I'm mostly a lurker here, and I'm a practitioner rather than a professional educator, but there's a viewpoint I haven't seen much of that I want to support, namely:

Exploits are FUN. Teach from that angle, and I think you'll get more traction.

I've given a fair number of "basic security" talks to commercial audiences. Invariably, a significant fraction of the audience, whether they are professional programmers, inexperienced interns, marketing types, managers, etc., end up wanting to understand how exploits actually work and how they are prevented. I can't help thinking that this would be true of even the freshest of programming/compsci students. Heck, I've even gotten that reaction from some of my kids' high school friends.

Not everyone thinks that way, but I think if we can get students to think "hey, that's pretty clever" instead of teaching security as something you _must_ do because it's good for you even though it's not obviously related to getting the job done, odds for success are higher.

Rigor needs to come eventually, but I think it is absolutely appropriate to include some exploit-based entertainment even at the earliest stages of education. We should be selling sizzling steak, not cod liver oil.

Olin Sibert
Oxford Systems, Inc.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________