But we are not talking about separate classes. The assertion (which I probably clipped, sorry) was that it should be woven into the curriculum. I was noting where and how to do so, starting in the intro level classes. Just telling a starting programmer to properly check input length is all well and good, but falls far short of making a secure programmer.

I have no doubt that you can teach some new developers the principles in a short time and make them more productive than those who have been programming longer term. They don't have to unlearn anything! But this will not work for everyone. Some will sit through a class with glazed eyes and no understanding.

Also remember we will have to get outside those with a fairly high level of motivation (internal or external) for learning the material to be successful.

I also would like to see how you would teach secure development, with minimal extra time load, in a basic programming sequence, possibly even at a non-traditional or lower tier school. We won't make significant progress until we can do that, and it still leaves out the "self taught."

--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Gunnar Peterson <gun...@arctecgroup.net>:

I am sure some things could be put into a basic class, but the ideas are a bit deeper. Security at the "Hello World!" or Mortgage Calculator program level seems quite difficult.


I am not so sure. Granted an entry level programmer is going to be an expert, but they can be pretty effective. I have taught App Security classes where there were people with 20+ years of programming experience and people with 3 months of OJT programming experience. At the end of the two day class they each had the exact same amount of App Security training.

The basic concepts of AAA and so on are not so hard to understand. My guess is it's much harder to start with Hello World, with no security, add layers and layers of stuff on top of that over the decades and then have to go back and question every single thing...

Someone who spent 20 years building cars with no brakes would have a different experience than someone who was taught from the get go that all cars have brakes and here is how you design/build them.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________