[SC-L] Inherently Secure Code?

2009-08-26 Thread Brad Andrews
I am not sure I agree that this is any more achievable than claiming a bank building should allow all valid customers in, but keep out all thieves. While we can and should make great strides, we will always have some exposure because we have to let some things through. The only way we

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Andy Murren
Personally I think secure coding should be included in the entire curriculum irrespective of the level. People learn habits early on that they tend to carry for as long as they are programmers. How many programmers that learned the KR style of indentation for example continue to use it as their

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
Not so much anti-social as untrusting, supicious, and paranoid. Actually, being highly social could provide an excellent cover to fool the bad guys into thinking one is a lot less security-savvy than one actually is. Karen Mercedes Goertzel, CISSP Associate 703.698.7454 goertzel_ka...@bah.com

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
James McGovern wrote... - Taking this one step further, how can we convince professors who don't teach secure coding to not accept insecure code from their students. Professors seed the students thinking by accepting anything that barely works at the last minute. Universities need to be

Re: [SC-L] informIT: attack categories

2009-08-26 Thread Gary McGraw
hi sc-l, Fred sent me some email today and reminded me that he has written about this idea himself in IEEE Security Privacy magazine. We already had a link to his article on the Silver Bullet website, but here's a direct link: The Monoculture Risk Put in Context IEEE Security and Privacy 7,

Re: [SC-L] informIT: attack categories

2009-08-26 Thread Gary McGraw
hi steve, The bugs/flaw continuum is, in fact, a continuum. It's great that you guys have begun to collect and publish information about flaws in the CWE. I agree completely with your statement I suspect that design/architecture level taxonomies will be very challenging to build. Part of

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Pravir Chandra
The playing in traffic example is one extreme end of the spectrum. A good analogy for the other end might be physics where you just teach Newtonian theory it as if it were 100% accurate and then, if the student decides to take a relativistic physics class, you teach them on day 1 that everything

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Matt Bishop wrote: Instead, what you can do is frame the issues as good programming. When teaching for loops, teach the idea of a limit (upper and lower bounds). Then when you get to arrays, it's natural to discuss bounds checking in the context of iteration (I don't phrase it that way, of

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Goertzel, Karen [USA] wrote: We teach toddlers from the time they can walk that they shouldn't play in traffic. A year or two later, we teach them to look both ways before crossing the street. Even later - usually when they're approaching their teens, and can deal with grim reality, we give

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Matt Bishop
Ben, Let's just hope that the code isn't compiled with -O3 or similar, creating an unintended bug. :) http://isc.sans.org/diary.html?storyid=6820 Brings back memories -- the first day on the job as a summer intern I had to track down a bug in a UNIX device driver. Turned out the optimizer

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Matt Bishop wrote: And that's an artifact of a lack of resources for the type of grading. Give classes the support to do this, and I suspect you'd see people get in the habit of writing better code. Better, use students and people from industry who know this stuff to staff a clinic analogous

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Bennett, Jason
So many mistakes have been made in generations before mine that we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure.

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
Brad Andrews writes... I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much focus on proofs. This was in the early 1980s in a good

Re: [SC-L] informIT: attack categories

2009-08-26 Thread Prasad Shenoy
Gary, Great article and since you used attacks and categories in the same :) sentence I am tempted to ask if you looked at WASC Threat Classification project? On Tuesday, August 25, 2009, Steven M. Christey co...@linus.mitre.org wrote: Gary, You said in the article: The next category of

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote: Exploits are FUN. I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is

Re: [SC-L] informIT: attack categories

2009-08-26 Thread ljknews
At 6:36 PM -0400 8/25/09, Steven M. Christey wrote: Gary, You said in the article: The next category of attacks to expect are attacks that target defects in design and architecture - which I call flaws. I think it's already happening. I think it has been happening for years. I use

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
Your example is spurious as a refutation of what I was trying to say (as I suspect you already know). Obviously you're not going to try to teach a not-yet-verbal infant a self-preservation concept that requires even the most rudimentary reasoning. That said, I'll be interested to hear from you

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
I too remember learning proofs in Jr. High. And I also believe the main objective was to teach 12 and 13 year olds that it is possible to apply a repeatable, disciplined process to how they approach problem solving. Certainly not a worthless lesson, even if the mathematics involved are never

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
I see your point. On the other hand, there are times I worry that teach the hacker mentality approach to secure development training smacks a bit too much teaching future policemen the delights of robbery, rape, torture, and murder in order to prepare the to defend the public against robbers,

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
Your Picasso - or, perhaps, Frank Lloyd Wright would be a better analogy - definitely has a role in software development. I want his creativity up front in the specification and high-level design of the building (the software system). But when it comes to detailed design and testing, I'm going