Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread Wall, Kevin
Ben Tomhave wrote: Wall, Kevin wrote: I don't mean to split hairs here, but I think fundamental concept vs intermediate-to-advanced concept is a red herring. In your case of you teaching a 1 yr old toddler, NO is about the only thing they understand at this point. That doesn't imply

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread McGovern, James F (HTSC, IT)
Yet another perspective. I believe that this question may be somewhat flawed as it doesn't take into consideration certain demographic challenges. Right now the model seems to be based on either being academic (sitting through a semester of some old fog with no real-world experience blabbering

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread McGovern, James F (HTSC, IT)
. End of discussion... From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Jim Manico [...@manico.net] Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Andy Murren
Personally I think secure coding should be included in the entire curriculum irrespective of the level. People learn habits early on that they tend to carry for as long as they are programmers. How many programmers that learned the KR style of indentation for example continue to use it as their

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of McGovern, James F (HTSC, IT) [james.mcgov...@thehartford.com] Sent: Tuesday, August 25, 2009 2:09 PM To: Secure Code Mailing List Subject: [SC-L] Where Does Secure Coding Belong

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
James McGovern wrote... - Taking this one step further, how can we convince professors who don't teach secure coding to not accept insecure code from their students. Professors seed the students thinking by accepting anything that barely works at the last minute. Universities need to be

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Pravir Chandra
: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Matt Bishop wrote: Instead, what you can do is frame the issues as good programming. When teaching for loops, teach the idea of a limit (upper and lower bounds). Then when you get to arrays, it's natural to discuss bounds checking in the context of iteration (I don't phrase it that way, of

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Associate 703.698.7454 goertzel_ka...@bah.com From: Andy Steingruebl [stein...@gmail.com] Sent: Tuesday, August 25, 2009 1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Matt Bishop
Ben, Let's just hope that the code isn't compiled with -O3 or similar, creating an unintended bug. :) http://isc.sans.org/diary.html?storyid=6820 Brings back memories -- the first day on the job as a summer intern I had to track down a bug in a UNIX device driver. Turned out the optimizer

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Matt Bishop wrote: And that's an artifact of a lack of resources for the type of grading. Give classes the support to do this, and I suspect you'd see people get in the habit of writing better code. Better, use students and people from industry who know this stuff to staff a clinic analogous

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Bennett, Jason
So many mistakes have been made in generations before mine that we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure.

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
Brad Andrews writes... I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much focus on proofs. This was in the early 1980s in a good

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote: Exploits are FUN. I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
...@bah.com From: Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Wednesday, August 26, 2009 12:27 AM To: Goertzel, Karen [USA] Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Goertzel, Karen [USA] wrote: We

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
, August 25, 2009 8:16 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I'm mostly a lurker here, and I'm a practitioner rather than a professional educator, but there's a viewpoint I haven't seem much of that I want to support, namely: Exploits

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
[...@manico.net] Sent: Tuesday, August 25, 2009 11:17 PM To: Benjamin Tomhave Cc: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? I again come back to James McGovern's suggestion, which is treating coding as an art rather than a science Keep your Picasso out of my

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote: First, security in the software development concept is at least an intermediate concept, if not advanced. Not at all. That would be like saying that correctness is also an advanced concept, because it gets in the way of coding. Security is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Goertzel, Karen [USA]
...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Monday, August 24, 2009 8:35 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Two quick comments in catching up on the thread

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote: You don't teach proofs - not really. The elementary and junior high curriculum generally does not contain anything about proofs I was talking about college students because that's when I was properly taught programming. That may no longer

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Andy Steingruebl
On Tue, Aug 25, 2009 at 4:09 AM, Stephan Neuhausstephan.neuh...@disi.unitn.it wrote: On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote: First, security in the software development concept is at least an intermediate concept, if not advanced. Not at all. That would be like saying that

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 18:07, Andy Steingruebl wrote: Sarcasmreally? First graders are learning to do math proofs instead of basic addition? I'm quite surprised by this./Sarcasm Yeah, sorry. When I wrote about students I meant college students. I don't know, is that a difference between

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Matt Bishop
Ben, First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle (OO anybody?) directly to concepts that

