Matt Bishop wrote: > > Instead, what you can do is frame the issues as "good programming". When > teaching for loops, teach the idea of a "limit" (upper and lower > bounds). Then when you get to arrays, it's natural to discuss bounds > checking in the context of iteration (I don't phrase it that way, of > course). When you grade, you check for it. Presto! Now you have taught > what is commonly considered a security requirement without ever > mentioning the word "security". > I would agree with this, as I think it again syncs with what James McGovern talked about earlier, too. A graduated approach to "secure coding" (for whatever definition we might insert) is the only logical progression. However, as you conceded, we have to be very careful just how much we introduce and when. I remember the disconnect in the mid-90s when the CompSci curriculum switched to OO. Some of us got caught in the blender where our first CS class was non-OO and our 2nd class was suddenly all OO and we didn't know what the heck was going on. It seems we're perhaps still in this transitional state to a large part.
> By the way, you can do this very effectively in a beginning programming > class. When I taught Python, as soon as the students got to basic > structures like control loops (for which they had to do simple reading), > I showed them how to catch exceptions so that they could handle input > errors. When they did functions, we went into exceptions in more detail. > They were told that if they didn't handle exceptions in their > assignments, they would lose points -- and the graders gave inputs that > would force exceptions to check that they did. > Let's just hope that the code isn't compiled with -O3 or similar, creating an unintended bug. :) http://isc.sans.org/diary.html?storyid=6820 > Most people got it quickly. > Getting it and applying it IRL are of course two completely different things. I still find it somewhat absurd that we even need to have this discussion still after how many decades of curriculum development? :) -ben -- Benjamin Tomhave, MS, CISSP fal...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] "Reading is to the mind what exercise is to the body." Sir Richard Steele _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
