Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

re artists. End of discussion... From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Jim Manico [...@manico.net] Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where D

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Yet another perspective. I believe that this question may be somewhat flawed as it doesn't take into consideration certain demographic challenges. Right now the model seems to be based on either being academic (sitting through a semester of some old fog with no real-world experience blabbering theo

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Ben Tomhave wrote: > Wall, Kevin wrote: > > > > I don't mean to split hairs here, but I think "fundamental concept" > > vs "intermediate-to-advanced concept" is a red herring. In your case > > of you teaching a 1 yr old toddler, "NO" is about the only thing > > they understand at this point. That d

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Wall, Kevin wrote: > > I don't mean to split hairs here, but I think "fundamental concept" > vs "intermediate-to-advanced concept" is a red herring. In your case > of you teaching a 1 yr old toddler, "NO" is about the only thing > they understand at this point. That doesn't imply that concepts lik

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

sires process to be a substitute for competence. From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Jim Manico Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does S

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

> Actually, I'm not teaching my 1 yo toddler much of anything about > traffic right now. I'm more playing guardian when she runs around the > house and making sure she doesn't get into situations for which she > would be completely and totally unprepared (and in serious > danger). She lacks the lan

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Behalf Of Jim Manico [...@manico.net] Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? > I again come back to James McGovern's suggestion, which is treating coding as an art rather than a

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Benjamin Tomhave wrote: > First, security in the software development concept is at least an > intermediate concept, if not advanced. Riffing on Brad's comments, it > seems irrational to think that you can jump straight from structural > basics with which many students struggle (OO anybody?) direct

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

p.com] Sent: Tuesday, August 25, 2009 8:16 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I'm mostly a lurker here, and I'm a practitioner rather than a professional educator, but there's a viewpoint I haven't seem much of that I

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

698.7454 goertzel_ka...@bah.com From: Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Wednesday, August 26, 2009 12:27 AM To: Goertzel, Karen [USA] Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Goertze

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote: Exploits are FUN. I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Brad Andrews writes... > I had proofs in junior high Geometry too, though I do not recall using > them outside that class. I went all the way through differential > equations, matrix algebra and probability/statistics and I don't > recall much focus on proofs. This was in the early 1980s in a go

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

"So many mistakes have been made in generations before mine that we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure." Th

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Matt Bishop wrote: > > And that's an artifact of a lack of resources for the type of grading. > Give classes the support to do this, and I suspect you'd see people get > in the habit of writing better code. Better, use students and people > from industry who know this stuff to staff a clinic analo

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Ben, Let's just hope that the code isn't compiled with -O3 or similar, creating an unintended bug. :) http://isc.sans.org/diary.html?storyid=6820 Brings back memories -- the first day on the job as a summer intern I had to track down a bug in a UNIX device driver. Turned out the optimizer

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

uebl [stein...@gmail.com] Sent: Tuesday, August 25, 2009 > 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; > sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding > Belong In the Curriculum? > > On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen > [USA] wrote: &

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Matt Bishop wrote: > > Instead, what you can do is frame the issues as "good programming". When > teaching for loops, teach the idea of a "limit" (upper and lower > bounds). Then when you get to arrays, it's natural to discuss bounds > checking in the context of iteration (I don't phrase it that w

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

> I again come back to James McGovern's suggestion, which is treating coding as an art rather than a science Keep your Picasso out of my coding shop, world of discrete mathematics and predicate logic! I don't care how cheap his hourly is. :) I'd prefer to think of coders as craftsman; we cert

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

> From: Andy Steingruebl [stein...@gmail.com] > Sent: Tuesday, August 25, 2009 1:14 PM > To: Goertzel, Karen [USA] > Cc: Benjamin Tomhave; sc-l@securecoding.org > Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? > > On Tue

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I'm mostly a lurker here, and I'm a practitioner rather than a professional educator, but there's a viewpoint I haven't seem much of that I want to support, namely: Exploits are FUN. Teach from that angle, and I think you'll get more traction. I've given a fair number of "basic security" t

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

James McGovern wrote... > - Taking this one step further, how can we convince > professors who don't > teach secure coding to not accept insecure code from their students. > Professors seed the students thinking by accepting anything > that barely > works at the last minute. Universities need to b

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

..@bah.com From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of McGovern, James F (HTSC, IT) [james.mcgov...@thehartford.com] Sent: Tuesday, August 25, 2009 2:09 PM To: Secure Code Mailing List Subject: [SC-L] Where Does Sec

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Personally I think secure coding should be included in the entire curriculum irrespective of the level. People learn habits early on that they tend to carry for as long as they are programmers. How many programmers that learned the K&R style of indentation for example continue to use it as their de

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

While part of me agrees with that in principle, I am not so sure in practice. I have found many of the students I have struggle with just getting the basic structures down, not anything fancy. The class is not taught at an elite university, but more "for the masses" though, but isn't tha

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much focus on proofs. This was in the early 1980s in a good school (Illinois),

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Tue, 25 Aug 2009, Benjamin Tomhave wrote: > We should be seeking to innovate outside the box - change the rules of > the game dramatically - rather than trying to work within the arbitrary > constructs we've placed around ourselves. Insert obligatory OWASP ESAPI praise here. The Enterprise S

[SC-L] Where Does Secure Coding Belong In the Curriculum?

