On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall<nmata...@uci.edu> wrote:
> Inspired by the "What is the size of this list?" discussion, I decided I
> won't be a lurker :)
>
> A question prompted by
> http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
> and the OWASP podcast mentions
>
> So where does secure coding belong in the curriculum?
>
> Higher Ed? High School?
>
> Undergrad? Grad? Extension?
Does it help at all to consider how and where most people actually learn to program/develop? I don't have percentages handy of how many people with a job title or informal role as "programmer" or "developer" actually took any formal education in this. If we're just trying to reach the group of developers that went through formal training then we've seen some pretty good answers here in this thread already. If we want to cover others though, we need to look elsewhere.

Let's look at another few fields where safety is important and yet the work is often done by both professionals and amateurs - Plumbing and/or Electrical Work. My own view is that much software development is actually a lot closer to the work of the amateur electrician than the professional electrician. That is, unlike fields like engineer, architect, lawyer, accountant, we don't rely on professional standards, degrees, certifications, etc. for most programmers. I'm leaving aside for a moment whether we can or should, and just pointing out that it is the case.

In the case of the amateur electrician you'll find a wide variety in their knowledge of safety concerns, adherence to code, etc. They probably know enough to not electrocute themselves while they are working (though not always) but don't necessarily know enough to put in wiring that won't burn their house down in a few years.

I think our real question isn't just how to reach the "professional" programmer trained via formal training programs, but also how to reach the "amateur" programmer trained via books, trial+error, etc. In these cases the best bet is to make sure that the general training manuals, how-to guides, etc. have a lot of safety/security information included in them. That the books people use to learn actually show them safe examples, etc. Obviously there are variations of code requirements per location and such, but basic safety rules will probably be mostly universal.
- Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________