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Pete Werner
Of Benjamin Tomhave [list-s...@secureconsulting.net] Sent: Monday, August 24, 2009 8:35 PM To: sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Two quick comments in catching up on the thread... First, security in the software development concept

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Goertzel, Karen [USA]
1:14 PM To: Goertzel, Karen [USA] Cc: Benjamin Tomhave; sc-l@securecoding.org Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: For consistency's sake, I hope you agree that if security

[SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread McGovern, James F (HTSC, IT)
There are several perspectives missing from the dialog: - Before we even talk about secure coding, we need a course on secure thinking. Most folks are indoctrinated into thinking positive which blinds them from seeing vulnerabilities right in front of them. A prereq on being antisocial might be a

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Brad Andrews
I was thinking of a beginner-level programming class. I have and it can be a challenge, especially if they don't have the programming mindset. Even if they do, you don't have the time for the things you spoke about. You are focusing on basic coding constructs first. :) -- Brad

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Brad Andrews
But we are not talking about separate classes. The assertion (which I probably clipped, sorry) was that it should be woven into the curriculum. I was noting where and how to do so, starting in the intro level classes. Just telling a starting programmer to properly check input length

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread McGovern, James F (HTSC, IT)
Are there any industry metrics that indicate what percentage of full-time software developers actually learned coding in a university setting? I actually learned in high-school, focused on business administration in college (easiest major on the planet) and learned/matured on the job. Likewise, I

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Mike Lyman
Andy Steingruebl wrote: I think our real question isn't just how to reach the professional programmer trained via formal training programs, but also how to reach the amateur programmer trained via books, trial+error, etc. One area here is making sure examples are done correctly. The

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Mike Lyman
Brad Andrews wrote: Has anyone who holds to this taught a beginning level programming class? Getting students to understand what a loop is can be hard enough, given limited time. Diving into exploits and buffer overflows can be much more difficult. Getting into exploits at this level is

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread SC-L Reader Dave Aronson
Goertzel, Karen [USA]goertzel_ka...@bah.com wrote: If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as specified under all conditions, functional correctness would necessarily require security, safety, fault

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Wall, Kevin
Karen Goertzel wrote... I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Goertzel, Karen [USA]
-boun...@securecoding.org] On Behalf Of Gary McGraw [...@cigital.com] Sent: Thursday, August 20, 2009 2:55 PM To: Neil Matatall; Secure Code Mailing List Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? hi neil, For what it's worth, there is a list of universities with some

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Neil Matatall
: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of Software Security http://swsec.com. Remember, this list was created in 2006, and lots of other universities

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Mike Lyman
Neil Matatall wrote: So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Secure coding needs to be taught anytime programing is taught. From my experience in my son's boy scout troop, I'm not sure I'd call it out as security and confuse

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Goertzel, Karen [USA]
: Friday, August 21, 2009 8:17 AM To: Secure Coding Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum? Neil Matatall wrote: So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Secure coding needs to be taught anytime

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Andy Steingruebl
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatallnmata...@uci.edu wrote: Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html and the OWASP podcast

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Gunnar Peterson
I think we need to start indoctrinating kids in the womb. Start selling Baby Schneier CDs alongside Baby Mozart. :) I can recommend this book, it was given to me by a client. Enigma: A Magical Mystery Grade 3–6—Someone has stolen the props belonging to the residents of a retirement home

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Brad Andrews
Has anyone who holds to this taught a beginning level programming class? Getting students to understand what a loop is can be hard enough, given limited time. Diving into exploits and buffer overflows can be much more difficult. I am sure some things could be put into a basic class,

[SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread Neil Matatall
Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread McGovern, James F (HTSC, IT)
Here is where my enterpriseyness will show. I believe the answer to the question of where secure coding belongs in the curiculum is somewhat flawed and requires addressing the curiculum holistically. If you go to art school, you are required to study the works of the masters. You don't attempt

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread Goertzel, Karen [USA]
I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as specified under all conditions,

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread Gary McGraw
hi neil, For what it's worth, there is a list of universities with some kind of software security curriculum on page 98 of Software Security http://swsec.com. Remember, this list was created in 2006, and lots of other universities have jumped on the bandwagon since then. * University of