There are several perspectives missing from the dialog: - Before we even talk about secure coding, we need a course on secure thinking. Most folks are indoctrinated into thinking positive which blinds them from seeing vulnerabilities right in front of them. A prereq on being antisocial might be a

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Andy Steingruebl [stein...@gmail.com] Sent: Tuesday, August 25, 2009 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA] wrote: >

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA] wrote: > For consistency's sake, I hope you agree that if security is an > intermediate-to-advanced concept in software development, then all the other > "-ilities" ("goodness" properties, if you will), such as quality, > reliability, usabil

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Aug 25, 2009, at 17:25, Benjamin Tomhave wrote: You cannot teach advanced grammar to a student with no language skills. I have excellent language skills (after my gaffe with the word "student" on this very list, I should perhaps add "in my mother tongue"), but you still couldn't teach

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

3.698.7454 > goertzel_ka...@bah.com > > From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf > Of Benjamin Tomhave [list-s...@secureconsulting.net] > Sent: Monday, August 24, 2009 8:35 PM > To: sc-l@securecodin

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Ben, First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle (OO anybody?) directly to concepts that brid

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Aug 25, 2009, at 18:07, Andy Steingruebl wrote: really? First graders are learning to do math proofs instead of basic addition? I'm quite surprised by this. Yeah, sorry. When I wrote about "students" I meant "college students". I don't know, is that a difference between British Englis

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Tue, Aug 25, 2009 at 4:09 AM, Stephan Neuhaus wrote: > > On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote: > >> First, security in the software development concept is at least an >> intermediate concept, if not advanced. > > Not at all. That would be like saying that correctness is also an adva

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote: You don't teach proofs - not really. The elementary and junior high curriculum generally does not contain anything about proofs I was talking about college students because that's when I was properly taught programming. That may no longer

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Stephan Neuhaus wrote: > > and deploy software. I see no reason why teaching to think about > assumptions should be deferred. You teach math students how to do proofs > right from the beginning for essentially the same reasons :-) > You don't teach proofs - not really. The elementary and junior h

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

___ From: > sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On > Behalf Of Benjamin Tomhave [list-s...@secureconsulting.net] Sent: > Monday, August 24, 2009 8:35 PM To: sc-l@securecoding.org Subject: > Re: [SC-L] Where Does Secure Coding Be

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Monday, August 24, 2009 8:35 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Cur

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote: First, security in the software development concept is at least an intermediate concept, if not advanced. Not at all. That would be like saying that correctness is also an advanced concept, because it gets in the way of coding. Security is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Two quick comments in catching up on the thread... First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Brad Andrews wrote: > But we are not talking about separate classes. The assertion (which I > probably clipped, sorry) was that it should be woven into the > curriculum. I was noting where and how to do so, starting in the > intro level classes. Just telling a starting programmer to properly > c

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Brad Andrews wrote: > Has anyone who holds to this taught a beginning level programming > class? Getting students to understand what a loop is can be hard > enough, given limited time. Diving into exploits and buffer overflows > can be much more difficult. Getting into exploits at this level is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Andy Steingruebl wrote: > I think our real question isn't just how to reach the "professional" > programmer trained via formal training programs, but also how to reach > the "amateur" programmer trained via books, trial+error, etc. > > One area here is making sure examples are done correctly. T

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Are there any industry metrics that indicate what percentage of full-time software developers actually learned coding in a university setting? I actually learned in high-school, focused on business administration in college (easiest major on the planet) and learned/matured on the job. Likewise, I

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

But we are not talking about separate classes. The assertion (which I probably clipped, sorry) was that it should be woven into the curriculum. I was noting where and how to do so, starting in the intro level classes. Just telling a starting programmer to properly check input length is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I was thinking of a beginner-level programming class. I have and it can be a challenge, especially if they don't have the "programming mindset". Even if they do, you don't have the time for the things you spoke about. You are focusing on basic coding constructs first. :) -- Brad Andr

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Aug 21, 2009, at 17:51, Brad Andrews wrote: Has anyone who holds to this taught a beginning level programming class? I have. I taught a security class to undergrads. It was easier than I thought, at least the basics were. I got them excited by a "let's try to break things" attitude.

