>
> Matt Bishop made some excellent points in this thread. He and I discuss the
> notion of education versus training at length in Silver Bullet episode 31
> <http://www.cigital.com/silverbullet/show-031/> part of which was transcribed
> here <http://www.cigital.com/silverbullet/shows/silverbullet-031-mbishop.pdf>.
>
> gem
>
> company www.cigital.com
> book www.swsec.com
>
>
> On 8/19/09 5:15 PM, "Neil Matatall" <nmata...@uci.edu> wrote:
>
> Inspired by the "What is the size of this list?" discussion, I decided I
> won't be a lurker :)
>
> A question prompted by
> http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
> and the OWASP podcast mentions
>
> So where does secure coding belong in the curriculum?
>
> Higher Ed? High School?
>
> Undergrad? Grad? Extension?
>
> I started a discussion in the Educause group on linked in. I guess it
> requires authentication and possibly group membership:
> http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=138011&discussionID=5737656
>
> It looks like some Universities are offering courses now...
>
> Neil
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________