While no customer is likely to say they don't care about software
working now that we are past Y2K, they don't think about it at all and
are unlikely to allow any schedule slippage to allow for making sure
that is true.
Customers only really care about the things they will pay for. Many
This brings up a great point. How can we grade a program's security
level? Is it just a checkoff list? Which elements should be in that
checkoff list?
The worst part of teaching is grading papers (programs are a close
second). Making that more complicated is not likely to work. I
a
Neil,
I teach two software security classes at Carnegie Mellon:
CS 15392 Secure Programming - Undergraduate Computer Science
https://www.securecoding.cert.org/confluence/display/sci/S08+15392+Secure+Programming
INI 14735 Secure Software Engineering - Graduate Course in Information
Networkin
hi sc-l,
The 41st epsiode of Silver Bullet just went live. This episode features a
conversation with Fred Schneider, a computer sceince professor at Cornell and a
very important thought leader in security research. Fred was the author of the
seminal National Academies study "Trust in Cyberspa
Wanted to introduce another worst practice in terms of Universities vs
Enterprises that isn't about curriculum but is about knowledge of secure
coding. There are user groups such as OWASP where topics such as secure
coding are frequently discussed. These events are 100% free to attend
and are fille
Goertzel, Karen [USA] wrote:
> If determination of functional correctness were extended from "must
> operate as specified under expected conditions" to "must operate as
> specified under all conditions", functional correctness would necessarily
> require security, safety, fault tolerance, and all
Karen Goertzel wrote...
> I'm more devious. I think what needs to happen is that we
> need to redefine what we mean by "functionally correct" or
> "quality" code. If determination of functional correctness
> were extended from "must operate as specified under expected
> conditions" to "must operat
Karen, Matt & all,
Goertzel, Karen [USA] wrote:
> I'm more devious. I think what needs to happen is that we need to redefine
> what we mean by "functionally correct" or "quality" code. If determination of
> functional correctness were extended from "must operate as specified under
> expected co
Here's an extract from the Information Assurance Technology Analysis Center
(part of DTIC) "Software Security Assurance: A State of the Art Report"
(http://iac.dtic.mil/iatac/download/security.pdf):
Courses on secure software development, secure programming, etc., typically
begin by introducing
Everyone,
Thank you for all of the input. Really. This information has been
extremely helpful!
Neil
Goertzel, Karen [USA] wrote:
Here's an extract from the Information Assurance Technology Analysis Center (part of
DTIC) "Software Security Assurance: A State of the Art Report"
(http://ia
A colleague and I have been looking at the problem a bit, in the context of
need for survivability in safety-critical systems. Below is an extract of the
paper "Software Survivability: Where Safety and Security Converge" authored by
Larry Feldman, Ph.D., and myself, and presented by our colleagu
I spent a fair bit of time doing stuff relating to voting systems,
which all have embedded systems. (I am not one of the experts who
pulls them apart, lest anyone think I'm claiming credit for them.)
They are supposedly closed systems, but every time someone competent
has tried to attack them, the
Let me amplify what Matt Bishop has said.
I tend to deal with TRUSTWORTHINESS, which encompasses
security, reliability, survivability, human safety, and anything
else that you have to trust whether you like it or not.
Security is only one aspect of it. Long ago Butler Lampson
wrote a paper pointin
Thank you for all the info you guys have sent, it has been very
informative... :)
It is harder to steal the source (you need more electronical knowledge
and expensive debuggers and stuff) but it is possible... Do you guys
know some pages with security tips for embedded systems?
_
Interesting. My definition of "secure" is for software is "dependable,
trustworthy, and survivable (or, if you prefer, resilient)", i.e.,
(1) It's got to behave correctly and predictably;
(2) It's got to behave non-maliciously and also not be subvertible (i.e., no
weaknesses that can be explo
Neil Matatall wrote:
> So where does secure coding belong in the curriculum?
>
> Higher Ed? High School?
>
> Undergrad? Grad? Extension?
Secure coding needs to be taught anytime programing is taught.
>From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and co
Martin Gilje Jaatun wrote:
> Karen, Matt & all,
>
> Goertzel, Karen [USA] wrote:
> > I'm more devious. I think what needs to happen is that we
> need to redefine what we mean by "functionally correct" or
> "quality" code. If determination of functional correctness
> were extended from "must o
We looked at the problem of voting system security specifically in the context
of insider threat for last year's IATAC State of the Art Report on the Insider
Threat to Information Systems - some of which involved "rogue" developers
engineering backdoors into such systems. Unfortunately the docum
I think we need to start indoctrinating kids in the womb. Start selling Baby
Schneier CDs alongside Baby Mozart. :)
Seriously, though, cyberspace is such an integral part of modern life, parents
need to inculcate online security into their toddlers the same way they teach
them to look both ways
Actually CJC, it's often even worse than that. In many cases, the customer or
consumer has an implicit requirement for security that remains unstated. Only
when the system fails and is successfully attacked does that requirement shift
from implicit to explicit. "You mean it wasn't secure?? Y
Gary wrote:
"He and I discuss the notion of education versus training at length"
And I don't want to bring up the discussion of the difference, however
it does get me to think.
In CS, we do a lot of Math, but programming is not like Math. Math is
easy to verify if it is done correctly. But in pr
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall wrote:
> Inspired by the "What is the size of this list?" discussion, I decided I
> won't be a lurker :)
>
> A question prompted by
> http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
> and the OWASP podcast mentions
>
> So
I think we need to start indoctrinating kids in the womb. Start
selling Baby Schneier CDs alongside Baby Mozart. :)
I can recommend this book, it was given to me by a client.
Enigma: A Magical Mystery
"Grade 3–6—Someone has stolen the props belonging to the residents of
a retirement home
I completely agree with your final statement Karen, but I see a lot
more of the words aiming at the 100% mark and I think that is
ultimately a bad focus since it is unachievable and therefore will
waste focus and effort.
While on paper we can "prove" programs are bug free (security-relate
Karen Goertzel wrote...
> I think we need to start indoctrinating kids in the womb. Start selling Baby
> Schneier CDs alongside Baby Mozart. :)
Yeah, I can hardly wait to hear Schneier's remake of that Dr. Seuss children's
classic
One Fish, Twofish, Red Fish, Blowfish
-kevin
--
Kevin W.
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
I am sure some things could be put into a basic class, but
I completely agree, though how are we really going to reach this
point? We have been talking about this at least since I got into
development in the early 1980s. We are not anywhere closer, though we
have lots of neat tools that do lots of neat stuff. Unfortunately,
our programs are al
27 matches
Mail list logo