Brad Andrews wrote:
> But we are not talking about separate classes. The assertion (which I
> probably clipped, sorry) was that it should be woven into the
> curriculum. I was noting where and how to do so, starting in the
> intro level classes. Just telling a starting programmer to properly
> check input length is all well and good, but falls far short of making
> a secure programmer.
Sorry if this comes across as a misread of the above, but it touches on a pet peeve of mine in this business. "Falls far short" or "that doesn't fix the problem" is used quite a bit to dismiss steps we could be taking. Since we cannot create truly secure systems or software, we need to embrace efforts that still improve things as long as the cost of the effort is appropriate for the gain in security.

Instead of "properly check input length is all well and good, but falls far short of making a secure programmer", I prefer to think of all the security bugs we could have avoided if most programmers had a well-ingrained habit of doing just that. We'd still have a lot of problems left to address, but we'd have avoided a lot of pain if this little thing had been taught better, or even taught at all. (When I do secure development intro type classes, my "if you only take one thing away from today" is: Don't Trust Input. You'll learn the rest later, but that one thing will fix many problems.)

I went to a different type of college than most people. It exists to train officers for the US Army. Most of the military training focuses on basic soldier skills and the things we needed to know to lead small units at the lieutenant level with platoons and captain level with companies if we had to. We knew enough of the higher level skills to be able to put what we were doing into context and maybe, if we got into a really bad spot, we could, for a time, command a battalion or brigade until somebody else could get there to take over. We weren't ready to be generals yet, but we were reasonably ready for where we were in our careers for the first several years, and most knew there was still a lot we had to learn and practice to really be good lieutenants even though we'd spent four years preparing for the job.

> Some will sit through a class with glazed eyes and no understanding.

We'll always have that.
The old doctor joke about 50% of the doctors out there graduated in the bottom half of their class applies to our industry as well, with the added burden of plenty doing what we do with no formal training at all. There are reasons we do peer reviews, formal code reviews and testing. This is just a small piece of the puzzle that has not been addressed well enough, but it is just a piece.

--
Mike Lyman
mly...@west-point.org

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
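The "properly check input length" habit the thread is arguing about, shown in C as an added example that is not part of the post or of the list discussion. The field width NAME_MAX, the allowed character set, the function names (copy_name_unsafe, copy_name_checked, name_accepted) and the sample inputs are all constructed for the illustration; the point is the contrast between a copy that trusts the sender and one that validates length and content first.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. NAME_MAX and the allowed
   character set are assumptions made for the illustration. */
#define NAME_MAX 15 /* usable bytes in the field, excluding the NUL */

/* "Before": trusts the sender's length. If `in` carries more than NAME_MAX
   bytes this writes past the end of `dst`. Kept only for contrast; never call it. */
void copy_name_unsafe(char *dst, const char *in)
{
    strcpy(dst, in);
}

/* "After": the Don't Trust Input habit applied to one field.
   in_len is the byte count actually received (e.g. the return value of read()),
   not strlen() over data that may lack a terminator.
   Returns 0 and NUL-terminates dst on success, -1 if the input is rejected. */
int copy_name_checked(char *dst, size_t dst_cap, const char *in, size_t in_len)
{
    if (dst == NULL || in == NULL || dst_cap == 0)
        return -1;
    if (in_len > dst_cap - 1)     /* would not fit with its terminator: reject, */
        return -1;                /* rather than silently truncating            */
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\0')            /* embedded NUL: length and content disagree */
            return -1;
        if (!isalnum(c) && c != '_' && c != '-')   /* allowlist, not denylist */
            return -1;
    }
    memcpy(dst, in, in_len);
    dst[in_len] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if `in` is accepted and lands in the field intact,
   0 if it is rejected. Lets the checks be exercised without a caller buffer. */
int name_accepted(const char *in, size_t in_len)
{
    char field[NAME_MAX + 1];
    if (copy_name_checked(field, sizeof field, in, in_len) != 0)
        return 0;
    return strlen(field) == in_len && memcmp(field, in, in_len) == 0;
}

int main(void)
{
    /* constructed inputs: legitimate, over-long, embedded NUL, bad character */
    const char ok[]   = "alice_42";
    const char big[]  = "this-name-is-far-too-long-for-the-field";
    const char nul[]  = "bob\0rm -rf";      /* sizeof - 1 counts past the NUL */
    const char meta[] = "bob;rm";
    printf("ok:   %d\n", name_accepted(ok, sizeof ok - 1));
    printf("big:  %d\n", name_accepted(big, sizeof big - 1));
    printf("nul:  %d\n", name_accepted(nul, sizeof nul - 1));
    printf("meta: %d\n", name_accepted(meta, sizeof meta - 1));
    return 0;
}
```

Two design choices worth noting: the length passed in is the count the I/O call actually returned, never a strlen() over untrusted bytes, and an over-long value is rejected outright instead of truncated, because silent truncation turns one field's overflow into a different bug downstream (a name that no longer matches what the sender meant). The allowlist check is part of the same habit; "check the length" on its own still lets shell metacharacters or an embedded NUL through.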