It's a catch-22, and there's certainly no need to be snarky about it. You cannot teach advanced grammar to a student with no language skills. Similarly, to think you can teach secure coding to a student with no coding skills is folly. I think James McGovern's suggestion is probably the best alternative, having students evaluate and analyze the difference between good and bad code. However, I think the utility in that approach will quickly deteriorate as the students gain more skill in writing their own code. The lazy coder will win out in the end when there are deadlines to be met.
As for our hacker friends, if we want to go down that path, then I submit that this war is already very much lost. Hanging out with some of the crews at Defcon this year was an eye-opening experience. We are so far behind the curve that it is irrational to think that we will ever catch up unless the entire battlefield is changed, and the rules of engagement along with it. So many mistakes have been made in generations before mine that we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure. This is not, incidentally, FUD - it's fact, to which not nearly enough people have direct exposure.

-ben

Goertzel, Karen [USA] wrote:
> For consistency's sake, I hope you agree that if security is an
> intermediate-to-advanced concept in software development, then all
> the other "-ilities" ("goodness" properties, if you will), such as
> quality, reliability, usability, safety, etc. that go beyond "just
> get the bloody thing to work" are also intermediate-to-advanced
> concepts.
>
> In other words, teach the "goodness" properties to developers only
> after they've inculcated all the bad habits they possibly can, and
> then, when they are out in the marketplace and never again
> incentivised to actually unlearn those bad habits, TRY desperately to
> change their minds using nothing but F.U.D. and various other
> psychological means of dubious effectiveness.
>
> Great strategy! Our hacker friends will love it.
>
> Karen Mercedes Goertzel, CISSP
> Associate
> 703.698.7454
> goertzel_ka...@bah.com
> ________________________________________
> From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave [list-s...@secureconsulting.net]
> Sent: Monday, August 24, 2009 8:35 PM
> To: sc-l@securecoding.org
> Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
>
> Two quick comments in catching up on the thread...
>
> First, security in the software development concept is at least an
> intermediate concept, if not advanced....

--
Benjamin Tomhave, MS, CISSP
fal...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"If at first you don't succeed, failure might be your thing." Warren Miller, Impact

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________