Brad Andrews wrote:
> Has anyone who holds to this taught a beginning level programming
> class? Getting students to understand what a loop is can be hard
> enough, given limited time. Diving into exploits and buffer overflows
> can be much more difficult.
Getting into exploits at this level is
Andy Steingruebl wrote:
> I think our real question isn't just how to reach the "professional"
> programmer trained via formal training programs, but also how to reach
> the "amateur" programmer trained via books, trial+error, etc.
One area here is making sure examples are done correctly. T
Are there any industry metrics that indicate what percentage of
full-time software developers actually learned coding in a university
setting? I actually learned in high school, focused on business
administration in college (easiest major on the planet) and
learned/matured on the job. Likewise, I
Great points, Karen! We can't prove a program is "secure" in the same vein.
The danger I am spouting off about is the idea that we would solve the
software security problem if we just take a more "scientific" or
"mature" (or whatever) approach. I think those can definitely reduce
the risk
Regulation will never be as effective as we need and I believe will
ultimately be counterproductive as many companies use "compliant" as
an excuse to stop. (It may get them to start, but once started, we
need them to go farther.)
In regards to cigarettes, they are still a huge problem in
We are approaching huge industry-wide application security critical
mass for the first time. Now is the time to strike. If all we teach is
input validation+canonicalization, query parameterization, and output
encoding, we stop XSS and SQLi via education
Jim Manico
On Aug 21, 2009, at 11:54
Actually, we can't prove programs are bug free if by "bug" we also mean all
possible anomalous behaviours. My colleagues keep pointing this out to me when
I suggest that we should start leveraging the computational power of computing
grids to analyze complex software the same way other researche
But we are not talking about separate classes. The assertion (which I
probably clipped, sorry) was that it should be woven into the
curriculum. I was noting where and how to do so, starting in the
intro level classes. Just telling a starting programmer to properly
check input length is
Now that you mention it
I was listening to the CERT podcast where you and a couple of others
discussed the BSIMM (probably a while back since I am well behind on
those). You made a statement along these lines and I immediately
thought that I disagreed! :)
I don't think software sec
I was thinking of a beginner-level programming class. I have and it
can be a challenge, especially if they don't have the "programming
mindset". Even if they do, you don't have the time for the things you
spoke about. You are focusing on basic coding constructs first. :)
--
Brad Andr
On Aug 21, 2009, at 12:18 PM, Brad Andrews wrote:
This brings up a great point. How can we grade a program's security
level? Is it just a checkoff list? Which elements should be in
that checkoff list?
You may be interested in reading:
Teaching Secure Programming
IEEE Security and
I think we need a multifaceted approach that includes supply side, demand side,
insurance companies, consumer protection organisations, etc. etc.
We need regulation with legal penalties - as exist for airlines, for example -
for software firms that fail to meet minimal standards for quality - w
hi sc-l,
There are many important security researchers who have given up on proving
things about software as non-practical. Among them: Ross Anderson, Virgil
Gligor, Bob Blakely, and Fred Schneider. All four of those guys have been
past silver bullet victims, and each time we discussed the a
On Aug 21, 2009, at 17:51, Brad Andrews wrote:
Has anyone who holds to this taught a beginning level programming
class?
I have. I taught a security class to undergrads. It was easier than
I thought, at least the basics were. I got them excited by a "let's
try to break things" attitude.
I am sure some things could be put into a basic class, but the ideas
are a bit deeper. Security at the "Hello World!" or Mortgage
Calculator program level seems quite difficult.
I am not so sure. Granted, an entry-level programmer is going to be an
expert, but they can be pretty effective