I see your point. On the other hand, there are times I worry that "teach the 
hacker mentality" approach to secure development training smacks a bit too much 
teaching future policemen the delights of robbery, rape, torture, and murder in 
order to prepare the to defend the public against robbers, rapists, torturers, 
and murders.

Definitely teach - with examples - what it is about software that makes it so 
easy to exploit and violate. But stop short of handing the students detailed 
blueprints and instructions, reinforced by lots of hands-on lab time. I'm just 
untrusting enough of human nature to worry that once some of them discover how 
much more fun it is to hack than to defend against hacking, what you'll end up 
with is not the next Bob Seacord but the next Kevin Mitnick.

At the very least, make psychological exams a prerequisite of acceptance into 
your class, so you can weed out the likely psychopaths and sociopaths.

Karen Mercedes Goertzel, CISSP
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Olin Sibert [u3...@siliconkeep.com]
Sent: Tuesday, August 25, 2009 8:16 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I'm mostly a lurker here, and I'm a practitioner rather than a
professional educator, but there's a viewpoint I haven't seem
much of that I want to support, namely:

      Exploits are FUN.

Teach from that angle, and I think you'll get more traction....
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to