James McGovern wrote...

> - Taking this one step further, how can we convince
> professors who don't
> teach secure coding to not accept insecure code from their students.
> Professors seed the students thinking by accepting anything
> that barely
> works at the last minute. Universities need to be consistent amongst
> their own teaching/thinking.

Well, actually, I think that what Matt Bishop wrote in his response to
Benjamin Tomhave is the key:

> But in introductory classes, I tend to focus on what I am calling
> "robust" above; when I teach software security, I focus on
> both, as I consider robustness part of security.
> By the way, you can do this very effectively in a beginning
> programming class. When I taught Python, as soon as the students got
> to basic structures like control loops (for which they had to do
> simple reading), I showed them how to catch exceptions so that they
> could handle input errors. When they did functions, we went into
> exceptions in more detail. They were told that if they didn't handle
> exceptions in their assignments, they would lose points -- and the
> graders gave inputs that would force exceptions to check that
> they did.
> Most people got it quickly.

That is, Matt suggested a direct reward / punishment. Specifically, if
the students don't account for bad input via exceptions or some other
suitable mechanism, the simply loose points.

Matt's right. If it boils down to grades, most students will get it, and

And whether we call this secure-coding, robustness, or simply correctness,
it's a start.

I think that too many people when they hear that we need to start teaching
security at every level of CS are thinking of more complicated things like
encryption, authentication protocols, Bell-LaPadula, etc. but I don't think
that was where the thrust of this thread was leading.

Kevin W. Wall           Qwest Information Technology, Inc.
kevin.w...@qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to