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I am sure some things could be put into a basic class, but the ideas are a bit deeper. Security at the "Hello World!" or Mortgage Calculator program level seems quite difficult. I am not so sure. Granted an entry level programmer is going to be an expert, but they can be pretty effective

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Neil, I teach two software security classes at Carnegie Mellon: CS 15392 Secure Programming - Undergraduate Computer Science https://www.securecoding.cert.org/confluence/display/sci/S08+15392+Secure+Programming INI 14735 Secure Software Engineering - Graduate Course in Information Networkin

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Has anyone who holds to this taught a beginning level programming class? Getting students to understand what a loop is can be hard enough, given limited time. Diving into exploits and buffer overflows can be much more difficult. I am sure some things could be put into a basic class, but

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Karen Goertzel wrote... > I think we need to start indoctrinating kids in the womb. Start selling Baby > Schneier CDs alongside Baby Mozart. :) Yeah, I can hardly wait to hear Schneier's remake of that Dr. Seuss children's classic One Fish, Twofish, Red Fish, Blowfish -kevin -- Kevin W.

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I think we need to start indoctrinating kids in the womb. Start selling Baby Schneier CDs alongside Baby Mozart. :) I can recommend this book, it was given to me by a client. Enigma: A Magical Mystery "Grade 3–6—Someone has stolen the props belonging to the residents of a retirement home

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall wrote: > Inspired by the "What is the size of this list?" discussion, I decided I > won't be a lurker :) > > A question prompted by > http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html > and the OWASP podcast mentions > > So

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Gary wrote: "He and I discuss the notion of education versus training at length" And I don't want to bring up the discussion of the difference, however it does get me to think. In CS, we do a lot of Math, but programming is not like Math. Math is easy to verify if it is done correctly. But in pr

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

n-ci...@comcast.net] Sent: Friday, August 21, 2009 8:17 AM To: Secure Coding Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Neil Matatall wrote: > So where does secure coding belong in the curriculum? > > Higher Ed? High School? > > Undergrad? Grad? Extension?

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Neil Matatall wrote: > So where does secure coding belong in the curriculum? > > Higher Ed? High School? > > Undergrad? Grad? Extension? Secure coding needs to be taught anytime programing is taught. >From my experience in my son's boy scout troop, I'm not sure I'd call it out as security and co

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

de Mailing List Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of "Software Security" <http://swsec.com>. Remember, this list wa

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

oding.org [sc-l-boun...@securecoding.org] On Behalf Of Gary McGraw [...@cigital.com] Sent: Thursday, August 20, 2009 2:55 PM To: Neil Matatall; Secure Code Mailing List Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? hi neil, For what it's worth, there is a list of un

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Karen Goertzel wrote... > I'm more devious. I think what needs to happen is that we > need to redefine what we mean by "functionally correct" or > "quality" code. If determination of functional correctness > were extended from "must operate as specified under expected > conditions" to "must operat

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Goertzel, Karen [USA] wrote: > If determination of functional correctness were extended from "must > operate as specified under expected conditions" to "must operate as > specified under all conditions", functional correctness would necessarily > require security, safety, fault tolerance, and all

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Wanted to introduce another worst practice in terms of Universities vs Enterprises that isn't about curriculum but is about knowledge of secure coding. There are user groups such as OWASP where topics such as secure coding are frequently discussed. These events are 100% free to attend and are fille

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of "Software Security" . Remember, this list was created in 2006, and lots of other universities have jumped on the bandwagon since then. * University of C

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I'm more devious. I think what needs to happen is that we need to redefine what we mean by "functionally correct" or "quality" code. If determination of functional correctness were extended from "must operate as specified under expected conditions" to "must operate as specified under all conditi

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Thu, 20 Aug 2009 11:07:12 -0400 "McGovern, James F (HTSC, IT)" wrote: > Here is where my enterpriseyness will show. I believe the answer to the > question of where secure coding belongs in the curiculum is somewhat > flawed and requires addressing the curiculum holistically. > > If you go to

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Wed, Aug 19, 2009 at 5:15 PM, Neil Matatall wrote: > So where does secure coding belong in the curriculum? I think secure coding should be taught at the same time that coding is taught. There are aspects of security that can be taught from the beginning, such as input validation and error han

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Here is where my enterpriseyness will show. I believe the answer to the question of where secure coding belongs in the curiculum is somewhat flawed and requires addressing the curiculum holistically. If you go to art school, you are required to study the works of the masters. You don't attempt to

[SC-L] Where Does Secure Coding Belong In the Curriculum?

Inspired by the "What is the size of this list?" discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html and the OWASP podcast mentions So where does secure coding belong in the curriculum? Higher Ed