Two quick comments in catching up on the thread...

First, security in the software development concept is at least an
intermediate concept, if not advanced. Riffing on Brad's comments, it
seems irrational to think that you can jump straight from structural
basics with which many students struggle (OO anybody?) directly to
concepts that bridge computer architecture, code structure, and various
other problems.

Second, as long as "the right way" is not the same as "the easy way"
then there will always be a disconnect. Perhaps this means that the
language itself needs to require strong type checking that enforces
appropriate secure coding behavior? Or maybe this is even enforced at
the compiler level? (There have, of course, been problems with
compilers, too, particularly in optimization mode.)



Brad Andrews wrote:
> But we are not talking about separate classes.  The assertion (which I
> probably clipped, sorry) was that it should be woven into the
> curriculum.  I was noting where and how to do so, starting in the intro
> level classes.  Just telling a starting programmer to properly check
> input length is all well and good, but falls far short of making a
> secure programmer.
> I have no doubt that you can teach some new developers the principles in
> a short time and make them more productive than those who have been
> programming longer term.  They don't have to unlearn anything!  But this
> will not work for everyone.  Some will sit through a class with glazed
> eyes and no understanding.
> Also remember we will have to get outside those with a fairly high level
> of motivation (internal or external) for learning the material to be
> successful.
> I also would like to see how you would teach secure development, with
> minimal extra time load, in a basic programming sequence, possibly even
> at a non-traditional or lower tier school.  We won't make significant
> progress until we can do that, and it still leaves out the "self taught."

Benjamin Tomhave, MS, CISSP

[ Random Quote: ]
Moore's Law: "The number of transistors on an integrated circuit will
double in about 18 months."
Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC
as a free, non-commercial service to the software security community.