Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread Wall, Kevin
Ben Tomhave wrote:
 Wall, Kevin wrote:
 
  I don't mean to split hairs here, but I think fundamental concept
  vs intermediate-to-advanced concept is a red herring. In your case
  of you teaching a 1 yr old toddler, NO is about the only thing
  they understand at this point. That doesn't imply that concepts like
  street are intermediate-to-advanced. It's all a matter of perspective.
  If you are talking to someone with a Ph.D. in physics about partial
  differential equations, PDEs *are* a fundamental concept at that level
  (and much earlier in fact). The point is, not to argue semantics, but
  rather to teach LEVEL-APPROPRIATE concepts.
 
 I think you do mean to split hairs, and I think you're right to do so.
 Context is very important. For example, all this talk about
 where to fit secure coding into the curriculum is great, but it also
 ignores the very large population of self-taught coders out there,
 as well as those who learn their craft in a setting other than a
 college or university. Ergo, it still seems like we're talking at
 ends about an issue that, while important, is still only at best a
 partial solution.

Of course it's only a partial solution and I think you raise some
very valid concerns. Normally, I wouldn't consider the self-taught
in a discussion of where does secure coding belong in the CURRICULUM,
but we can't ignore that 800 lb gorilla either. That of course is a
much harder challenge. I suppose in some sense we should expect / hope
that these same concepts that we've been discussing are addressed in
the numerous books, periodicals, web sites, etc. where most of this
learning happens. But that's probably a much more difficult situation to
change...more of a wild, wild west in comparison to academia.

Ultimately, most sane people act in accordance with that they are
rewarded for doing things correct and disciplined for doing wrong.
In academia, we can do this with grades for students, pay and/or tenure
or other perks for professors / lecturers, etc. But once we get into
books and magazines realm, we have to look for the publishers to
reward / discipline appropriately and IMO they don't necessarily have
the same drivers as academia.  Many publishers seem to be more
concerned with just making a quick $$ rather than being accurate
or thoroughly training people to do things correctly. (How else can you
explain books explain tabloids, unless you subscribe to the MiB theory.
And IMHO, there are plenty of tabloid-like publishers writing
books in the programming field, but I digress.) Getting back to my
point, you don't have that less control for someone putting up
their own educational web pages that profess to teach programming
to which many of the self-educated seem to rely on. There are plenty of
good ones, but most I've seen seem to be oblivious to secure coding
practice (w/ exception of security-related sites such as OWASP, etc.)

So it's only things like reputation, and ultimately market
pressures that force any corrective actions in regards to publishers
of written and web material. Add to that the problem that BECAUSE
these people are self-taught, they generally don't have someone to
provide guidance to separate the wheat from the chaff like instructors
hopefully do with their students.

But if self-taught programmers are the 800 pound gorilla, then corporate
business is the 4 ton elephant.  If anything, I would say that
addressing the pressures that seem to be on corporate programmers that
come to bear _against_ secure coding practice (although unintentionally)
is the MUCH BIGGER problem. (Most people go into CS to move into industry
after all, not to stay and teach/research in academia.)

Most businesses rate secure code as a very low need and to emphasize
time-to-market (which presumably has a direct correlation to market share,
or so we've been told) over everything else. IMHO, that leads to more
slip-shod code than any other single factor. Adding defensive code to
make it more robust against attacks takes additional time, which on
large projects can be quite significant. To make matters worse, many
IT shops in the USA seem to reward the how fast can you crank out code
(no matter how insecure) over the how good of quality do you deliver
mentality. What is rewarded in IT shops is quantity of LOC cranked out
each week (wrongly widely perceived as equivalent to productivity)
over quality (less buggy code, which I believe correlates well with less
vulnerabilities).

I have no sour grapes here--never wanted to move into management--yet
over my 30+ years in industry (mostly telecom), I've seen the fast get
rewarded, transfer to another project before things crash-and-burn, and
then go on to get promoted to some management position. And then they
continue to act this way as managers because that's what got them there.

Let's face it, the IT industry in the USA is one huge dysfunctional family.

So, I think *that's* why we've been focusing on formal education. There is a
chance, a glimmer of 

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread McGovern, James F (HTSC, IT)
Yet another perspective. I believe that this question may be somewhat
flawed as it doesn't take into consideration certain demographic
challenges. Right now the model seems to be based on either being
academic (sitting through a semester of some old fog with no real-world
experience blabbering theory) or in the professional world and their
ability to bring in consultants to perform in-house training (in a
highly constrained time crunch).

So, if you are an employee of a small software company, how do you learn
to write secure code? Academia hasn't yet adjusted to the modern world
of professionals where education needs to be a component in work/life
balance and not an impediment to it and therefore this isn't really an
option for the masses. Likewise, if you aren't employed by a large
enterprise with a training budget that can hire all these training firms
that want to do onsite classes for dozens of employees, you are left
with reading lots of books on your free time, a few OWASP TV videos and
google.

One of the more interesting experiences that I had was that a professor
at RPI uses one of the books I am the lead author for in his class. If I
wanted to be a guest lecturer, this would be no problem, yet if I wanted
to get credit for the course, I would actually have to sit through the
entire thing which would be as interesting as watching paint dry. I have
on several occasions made the offer that I will pay for all fees for a
given course upfront and I want to take the final exam. If I did not
score 100% you could fail me and still no university would take my
offer.

We got to find a balance between one-day train the world in corporate
America and months upon months of mind-numbing indoctrination that
universities push if we are to truly conquer the challenge of secure
coding.


This communication, including attachments, is for the exclusive use of 
addressee and may contain proprietary, confidential and/or privileged 
information.  If you are not the intended recipient, any use, copying, 
disclosure, dissemination or distribution is strictly prohibited.  If you are 
not the intended recipient, please notify the sender immediately by return 
e-mail, delete this communication and destroy all copies.



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread McGovern, James F (HTSC, IT)
 

We are NOT craftsmen by any stretch of the imagination. If you have ever
worked in a large enterprise, the ability to change roles and be fluid
in one's career is rewarding yet has unintended consequences.

If I went to my boss tomorrow and said that I no longer want to be an
architect and instead want some experience managing a project, what
training do you think I will be afforded before I actually get to
project manage a large initiative? For that matter I am an architect,
what training do you think I have received? 

Much of my daily job is art where all of about ten minutes requires
craftsmanship. We need to stop being delusional and thinking that us IT
folks are bound by ANY principle. If you find a single principle taught
in a university setting that hasn't been waived in a corporate
environment at one time or another, I sure would love to know what that
is.

We are artists. End of discussion...


From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On
Behalf Of Jim Manico [...@manico.net]
Sent: Tuesday, August 25, 2009 11:17 PM
To: Benjamin Tomhave
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

 I again come back to James McGovern's suggestion, which is treating
coding as an art rather than a science

Keep your Picasso out of my coding shop, world of discrete mathematics
and predicate logic! I don't care how cheap his hourly is. :)

I'd prefer to think of coders as craftsmen; we certainly are not
artists, scientists or engineers. ;) And craftsmen are bound by the laws
of mathematics and the sponsors who pay us, artists have no bounds.

- Jim




Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Andy Murren
Personally I think secure coding should be included in the entire
curriculum irrespective of the level. People learn habits early on
that they tend to carry for as long as they are programmers. How many
programmers that learned the K&R style of indentation for example
continue to use it as their default style even when they have learned
new languages?

Having just done a quick survey of the programming books on my shelves
I don't find security or secure coding covered much if at all. I doubt
that is because some business guy came down to the author and told him
to excise security from the book. If basic security and secure coding
practices are not integrated into programming from the beginning it is
an add on, and hence not a natural component of the (art|science) of
programming and much easier to skip.

I have started teaching my 12 year old son C programming at home. We
started off with a basic Hello World, then added his name as a
variable, then a loop to print different names, then added the ability
to take the name as input from the command line. At each step we added
in a bit of exception handling, and once we got to user input data we
added basic data and input validation. Each new version of the program
had a test plan and had to handle exceptions. This is a very simple
example and is not something production ready, but every step showed
him how to program without leaving security out.

In my opinion, any educational program that deals with computers or
networks should have security and secure coding woven into it. The
amount and type of secure coding depends on the subject. A management
class that calculates costs and ROI of a project should have metrics
for the cost of security or robustness failures. Networking classes
should have secure configuration integrated. Software
engineering/design would need to have appropriate modules on
encryption, identity management, etc, etc.

In the end I think the question should be: Is there a place where
security and secure coding do NOT belong in a curriculum?


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
Not so much anti-social as untrusting, suspicious, and paranoid. Actually, being 
highly social could provide an excellent cover to fool the bad guys into 
thinking one is a lot less security-savvy than one actually is.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of McGovern, James F (HTSC, IT) [james.mcgov...@thehartford.com]
Sent: Tuesday, August 25, 2009 2:09 PM
To: Secure Code Mailing List
Subject: [SC-L] Where Does Secure Coding Belong In the Curriculum?

There are several perspectives missing from the dialog:

- Before we even talk about secure coding, we need a course on secure
thinking. Most folks are indoctrinated into thinking positive which
blinds them from seeing vulnerabilities right in front of them. A prereq
on being antisocial might be a good start


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
James McGovern wrote...

 - Taking this one step further, how can we convince professors who don't
 teach secure coding to not accept insecure code from their students.
 Professors seed the students thinking by accepting anything that barely
 works at the last minute. Universities need to be consistent amongst
 their own teaching/thinking.

Well, actually, I think that what Matt Bishop wrote in his response to
Benjamin Tomhave is the key:

 But in introductory classes, I tend to focus on what I am calling
 robust above; when I teach software security, I focus on
 both, as I consider robustness part of security.

 By the way, you can do this very effectively in a beginning
 programming class. When I taught Python, as soon as the students got
 to basic structures like control loops (for which they had to do
 simple reading), I showed them how to catch exceptions so that they
 could handle input errors. When they did functions, we went into
 exceptions in more detail. They were told that if they didn't handle
 exceptions in their assignments, they would lose points -- and the
 graders gave inputs that would force exceptions to check that
 they did.

 Most people got it quickly.

That is, Matt suggested a direct reward / punishment. Specifically, if
the students don't account for bad input via exceptions or some other
suitable mechanism, they simply lose points.

Matt's right. If it boils down to grades, most students will get it, and
fast.

And whether we call this secure-coding, robustness, or simply correctness,
it's a start.

I think that too many people when they hear that we need to start teaching
security at every level of CS are thinking of more complicated things like
encryption, authentication protocols, Bell-LaPadula, etc. but I don't think
that was where the thrust of this thread was leading.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.com    Phone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
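
The grading practice discussed in the message above (graders supply inputs chosen to force exceptions, and code that does not handle them loses points), as an added example that is not part of the original thread. The assignment, function names, grader inputs and point values are all assumptions made for illustration.

```python
"""Added illustration of grading with exception-forcing inputs.

Hypothetical assignment: parse_quantity(text) returns an int in 1..100,
or None when the text is not an acceptable quantity.
"""

# Constructed grader inputs: (text typed by the user, expected result).
GRADER_CASES = [
    ("42", 42),      # ordinary valid input
    (" 7 ", 7),      # surrounding whitespace is tolerated by int()
    ("", None),      # empty input
    ("abc", None),   # not a number
    ("3.5", None),   # not an integer
    ("-5", None),    # parses, but is below the allowed range
    ("101", None),   # parses, but is above the allowed range
]


def fragile_parse_quantity(text):
    """Submission that 'works' on the happy path only."""
    return int(text)


def robust_parse_quantity(text):
    """Submission that handles input errors and enforces the range."""
    try:
        value = int(text)
    except ValueError:
        return None          # malformed input is rejected, not a crash
    if not 1 <= value <= 100:
        return None          # well-formed but out of bounds
    return value


def grade(submission, cases=GRADER_CASES, points_per_case=10):
    """Run a submission against every grader case.

    A case earns points only when the call returns the expected value.
    An exception escaping the student's code earns nothing for that case.
    Returns (score, report), where report lists (input, outcome) pairs.
    """
    score = 0
    report = []
    for text, expected in cases:
        try:
            got = submission(text)
        except Exception as exc:  # the grader must survive any student bug
            report.append((text, "crashed: " + type(exc).__name__))
            continue
        if got == expected:
            score += points_per_case
            report.append((text, "ok"))
        else:
            report.append((text, "wrong: returned %r" % (got,)))
    return score, report


if __name__ == "__main__":
    for submission in (fragile_parse_quantity, robust_parse_quantity):
        score, report = grade(submission)
        print(submission.__name__, score, "of", 10 * len(GRADER_CASES))
        for text, outcome in report:
            print("   %-8r %s" % (text, outcome))
```
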





Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Pravir Chandra
The playing in traffic example is one extreme end of the spectrum. A
good analogy for the other end might be physics where you just teach
Newtonian theory as if it were 100% accurate and then, if the
student decides to take a relativistic physics class, you teach them
on day 1 that everything they know isn't right. It seems teaching
secure programming must lie somewhere between these two ends of the
spectrum.

Perhaps a more useful exercise (rather than debating where in the
gradient through metaphor) is to try to enumerate the variables that
play into what draws a topic toward one end or the other. Such
variables might include:
 * stickiness of the bias/habits acquired as you learn more
 * impetus to learn more
 * ability/access to learn more

Just a thought.

p.


On 8/25/09, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:
 We teach toddlers from the time they can walk that they shouldn't play in
 traffic. A year or two later, we teach them to look both ways before
 crossing the street. Even later - usually when they're approaching their
 teens, and can deal with grim reality, we give examples that illustrate
 exactly WHY they needed to know those things.

 But that doesn't mean we wait until the kids are 11 or 12 to tell them
 they shouldn't play in traffic.

 There has to be some way to start introducing the idea even to the rawest of
 raw beginning programming students that good is much more desirable than
 expedient, and then to introduce the various properties that collectively
 constitute good - including security.

 Karen Mercedes Goertzel, CISSP
 Associate
 703.698.7454
 goertzel_ka...@bah.com
 
 From: Andy Steingruebl [stein...@gmail.com]
 Sent: Tuesday, August 25, 2009 1:14 PM
 To: Goertzel, Karen [USA]
 Cc: Benjamin Tomhave; sc-l@securecoding.org
 Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

 On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
 [USA]goertzel_ka...@bah.com wrote:
 For consistency's sake, I hope you agree that if security is an
 intermediate-to-advanced concept in software development, then all the
 other -ilities (goodness properties, if you will), such as quality,
 reliability, usability, safety, etc. that go beyond just get the bloody
 thing to work are also intermediate-to-advanced concepts.

 In other words, teach the goodness properties to developers only after
 they've inculcated all the bad habits they possibly can, and then, when
 they are out in the marketplace and never again incentivised to actually
 unlearn those bad habits, TRY desperately to change their minds using
 nothing but F.U.D. and various other psychological means of dubious
 effectiveness.

 Seriously?  We're going to teach kids in 5th grade who are just
 learning what an algorithm is how to protect against malicious inputs,
 how to make their application fast, handle all exception conditions,
 etc?

 ...



-- 
~ ~  ~ ~~~ ~~ ~
Pravir Chandra  chandraatlistdotorg
PGP:CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~  ~ ~


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Matt Bishop wrote:
 
 Instead, what you can do is frame the issues as good programming. When
 teaching for loops, teach the idea of a limit (upper and lower
 bounds). Then when you get to arrays, it's natural to discuss bounds
 checking in the context of iteration (I don't phrase it that way, of
 course). When you grade, you check for it. Presto! Now you have taught
 what is commonly considered a security requirement without ever
 mentioning the word security.
 
I would agree with this, as I think it again syncs with what James
McGovern talked about earlier, too. A graduated approach to secure
coding (for whatever definition we might insert) is the only logical
progression. However, as you conceded, we have to be very careful just
how much we introduce and when. I remember the disconnect in the mid-90s
when the CompSci curriculum switched to OO. Some of us got caught in the
blender where our first CS class was non-OO and our 2nd class was
suddenly all OO and we didn't know what the heck was going on. It seems
we're perhaps still in this transitional state to a large part.

 By the way, you can do this very effectively in a beginning programming
 class. When I taught Python, as soon as the students got to basic
 structures like control loops (for which they had to do simple reading),
 I showed them how to catch exceptions so that they could handle input
 errors. When they did functions, we went into exceptions in more detail.
 They were told that if they didn't handle exceptions in their
 assignments, they would lose points -- and the graders gave inputs that
 would force exceptions to check that they did.
 
Let's just hope that the code isn't compiled with -O3 or similar,
creating an unintended bug. :)
http://isc.sans.org/diary.html?storyid=6820

 Most people got it quickly.
 
Getting it and applying it IRL are of course two completely different
things. I still find it somewhat absurd that we even need to have this
discussion still after how many decades of curriculum development? :)

-ben

-- 
Benjamin Tomhave, MS, CISSP
fal...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Reading is to the mind what exercise is to the body.
Sir Richard Steele


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Goertzel, Karen [USA] wrote:
 We teach toddlers from the time they can walk that they shouldn't
 play in traffic. A year or two later, we teach them to look both ways
 before crossing the street. Even later - usually when they're
 approaching their teens, and can deal with grim reality, we give
 examples that illustrate exactly WHY they needed to know those
 things.
 
Actually, I'm not teaching my 1 yo toddler much of anything about
traffic right now. I'm more playing guardian when she runs around the
house and making sure she doesn't get into situations for which she
would be completely and totally unprepared (and in serious danger). She
lacks the language skills to even marginally understand basic concepts
like street let alone don't play in the street. I think this rather
proves my point that secure coding is not itself a fundamental concept,
but rather an intermediate-to-advanced concept. Matt Bishop's comments
are great, but they've also been applied in a context of higher ed., and
recognize the limits of student understanding at different phases of
development.

-ben

 But that doesn't mean we wait until the kids are 11 or 12 to tell
 them they shouldn't play in traffic.
 
 There has to be some way to start introducing the idea even to the
 rawest of raw beginning programming students that good is much more
 desirable than expedient, and then to introduce the various
 properties that collectively constitute good - including security.
 
 Karen Mercedes Goertzel, CISSP
 Associate
 703.698.7454
 goertzel_ka...@bah.com
 
 From: Andy Steingruebl [stein...@gmail.com]
 Sent: Tuesday, August 25, 2009 1:14 PM
 To: Goertzel, Karen [USA]
 Cc: Benjamin Tomhave; sc-l@securecoding.org
 Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
 
 On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen 
 [USA]goertzel_ka...@bah.com wrote:
 For consistency's sake, I hope you agree that if security is an
 intermediate-to-advanced concept in software development, then all
 the other -ilities (goodness properties, if you will), such as
 quality, reliability, usability, safety, etc. that go beyond just
 get the bloody thing to work are also intermediate-to-advanced
 concepts.
 
 In other words, teach the goodness properties to developers only
 after they've inculcated all the bad habits they possibly can, and
 then, when they are out in the marketplace and never again
 incentivised to actually unlearn those bad habits, TRY desperately
 to change their minds using nothing but F.U.D. and various other
 psychological means of dubious effectiveness.
 
 Seriously?  We're going to teach kids in 5th grade who are just 
 learning what an algorithm is how to protect against malicious
 inputs, how to make their application fast, handle all exception
 conditions, etc?
 
 ...
 

-- 
Benjamin Tomhave, MS, CISSP
fal...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
That which has always been accepted by everyone, everywhere, is almost
certain to be false.
Paul Valery


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Matt Bishop

Ben,


 Let's just hope that the code isn't compiled with -O3 or similar,
 creating an unintended bug. :)
 http://isc.sans.org/diary.html?storyid=6820


Brings back memories -- the first day on the job as a summer intern I  
had to track down a bug in a UNIX device driver. Turned out the  
optimizer was clobbering a jump -- the driver worked fine unoptimized.  
I quit believing tools like compilers were flaw-free after that!



  Most people got it quickly.


 Getting it and applying it IRL are of course two completely different
 things. I still find it somewhat absurd that we even need to have this
 discussion still after how many decades of curriculum development? :)


Oh, I don't -- I think it's all too understandable. A story first, to  
provide some background.


One of my grad students (a security type, of course :-)) was my TA for  
the undergraduate operating systems class. We had the students form  
teams, and each team modified a kernel. The TA then graded  
interactively, asking the students about what they did and why, as he  
went through their code. My TA was appalled at the poor quality of the  
code of most teams -- it worked, but was not robust and was sloppy.  
So, he told each group that if they turned in code that poor the next  
time, he'd deduct 20% on general principles. So what do students do in  
that case? Right -- complain to the professor (me). I said something  
to the effect that I strongly disagreed with the TA, and felt he  
should have handled the situation differently; but since he said he'd  
only take off 20%, instead of the 40% I would have taken off, I'd  
support his decision. The students got the message. On the next  
assignment (and for the rest of the class), the code was much better.


This suggests to me the problem is not so much a failure to teach  
robustness; in fact, I suspect most intro to programming teachers do  
mention it (although to different degrees of thoroughness and probably  
not using that name). The *real* problem is that we don't keep  
reinforcing it throughout the student's career.


And that's an artifact of a lack of resources for the type of grading.  
Give classes the support to do this, and I suspect you'd see people  
get in the habit of writing better code. Better, use students and  
people from industry who know this stuff to staff a clinic analogous  
to a writing clinic for English and law schools -- that would  
reinforce it not just for the students, but for the clinic staff as  
well.


Anyone who's interested in this idea can read about a small experiment  
I did in a paper at


http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/

The results of having students use such a clinic, on a very small  
scale, led to some pretty good improvements in their code. The  
problem, of course, is that supporting such a clinic requires a lot of  
people time, and getting people to donate their time, or the resources  
(read: cash) to pay for it, isn't easy.


Matt


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Benjamin Tomhave
Matt Bishop wrote:
 
 And that's an artifact of a lack of resources for the type of grading.
 Give classes the support to do this, and I suspect you'd see people get
 in the habit of writing better code. Better, use students and people
 from industry who know this stuff to staff a clinic analogous to a
 writing clinic for English and law schools -- that would reinforce it
 not just for the students, but for the clinic staff as well.
 
This sounds like an excellent extension for OWASP. :)

-ben

-- 
Benjamin Tomhave, MS, CISSP
fal...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
I hope if dogs ever take over the world and they choose a king, they
don't just go by size, because I bet there are some Chihuahuas with some
good ideas.
Deep Thoughts by Jack Handy


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Bennett, Jason
 
 
So many mistakes have been made in
generations before mine that we are now trapped in a box of our own
making that has us squabbling over academic minutiae like how to teach
secure coding when we should not have to consider this topic at all -
the code itself should be inherently secure.
 
This is the comment that agrees with my own belief. When teaching how to
program, secure coding should be seen as inherent in this and not as some
sort of optional add-on that is only required if the code is supposed to be
secure. Many of the techniques are just making the code more robust, and
this covers a considerable amount of the problems with code today. I see no
reason that this shouldn't be taught as part of any programming course. Does
this cover all secure coding? No, of course not, but unless the foundations
of secure implementation are inherent, then more advanced issues are the least
of the community's worries.


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
Brad Andrews writes...

 I had proofs in junior high Geometry too, though I do not recall using
 them outside that class.  I went all the way through differential
 equations, matrix algebra and probability/statistics and I don't
 recall much focus on proofs.  This was in the early 1980s in a good
 school (Illinois), so it wasn't just modern teaching methods that were
 to blame.  I am not sure that the proofs were all that useful for
 understanding some things either, though the logic they taught has
 value that I missed a bit of since I did hit some modern techniques.

This may be heading slightly OT, but I don't think your experience
is really that unusual. My BS was a double major in math and physics
and my MS was in CS.

We used proofs in most of my math classes, many of my physics classes,
and several of my CS classes.

Besides the frequency, what varied in each of these was the level of
rigor expected. The proofs in math were extremely rigorous, the ones
in physics less so, and the ones in most of my CS classes would have
been classified as only so much hand waving if they would have been
done in my math classes. But an important thing to note in all of these
courses was, with the exception of very few advanced (senior & grad
level) math classes such as advanced calculus and abstract algebra
and number theory, the use of 'proofs' wasn't the end, but only a
means to the end.

But still 'proofs' were utilized throughout much of this very diverse
coursework to add to the rigor of the logic and presumably to reinforce
understanding and learning.

In the same way, I think that 'security' (or 'robustness' or 'correctness'
or whatever you wish to call it) needs to be CONSISTENTLY blended into the
college and possibly even high school CS curriculum so some element of it
is touched upon in each of the classes and as one progresses it is discussed
more and more. So just as 'proofs' are sprinkled into math, physics, CS,
etc. we need to sprinkle in basic security / robustness concepts such
as:
+ An understanding of what input may be 'trusted' and what inputs
  cannot be trusted leading to the concept of trust boundaries.
+ The concept of correctness extends merely past handling 'correct' input
  and needs to somehow gracefully handle incorrect input as well.
+ Understanding the concept of risk, eventually leading to an understanding
  of risk analysis in upper level CS courses
+ Having an adversarial testing mindset, always thinking "how can I 'break'
  this program or system?" (BTW, sad to say, this has probably been the
  hardest thing to teach my colleagues. Some of them seem to get it, and
  some of them never do.)

There are probably others--this is by no means a complete list--but we
need to emphasize to those instructing CS that this is not going to
take up a significant portion of their coursework nor require a significant
amount of time or effort on their part. Rather it needs to be folded into
the mix as appropriate.

I think back to my days in elementary mathematics. I recall learning at a
very early age, when learning division, that you can't divide by 0. The
explanation given by the teacher wasn't in depth, it was more like "you are
just not permitted to do that," or occasionally "it's undefined" without
telling us WHY it's undefined. In a similar manner, we can teach "don't
blindly accept unchecked input," etc. And then if that is reinforced in
the grading process I do think it will come through.

Surely if we could just do that much, it would be a good start. But my
observation, based on my CS colleagues that I've taught with and before
that, the CS courses that I've taken at the graduate level, is that
other than the obligatory half hour mention of security in my operating
systems course, I can barely recall it ever even coming up. And I also
seldom recall that instructors would ever toss your programs truly
malformed input either. By comparison, when I had an opportunity to
teach a masters level CS course on distributed systems (the Tanenbaum
book), I tossed in matters of security throughout, not just in the
chapters about security. Of course, I don't think until we got to the
chapters about security that the students realized that's what I was
teaching them, but that's OK too. The subliminal methods sometimes
work as well.

-kevin
--
Kevin W. Wall   614.215.4788   Application Security Team / Qwest IT
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."   -- Nathaniel Borenstein, co-creator of MIME

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk

On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:

Exploits are FUN.


I agree, at least to a point.  Whenever I work exploits into my  
workshops, the results are right on the mark.  So long as the exploits  
are balanced with just the right amount of remediations, it works great.


The key is to hook the students with the exploits, and then sprinkle
in a "now here's how to do it _right_" discussion while they're still
paying attention.  ;-)


And FWIW, I've found OWASP's WebGoat to be phenomenally effective at  
doing just that.  There are other similar tools out there as well, but  
the point is to give the class a safe sandbox to play in.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from  
CAcert. If you're unable to verify the signature, try getting their  
root CA certificate at http://www.cacert.org -- for free.)







Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
Your example is spurious as a refutation of what I was trying to say (as I 
suspect you already know). Obviously you're not going to try to teach a 
not-yet-verbal infant a self-preservation concept that requires even the most 
rudimentary reasoning.

That said, I'll be interested to hear from you in, say, a year and a half from 
now. And I still maintain that the intellectual maturity of a 
two-and-a-half-year-old hardly constitutes intermediate-to-advanced EXCEPT 
possibly when compared with that of a one-year-old.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: Benjamin Tomhave [list-s...@secureconsulting.net]
Sent: Wednesday, August 26, 2009 12:27 AM
To: Goertzel, Karen [USA]
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Goertzel, Karen [USA] wrote:
 We teach toddlers from the time they can walk that they shouldn't
 play in traffic. A year or two later, we teach them to look both ways
 before crossing the street. Even later - usually when they're
 approaching their teens, and can deal with grim reality, we give
 examples that illustrate exactly WHY they needed to know those
 things.

Actually, I'm not teaching my 1 yo toddler much of anything about
traffic right now. I'm more playing guardian when she runs around the
house and making sure she doesn't get into situations for which she...


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
I too remember learning proofs in Jr. High. And I also believe the main 
objective was to teach 12 and 13 year olds that it is possible to apply a 
repeatable, disciplined process to how they approach problem solving. Certainly 
not a worthless lesson, even if the mathematics involved are never used again.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Brad Andrews [andr...@rbacomm.com]
Sent: Tuesday, August 25, 2009 4:23 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I had proofs in junior high Geometry too, though I do not recall using
them outside that class.  I went all the way through differential
equations, matrix algebra and probability/statistics and I don't
recall much focus on proofs.  This was in the early 1980s in a good
school (Illinois), so it wasn't just modern teaching methods that were
to blame.  I am not sure that the proofs were all that useful for
understanding some things either, though the logic they taught has
value that I missed a bit of since I did hit some modern techniques.

--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI




Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
I see your point. On the other hand, there are times I worry that teaching the
"hacker mentality" approach to secure development training smacks a bit too much
of teaching future policemen the delights of robbery, rape, torture, and murder in
order to prepare them to defend the public against robbers, rapists, torturers,
and murderers.

Definitely teach - with examples - what it is about software that makes it so 
easy to exploit and violate. But stop short of handing the students detailed 
blueprints and instructions, reinforced by lots of hands-on lab time. I'm just 
untrusting enough of human nature to worry that once some of them discover how 
much more fun it is to hack than to defend against hacking, what you'll end up 
with is not the next Bob Seacord but the next Kevin Mitnick.

At the very least, make psychological exams a prerequisite of acceptance into 
your class, so you can weed out the likely psychopaths and sociopaths.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Olin Sibert [u3...@siliconkeep.com]
Sent: Tuesday, August 25, 2009 8:16 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

I'm mostly a lurker here, and I'm a practitioner rather than a
professional educator, but there's a viewpoint I haven't seen
much of that I want to support, namely:

  Exploits are FUN.

Teach from that angle, and I think you'll get more traction
___


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Goertzel, Karen [USA]
Your Picasso - or, perhaps, Frank Lloyd Wright would be a better analogy - 
definitely has a role in software development.  I want his creativity up front 
in the specification and high-level design of the building (the software 
system). But when it comes to detailed design and testing, I'm going to call in 
the engineers, and when it comes to coding, no-one does it better than skilled 
construction workers who have mastered the use of hammers, saws, adzes, etc. 

So yes - the coders are craftsmen. But the problem is that in software 
development, the roles are seldom so clearcut, especially not in Agile 
development. So one does find far too many craftsmen attempting the engineers' 
and architects' jobs without anything like the necessary training and 
certification of their competence to perform those functions.

Or maybe, if we accept the software development as an art analogy, our 
problem is we have way too many architects trying to code successfully.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Jim Manico [...@manico.net]
Sent: Tuesday, August 25, 2009 11:17 PM
To: Benjamin Tomhave
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

 I again come back to James McGovern's suggestion, which is treating
coding as an art rather than a science

Keep your Picasso out of my coding shop, world of discrete mathematics and 
predicate logic! I don't care how cheap his hourly is. :)

I'd prefer to think of coders as craftsmen; we certainly are not artists,
scientists or engineers. ;) And craftsmen are bound by the laws of mathematics
and the sponsors who pay us, artists have no bounds.

- Jim




Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus


On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:


First, security in the software development concept is at least an
intermediate concept, if not advanced.


Not at all. That would be like saying that correctness is also an  
advanced concept, because it gets in the way of coding. Security is  
about exploiting assumptions (often hidden) that we make when we write  
and deploy software. I see no reason why teaching to think about  
assumptions should be deferred. You teach math students how to do  
proofs right from the beginning for essentially the same reasons :-)



Perhaps this means that the
language itself needs to require strong type checking that enforce
appropriate secure coding behavior?


Unfortunately, security assumptions are rarely written down so I don't  
see how they can be enforced at the language or compiler level.


Best,

Stephan


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Goertzel, Karen [USA]
For consistency's sake, I hope you agree that if security is an
intermediate-to-advanced concept in software development, then all the other
-ilities ("goodness" properties, if you will), such as quality, reliability,
usability, safety, etc. that go beyond "just get the bloody thing to work" are
also intermediate-to-advanced concepts.

In other words, teach the goodness properties to developers only after 
they've inculcated all the bad habits they possibly can, and then, when they 
are out in the marketplace and never again incentivised to actually unlearn 
those bad habits, TRY desperately to change their minds using nothing but 
F.U.D. and various other psychological means of dubious effectiveness.

Great strategy! Our hacker friends will love it.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Benjamin Tomhave [list-s...@secureconsulting.net]
Sent: Monday, August 24, 2009 8:35 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Two quick comments in catching up on the thread...

First, security in the software development concept is at least an
intermediate concept, if not advanced
___


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus


On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote:


You don't teach proofs - not really. The elementary and junior high
curriculum generally does not contain anything about proofs


I was talking about college students because that's when I was  
properly taught programming.  That may no longer be true.  But in  
maths, I *was* taught how to do proper proofs in high school (from 7th  
grade on, when we had Geometry). I may have been unusually lucky.



I again come back to James McGovern's suggestion, which is treating
coding as an art rather than a science. It increasingly makes sense
given the failures up to this point.


The problem then is that every Joe, Dick, and Harry out there who can
get "hello world" to compile thinks they're artists. Seriously, unlike
art, programming is usually not a vehicle for one's creative urges,
but a tool to get a job done, as you yourself say. (I hesitate to use
the word "science" as an antonym to "art" here, perhaps "craft" would
be better.)


Unfortunately, security assumptions are rarely written down so I don't
see how they can be enforced at the language or compiler level.

Here you make a patently bad assumption yourself. It should be possible
for the compiler to automatically protect against overflows, as an
example.


Sure, for certain languages and certain classes of well-understood  
problems, compiler or language support can be engineered. But my point  
stands: security assumptions are rarely written down. This is because  
they are taken to be self-evident and not in need of explicit  
formulation. Also, they depend on the domain. If I express a hospital  
drug disbursal system in any of the common general-purpose programming  
languages, the assumption that one cannot be a doctor and a nurse at  
the same time is usually implicit. I challenge you to develop Java or
C++ support that will capture any flaw in the implementation of this
particular RBAC *without* having to make that assumption explicit.



Safe input validation and output encoding could also be forced
at a given level.


Really? I'd be interested in hearing about such techniques that cannot  
be short-cut (which, as you state, is one big factor for security  
defects in software).


Best,

Stephan
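
The doctor/nurse assumption from the message above, written down as an explicit constraint; this is an added example, not code from the thread. It is a minimal RBAC model in which mutually exclusive roles are declared as data and checked on assignment and on audit; the class, user, role and permission names are hypothetical.

```python
"""Constructed example: an implicit domain assumption turned into a checked constraint."""


class SeparationOfDutyError(Exception):
    """Raised when an assignment would give one user mutually exclusive roles."""


class Rbac:
    def __init__(self, role_permissions, exclusive_roles=()):
        # role -> permissions; both the roles and the permissions are hypothetical.
        self.role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        # Each entry is a group of roles of which a user may hold at most one.
        self.exclusive_roles = [frozenset(group) for group in exclusive_roles]
        for group in self.exclusive_roles:
            unknown = group - set(self.role_permissions)
            if unknown:
                raise ValueError(f"constraint names unknown roles: {sorted(unknown)}")
        self.assignments = {}  # user -> set of roles

    def assign(self, user, role):
        """Grant a role, refusing any grant that breaks a written-down constraint."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        held = self.assignments.get(user, set())
        for group in self.exclusive_roles:
            clash = (held & group) - {role}
            if role in group and clash:
                raise SeparationOfDutyError(
                    f"{user} already holds {sorted(clash)}, which excludes {role}")
        self.assignments.setdefault(user, set()).add(role)

    def permitted(self, user, permission):
        """True if any role held by the user carries the permission."""
        return any(permission in self.role_permissions[role]
                   for role in self.assignments.get(user, ()))

    def violations(self):
        """Audit assignments that did not go through assign(), e.g. imported data."""
        found = []
        for user, held in sorted(self.assignments.items()):
            for group in self.exclusive_roles:
                overlap = held & group
                if len(overlap) > 1:
                    found.append((user, sorted(overlap)))
        return found


# Constructed sample policy for a drug disbursal system.
ROLES = {"doctor": {"prescribe"}, "nurse": {"dispense"}, "pharmacist": {"stock"}}


def demo():
    # 1. The assumption is implicit: nothing in the model says the grant is wrong.
    implicit = Rbac(ROLES)
    implicit.assign("kim", "doctor")
    implicit.assign("kim", "nurse")
    self_service = (implicit.permitted("kim", "prescribe")
                    and implicit.permitted("kim", "dispense"))

    # 2. The same assumption, made explicit, is enforced mechanically.
    explicit = Rbac(ROLES, exclusive_roles=[{"doctor", "nurse"}])
    explicit.assign("kim", "doctor")
    try:
        explicit.assign("kim", "nurse")
        rejected = False
    except SeparationOfDutyError:
        rejected = True

    # 3. Data that bypassed assign() is still caught by the audit.
    explicit.assignments["lee"] = {"doctor", "nurse", "pharmacist"}
    return self_service, rejected, explicit.violations()


if __name__ == "__main__":
    print(demo())
```

The check is only possible because `exclusive_roles` exists as data; with the default empty constraint list the model accepts the conflicting grant without complaint.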


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Andy Steingruebl
On Tue, Aug 25, 2009 at 4:09 AM, Stephan
Neuhaus <stephan.neuh...@disi.unitn.it> wrote:

 On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:

 First, security in the software development concept is at least an
 intermediate concept, if not advanced.

 Not at all. That would be like saying that correctness is also an advanced
 concept, because it gets in the way of coding. Security is about exploiting
 assumptions (often hidden) that we make when we write and deploy software. I
 see no reason why teaching to think about assumptions should be deferred.
 You teach math students how to do proofs right from the beginning for
 essentially the same reasons :-)

<Sarcasm>really?  First graders are learning to do math proofs instead
of basic addition?  I'm quite surprised by this.</Sarcasm>

We're missing I think the point I raised earlier.  Not everyone learns
to program in high school or college.  And, even learning the basics
of what an algorithm is is tricky, much less learning defensive
programming, etc.

So, yes, it is an advanced concept for the majority of beginning programmers.

-- 
Andy Steingruebl
stein...@gmail.com
___


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus


On Aug 25, 2009, at 18:07, Andy Steingruebl wrote:


<Sarcasm>really?  First graders are learning to do math proofs instead
of basic addition?  I'm quite surprised by this.</Sarcasm>


Yeah, sorry.  When I wrote about students I meant college  
students. I don't know, is that a difference between British English  
(pupils) and American English (students)? Anyway, my bad.



We're missing I think the point I raised earlier.  Not everyone learns
to program in high school or college.  And, even learning the basics
of what an algorithm is is tricky, much less learning defensive
programming, etc.


But the topic of the thread is Where Does Secure Coding Belong In the  
Curriculum? and I maintain that when someone is intellectually mature  
enough so that you can teach them how to program and at the same time  
really know what they're doing, you can teach them about correctness  
and security too.


Best,

Stephan


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Matt Bishop

Ben,


First, security in the software development concept is at least an
intermediate concept, if not advanced. Riffing on Brad's comments, it
seems irrational to think that you can jump straight from structural
basics with which many students struggle (OO anybody?) directly to
concepts that bridge computer architecture, code structure, and various
other problems.


I agree and I disagree. If I walked into an ECS 10 (Intro to
Programming class) and began "We use the waterfall model to provide a
moderate level of assurance ..." about 75% of the students would be
out the door. That's one problem with teaching security per se: you
need to describe *what* your security requirements are, and when
you're struggling to learn how to write a for loop, being asked to
implement security requirements as such is intimidating.

Instead, what you can do is frame the issues as "good programming".
When teaching for loops, teach the idea of a limit (upper and lower
bounds). Then when you get to arrays, it's natural to discuss bounds
checking in the context of iteration (I don't phrase it that way, of
course). When you grade, you check for it. Presto! Now you have taught
what is commonly considered a security requirement without ever
mentioning the word "security".

I find the distinction between "robust" and "secure" is useful,
although often the two are interchangeable. By "robust", I mean the
more nebulous requirement that the program not crash (although it may
terminate gracefully :-)) and that it handle unexpected inputs
reasonably, and so forth. By "secure", I mean meeting a specific set
of requirements that describe what security means; for example,
unexpected inputs may require specific actions (in which case handling
them is both robust and secure :-)). Note: I'm not sure the
distinction here is too meaningful, so please don't ask me to define a
boundary.

But in introductory classes, I tend to focus on what I am calling
"robust" above; when I teach software security, I focus on both, as I
consider robustness part of security.


By the way, you can do this very effectively in a beginning  
programming class. When I taught Python, as soon as the students got  
to basic structures like control loops (for which they had to do  
simple reading), I showed them how to catch exceptions so that they  
could handle input errors. When they did functions, we went into  
exceptions in more detail. They were told that if they didn't handle  
exceptions in their assignments, they would lose points -- and the  
graders gave inputs that would force exceptions to check that they did.


Most people got it quickly.

Matt
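
What the graded-for-robustness assignment described in the message above might look like, as an added example that is not from the original message: a beginner-level table lookup with explicit bounds checking and exception handling, plus a grader that feeds it inputs chosen to force exceptions. The function names, the sample table and the grader inputs are assumptions constructed for illustration.

```python
"""Constructed classroom example: a lookup exercise and the grader's hostile inputs."""

TEMPERATURES = [12.5, 14.0, 9.75, 11.25, 16.0]  # constructed sample data


def parse_index(text, size):
    """Turn one line of input into an index in 0..size-1, or raise ValueError."""
    if not isinstance(text, str):
        raise ValueError("input must be text")
    stripped = text.strip()
    if len(stripped) > 10:
        raise ValueError("input too long")
    # Accept plain ASCII digits only: no sign, no decimal point, no other scripts.
    if not (stripped.isascii() and stripped.isdigit()):
        raise ValueError("not a non-negative whole number")
    index = int(stripped)
    # Upper bound checked explicitly instead of waiting for IndexError.
    if index >= size:
        raise ValueError(f"index {index} outside 0..{size - 1}")
    return index


def lookup(text, table=TEMPERATURES):
    """Robust submission: bad input produces a message, never a crash."""
    try:
        index = parse_index(text, len(table))
    except ValueError as err:
        return f"error: {err}"
    return f"reading {index} = {table[index]}"


def naive_lookup(text, table=TEMPERATURES):
    """Unchecked submission: trusts whatever arrives."""
    return f"reading {text} = {table[int(text)]}"


# Inputs a grader might use: two valid ones, then values picked to force exceptions
# or to slip past a missing lower-bound check.
GRADER_INPUTS = ["2", " 4 ", "", "abc", "-1", "5", "1.5", "9" * 5000, "\u0663", None]


def grade(student_function, inputs=GRADER_INPUTS):
    """Return (input, outcome) pairs: 'accepted', 'rejected' or 'crashed: <type>'."""
    results = []
    for item in inputs:
        try:
            answer = student_function(item)
        except Exception as exc:  # the grader must survive any submission
            results.append((item, f"crashed: {type(exc).__name__}"))
            continue
        outcome = "rejected" if answer.startswith("error:") else "accepted"
        results.append((item, outcome))
    return results


if __name__ == "__main__":
    for name, func in (("robust", lookup), ("naive", naive_lookup)):
        print(name)
        for item, outcome in grade(func):
            shown = repr(item) if item is None or len(item) < 20 else "'999...'"
            print(f"  {shown:>10}  {outcome}")
```

The naive version does not only crash: it accepts "-1" and returns the last reading, which is the case a grader checking only for crashes would miss.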


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Pete Werner
The "just get the bloody thing to work" is usually an attitude foisted
on developers by the business side.

I work in an internal application security function for a large
enterprise and I'm yet to meet a developer who wasn't concerned about
security.

Developer education is very important and we have a lot of it
available for our developers, some of it even compulsory.

However, unless there is the will of the business behind it, developer
concerns are oft pushed aside in the interest of expediency.

I find the business side usually does have a genuine interest in
security and quality, however they are concepts that remain
largely unquantifiable, and in the case of security you only need to
mess up once to end up with a nasty situation.

It can be a tough sell getting time to focus on these things, given
they can be so vague. In the case of my organisation, business side
support comes from both internal advocacy of security practises by our
function and externally imposed legal requirements. Mostly the latter
;)

Filtering inputs is NOT hard, and most developers are getting better
at things like that. However, the problems of application security go
beyond the developer level, and it's important not to lose sight of
that fact. If there were an easy solution everything would already be
perfectly secure.

Pete

On Wed, Aug 26, 2009 at 12:26 AM, Goertzel, Karen
[USA] <goertzel_ka...@bah.com> wrote:
 For consistency's sake, I hope you agree that if security is an 
 intermediate-to-advanced concept in software development, then all the other 
 -ilities (goodness properties, if you will), such as quality, 
 reliability, usability, safety, etc. that go beyond just get the bloody 
 thing to work are also intermediate-to-advanced concepts.

 In other words, teach the goodness properties to developers only after 
 they've inculcated all the bad habits they possibly can, and then, when they 
 are out in the marketplace and never again incentivised to actually unlearn 
 those bad habits, TRY desperately to change their minds using nothing but 
 F.U.D. and various other psychological means of dubious effectiveness.

 Great strategy! Our hacker friends will love it.

 Karen Mercedes Goertzel, CISSP
 Associate
 703.698.7454
 goertzel_ka...@bah.com
 
 From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
 Of Benjamin Tomhave [list-s...@secureconsulting.net]
 Sent: Monday, August 24, 2009 8:35 PM
 To: sc-l@securecoding.org
 Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

 Two quick comments in catching up on the thread...

 First, security in the software development concept is at least an
 intermediate concept, if not advanced
 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 ___




Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Goertzel, Karen [USA]
We teach toddlers from the time they can walk that they shouldn't play in 
traffic. A year or two later, we teach them to look both ways before crossing 
the street. Even later - usually when they're approaching their teens, and can 
deal with grim reality, we give examples that illustrate exactly WHY they 
needed to know those things.

But that doesn't mean we wait until the kids are 11 or 12 to tell them they 
shouldn't play in traffic.

There has to be some way to start introducing the idea even to the rawest of 
raw beginning programming students that good is much more desirable than 
expedient, and then to introduce the various properties that collectively 
constitute good - including security.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: Andy Steingruebl [stein...@gmail.com]
Sent: Tuesday, August 25, 2009 1:14 PM
To: Goertzel, Karen [USA]
Cc: Benjamin Tomhave; sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
[USA] goertzel_ka...@bah.com wrote:
 For consistency's sake, I hope you agree that if security is an 
 intermediate-to-advanced concept in software development, then all the other 
 -ilities (goodness properties, if you will), such as quality, 
 reliability, usability, safety, etc. that go beyond "just get the bloody 
 thing to work" are also intermediate-to-advanced concepts.

 In other words, teach the goodness properties to developers only after 
 they've inculcated all the bad habits they possibly can, and then, when they 
 are out in the marketplace and never again incentivised to actually unlearn 
 those bad habits, TRY desperately to change their minds using nothing but 
 F.U.D. and various other psychological means of dubious effectiveness.

Seriously?  We're going to teach kids in 5th grade who are just
learning what an algorithm is how to protect against malicious inputs,
how to make their application fast, handle all exception conditions,
etc?

...


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Brad Andrews


I was thinking of a beginner-level programming class.  I have, and it  
can be a challenge, especially if they don't have the programming  
mindset.  Even if they do, you don't have the time for the things you  
spoke about.  You are focusing on basic coding constructs first.  :)


--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Stephan Neuhaus stephan.neuh...@disi.unitn.it:



On Aug 21, 2009, at 17:51, Brad Andrews wrote:


Has anyone who holds to this taught a beginning level programming class?


I have.  I taught a security class to undergrads.  It was easier than I
thought, at least the basics were. I got them excited by a "let's try
to break things" attitude.  They wrote buffer overflow exploits (using
freely available shellcode), they cracked linear congruential PRNGs,
they subverted insecure protocols.  As far as I can tell, they had a
good time, since I had the highest retention rate for optional courses
in that year: 40 signed up for the course and 39 took the final exam.

Once they understood that the right mind-set is not "oh come on, what
can possibly go wrong?" but "okay, let's see what *can* go wrong", they
were on their way.

Stephan






Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Brad Andrews


But we are not talking about separate classes.  The assertion (which I  
probably clipped, sorry) was that it should be woven into the  
curriculum.  I was noting where and how to do so, starting in the  
intro level classes.  Just telling a starting programmer to properly  
check input length is all well and good, but falls far short of making  
a secure programmer.


I have no doubt that you can teach some new developers the principles  
in a short time and make them more productive than those who have been  
programming longer term.  They don't have to unlearn anything!  But  
this will not work for everyone.  Some will sit through a class with  
glazed eyes and no understanding.


Also remember we will have to get outside those with a fairly high  
level of motivation (internal or external) for learning the material  
to be successful.


I also would like to see how you would teach secure development, with  
minimal extra time load, in a basic programming sequence, possibly  
even at a non-traditional or lower tier school.  We won't make  
significant progress until we can do that, and it still leaves out the  
self taught.


--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Gunnar Peterson gun...@arctecgroup.net:

I am sure some things could be put into a basic class, but the   
ideas are a bit deeper.  Security at the Hello World! or Mortgage  
 Calculator program level seems quite difficult.




I am not so sure. Granted an entry level programmer is going to be an
expert, but they can be pretty effective. I have taught App Security
classes where there were people with 20+ years of programming
experience and people with 3 months of OJT programming experience. At
the end of the two day class they each had the exact same amount of App
Security training.

The basic concepts of AAA and so on are not so hard to understand. My
guess is it's much harder to start with Hello World, with no security,
add layers and layers of stuff on top of that over the decades and then
have to go back and question every single thing...

Someone who spent 20 years building cars with no brakes would have a
different experience than someone who was taught from the get go that
all cars have brakes and here is how you design/build them.




Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread McGovern, James F (HTSC, IT)
 Are there any industry metrics that indicate what percentage of
full-time software developers actually learned coding in a university
setting? I actually learned in high-school, focused on business
administration in college (easiest major on the planet) and
learned/matured on the job. Likewise, I also am surrounded by many folks
who have been in IT for say 30 or so years that learned coding from
those infomercial type schools you see on TV late at night. So, the
question of whether trade schools should teach secure coding should be
asked as well.



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Mike Lyman
Andy Steingruebl wrote:
 I think our real question isn't just how to reach the professional
 programmer trained via formal training programs, but also how to reach
 the amateur programmer trained via books, trial+error, etc.

   

One area here is making sure examples are done correctly. The database
examples that connected to an MS SQL server with userid=SA;password=
used to drive me crazy. The sample code does it that way so I better do
it that way. It makes for more complicated sample code but it may be
the only way to reach these self taught folks.
-- 

Mike Lyman
mly...@west-point.org



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Mike Lyman
Brad Andrews wrote:
 Has anyone who holds to this taught a beginning level programming
 class?  Getting students to understand what a loop is can be hard
 enough, given limited time.  Diving into exploits and buffer overflows
 can be much more difficult.

Getting into exploits at this level is probably more than many can
handle but it's not a bad time to teach proper bounds checking and
making sure any math operations don't result in overflows. Part of the
lesson might even be to create loops with math that cause these errors
deliberately if students are no longer taught how numbers are
represented in memory and what happens when you exceed the limits directly.

Might not be a bad idea though to step back on basic courses and rather
than dive in to programming concepts right away start with some
demonstrations of what happens with bad code and follow up with
refreshers periodically through the course. Nothing in great depth
unless the students can handle it but showing them what happens after
coding errors might raise awareness and start them thinking what happens
when this breaks rather than strictly focusing on how do I get it to
work. I cringe at the thought of what I used to do in code based on the
habits that started in high school and college.

 I am sure some things could be put into a basic class, but the ideas
 are a bit deeper.  Security at the Hello World! or Mortgage
 Calculator program level seems quite difficult.

 This bears some thinking through, but the security risks seem to be:

 - Make sure the input amount is in dollars.
 - Make sure the term is numeric and within reasonable ranges.
 - Make sure that interest rate is in the form of XX.XX.

That's a great start at getting them to think about how they have to
treat input and validate it. I don't recall any of my instructors ever
focusing on making sure the input to anything is what was expected. I'm
sure some did but I don't recall it. Even if the students don't always
get it right at this point, get them started thinking about it.

 Where do you inject security there?  Sure, you can note the importance
 of checking the data, but just because someone checks the input here
 doesn't mean they will have a clue on checking the input on a web form
 for an SQL injection attempt.

You might not touch on this until you get to those type applications. If
they were taught to question input all along though, by the time you get to
something like this the habit might be forming.

-- 

Mike Lyman
mly...@west-point.org
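
The three mortgage-calculator checks quoted above (amount in dollars, term numeric and in range, rate in the form XX.XX) and the overflow-aware loop arithmetic, written out in C as an added example; this is not code from any list participant. The function names, the 1 to 480 month range and the $100,000,000 ceiling are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Limits are assumptions for this example, not values from the thread. */
#define MAX_PRINCIPAL_CENTS 10000000000LL /* $100,000,000.00 */
#define MAX_TERM_MONTHS 480               /* 40 years */

/* True only if s[0..n-1] is a non-empty run of ASCII digits. */
static int all_digits(const char *s, size_t n) {
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Amount in dollars: digits, optionally '.' and exactly two digits.
 * Stores cents in *cents; returns 0 on success, -1 on rejected input. */
int parse_dollars(const char *s, int64_t *cents) {
    if (s == NULL || cents == NULL)
        return -1;
    const char *dot = strchr(s, '.');
    size_t whole_len = dot ? (size_t)(dot - s) : strlen(s);
    if (whole_len > 9 || !all_digits(s, whole_len))
        return -1;
    int64_t value = 0;
    for (size_t i = 0; i < whole_len; i++)
        value = value * 10 + (s[i] - '0'); /* <= 9 digits: cannot overflow */
    value *= 100;
    if (dot != NULL) {
        if (strlen(dot + 1) != 2 || !all_digits(dot + 1, 2))
            return -1;
        value += (dot[1] - '0') * 10 + (dot[2] - '0');
    }
    if (value <= 0 || value > MAX_PRINCIPAL_CENTS)
        return -1;
    *cents = value;
    return 0;
}

/* Term: 1 to 3 digits and within 1..MAX_TERM_MONTHS. */
int parse_term_months(const char *s, int *months) {
    if (s == NULL || months == NULL)
        return -1;
    size_t n = strlen(s);
    if (n > 3 || !all_digits(s, n))
        return -1;
    int value = 0;
    for (size_t i = 0; i < n; i++)
        value = value * 10 + (s[i] - '0');
    if (value < 1 || value > MAX_TERM_MONTHS)
        return -1;
    *months = value;
    return 0;
}

/* Rate in the form XX.XX (one or two digits, '.', two digits).
 * Stores hundredths of a percent in *bp, so "5.25" becomes 525. */
int parse_rate_bp(const char *s, int *bp) {
    if (s == NULL || bp == NULL)
        return -1;
    const char *dot = strchr(s, '.');
    if (dot == NULL)
        return -1;
    size_t whole_len = (size_t)(dot - s);
    if (whole_len > 2 || !all_digits(s, whole_len))
        return -1;
    if (strlen(dot + 1) != 2 || !all_digits(dot + 1, 2))
        return -1;
    int whole = 0;
    for (size_t i = 0; i < whole_len; i++)
        whole = whole * 10 + (s[i] - '0');
    *bp = whole * 100 + (dot[1] - '0') * 10 + (dot[2] - '0');
    return 0;
}

/* Multiply two non-negative values, refusing instead of overflowing. */
int checked_mul_i64(int64_t a, int64_t b, int64_t *out) {
    if (out == NULL || a < 0 || b < 0)
        return -1;
    if (a != 0 && b > INT64_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Classroom loop: double a 32-bit signed value until one more doubling would
 * pass INT32_MAX; check first, since signed overflow in C is undefined. */
int doublings_before_overflow(void) {
    int32_t v = 1;
    int count = 0;
    while (v <= INT32_MAX - v) {
        v += v;
        count++;
    }
    return count;
}
```

Each parser rejects by default: anything that is not exactly the expected shape (signs, exponents, trailing spaces, a comma for the decimal point) returns -1 rather than being coerced.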



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread SC-L Reader Dave Aronson
Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:

 If determination of functional correctness were extended from "must
 operate as specified under expected conditions" to "must operate as
 specified under all conditions", functional correctness would necessarily
 require security, safety, fault tolerance, and all those other good things
 that make software dependable instead of just correct.

A much-too-late entry for the bumper sticker contest we had here a few
years back:

 Works as you wish, under all condish.

(Okay, okay, so maybe that kind of abbreviating is a bit out of
style... by 70 years or so)

-Dave

-- 
Dave Aronson, software engineer or trainer for hire.
Looking for job (or contract) in Washington DC area.
See http://davearonson.com/ for resume & other info.


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Wall, Kevin
Karen Goertzel wrote...

 I'm more devious. I think what needs to happen is that we
 need to redefine what we mean by functionally correct or
 quality code. If determination of functional correctness
 were extended from "must operate as specified under expected
 conditions" to "must operate as specified under all
 conditions", functional correctness would necessarily require
 security, safety, fault tolerance, and all those other good
 things that make software dependable instead of just correct.

Except, unfortunately, as an industry / profession, we can't even
get the far-simpler (IMO) _functional correctness_ right let
alone (so-called) non-functional issues such as security, safety,
fault tolerance, etc. (Mathematical rigor and proof-of-correctness aside,
but in many [most?] cases that's not practical and even if it were, most
programmers' brains turn to mathematical mush whenever they see any
kind of correctness proof. Meaning that it ain't going to happen
if it requires thinking. ;-)

In some regard, I think this holds things back. If we don't do a
good job testing that the software does all that it's supposed to do
under *ideal* conditions, how are we ever to expect developers and
testers to test to make sure that the software doesn't do additional
things that it's NOT supposed to do under less than ideal conditions.
There's a reason why Ross Anderson and Roger Needham talked about
"Programming Satan's Computer" (see
http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf). [Yes, I'm aware that
paper was about the correctness of distributed cryptographic protocols,
but I think both Anderson and Needham would agree that the term
"Programming Satan's Computer" applies more generally than just to that
narrow aspect of security.]

Not that I'm advocating giving up, mind you. If the battle seems
hopeless, perhaps we would see more progress if we were to address
secure programming issues simply as a related aspect of program
correctness. Why? Because the development community seems to be more
willing to address those things. (Obviously, part of that is that
many programming flaws are rather tangible and something that casual
users can experience. Yeah! That's the ticket. Let's teach the general
populace how to hack into systems! Pass out free "You've been pwnd!"
T-shirts with every successful pwnage. Now *THAT* would be devious. ;-)

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.com    Phone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Goertzel, Karen [USA]
Here's an extract from the Information Assurance Technology Analysis Center 
(part of DTIC) Software Security Assurance: A State of the Art Report 
(http://iac.dtic.mil/iatac/download/security.pdf):

Courses on secure software development, secure programming, etc., typically
begin by introducing common attacks against software-intensive information
systems and the vulnerabilities targeted by those attacks, then progress to
modeling, design, coding, and testing practices that software developers can
adopt to reduce the likelihood that exploitable vulnerabilities will appear in
the software they produce. The following is a representative sampling of such
courses:

- Arizona State University: Software Security
- Ben-Gurion University (Beer-Sheva, Israel): Security of Software Systems
- Carnegie Mellon University (CMU) and University of Ontario (Canada):
Secure Software Systems
- George Mason University: Secure Software Design and Programming
- George Washington University: Security and Programming Languages
- Catholic University of Leuven (Belgium): Development of Secure Software
- New Mexico Tech: Secure Software Construction
- North Dakota State University: Engineering Secure Software
- Northeastern University: Engineering Secure Software Systems
- Northern Kentucky University, Rochester Institute of Technology, and
University of Denver: Secure Software Engineering
- Polytechnic University: Application Security
- Purdue University: Secure Programming
- Queen’s University (Kingston, ON, Canada): Software Reliability
and Security
- Santa Clara University: Secure Coding in C and C++
- University of California at Berkeley, Walden University (online): Secure
Software Development
- University of California at Santa Cruz: Software Security Testing
- University of Canterbury (New Zealand): Secure Software
- University of Nice Sophia-Antipolis (Nice, France): Formal Methods
and Secure Software
- University of Oxford (UK): Design for Security
- University of South Carolina: Building Secure Software.

As noted earlier, other schools offer lectures on secure coding and other
software security relevant topics within their larger software engineering or
computer security course offerings. At least two universities - the University
of Texas at San Antonio and University of Dublin (Ireland) - have established
reading groups focusing on software security.

As part of its Trustworthy Computing initiative, Microsoft Research
has established its Trustworthy Computing Curriculum program [309] for
promoting university development of software security curricula. Interested
institutions submit proposals to Microsoft, and those that are selected are
provided seed funding for course development.

Another recent trend is post-graduate degree programs with specialties
or concentrations in secure software engineering (or security engineering for
software-intensive systems). Some of these are standard degree programs,
while others are specifically designed for the continuing education of working
professionals. The following are typical examples:

- James Madison University: Master of Science in Computer Science with
a Concentration in Secure Software Engineering
- Northern Kentucky University: Graduate Certificate in Secure
Software Engineering
- Stanford University: Online Computer Security Certificate in Designing
Secure Software From the Ground Up
- University of Colorado at Colorado Springs: Graduate Certificate in
Secure Software Systems
- Walden University (online): Master of Science in Software Engineering
with a Specialization in Secure Computing
- University of Central England at Birmingham: Master of Science in
Software Development and Security
- Chalmers University (Gothenburg, Sweden): Master of Science in
Secure and Dependable Computer Systems.

In another interesting trend (to date, exclusively in non-US schools),
entire academic departments - and in one case a whole graduate school - are
being devoted to teaching and research in software dependability, including
security, e.g.:

- University of Oldenburg (Germany) TrustSoft Graduate School of
Trustworthy Software Systems
- Fraunhofer Institute for Experimental Software Engineering (IESE)
(Kaiserslautern, Germany): Department of Security and Safety
- Bond University (Queensland, Australia): Centre for Software Assurance.


Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Gary McGraw [...@cigital.com]
Sent: Thursday, August 20, 2009 2:55 PM
To: Neil Matatall; Secure Code Mailing List
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

hi neil,

For what it's worth, there is a list of universities with some kind of software 
security curriculum on page 98 of Software Security http://swsec.com.  
Remember, this list was created in 2006, and lots of other universities have 
jumped on the bandwagon since

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Neil Matatall

Everyone,

Thank you for all of the input.  Really.  This information has been 
extremely helpful! 


Neil


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Mike Lyman
Neil Matatall wrote:
 So where does secure coding belong in the curriculum?

 Higher Ed?  High School?

 Undergrad? Grad? Extension?

Secure coding needs to be taught anytime programming is taught.

From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and confuse middle school/junior high school students
but I'd teach them basics like input validation and bounds checking as
basic good programming. The security aspects can wait until later when
they can better handle several concepts at once.

After that it just needs to be part of the course and called out for
what it is. There is room for stand alone security focused training and
courses but it needs to be drilled in all along the way. I recall my own
computer science instructors telling us *not* to spend time on bells and
whistles and concentrate on the concept the lesson was covering. If the
lesson was on pointers, adding things like error checking and user
friendly features didn't count for anything. I can understand why that
was said but it sends the wrong message and begins the development of
bad habits. That was 20 to 30 years ago and most computer users' idea of
security was locking their car doors but it did set us up for bad
habits. Basics need to be drilled in early and always count for
something even if the lesson is while loops.
-- 

Mike Lyman
mly...@west-point.org



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Goertzel, Karen [USA]
I think we need to start indoctrinating kids in the womb. Start selling Baby 
Schneier CDs alongside Baby Mozart. :)

Seriously, though, cyberspace is such an integral part of modern life, parents 
need to inculcate online security into their toddlers the same way they teach 
them to look both ways before crossing the street, and not to talk to or get 
into the car with strangers. In essence, we need to teach kids the virtual 
equivalents of these safe behaviours when they go online - which some of them 
are doing as early as age 4! If they can be brainwashed that early, they will 
come to have higher expectations of what SHOULD be present with regard to 
security properties in software-based systems. Then the notion won't seem alien 
to them. What will seem alien TO US is that they won't understand the struggles 
we've had to get people to start adding security. The idea of security having 
ever NOT been there will be bizarre to them.

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Mike Lyman [mlyman-ci...@comcast.net]
Sent: Friday, August 21, 2009 8:17 AM
To: Secure Coding
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

Neil Matatall wrote:
 So where does secure coding belong in the curriculum?

 Higher Ed?  High School?

 Undergrad? Grad? Extension?

Secure coding needs to be taught anytime programming is taught


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Andy Steingruebl
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall nmata...@uci.edu wrote:
 Inspired by the "What is the size of this list?" discussion, I decided I
 won't be a lurker :)

 A question prompted by
 http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
 and the OWASP podcast mentions

 So where does secure coding belong in the curriculum?

 Higher Ed?  High School?

 Undergrad? Grad? Extension?

Does it help at all to consider how and where most people actually
learn to program/develop?  I don't have percentages handy of how many
people with a job title or informal role as programmer or
developer actually took any formal education in this.  If we're just
trying to reach the group of developers that went through formal
training then we've seen some pretty good answers here in this thread
already. If we want to cover others though, we need to look elsewhere.

Let's look at another few fields where safety is important and yet the
work is often done by both professionals and amateurs - Plumbing
and/or Electrical Work.  My own view is that much software development
is actually a lot closer to the work of the amateur electrician than
the professional electrician.   That is, unlike fields like engineer,
architect, lawyer, accountant, we don't rely on professional
standards, degrees, certifications, etc. for most programmers.  I'm
leaving aside for a moment whether we can or should, and just pointing
out that it is the case.

In the case of the amateur electrician you'll find a wide variety in
their knowledge of safety concerns, adherence to code, etc.  They
probably know enough to not electrocute themselves while they are
working (though not always) but don't necessarily know enough to put
in wiring that won't burn their house down in a few years.

I think our real question isn't just how to reach the professional
programmer trained via formal training programs, but also how to reach
the amateur programmer trained via books, trial+error, etc.

In these cases the best bet is to make sure that the general training
manuals, how-to guides, etc. have a lot of safety/security information
included in them.  That the books people use to learn actually show
them safe examples, etc.  Obviously there are variations of code
requirements per location and such, but basic safety rules will
probably be mostly universal.

- Andy



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Gunnar Peterson
I think we need to start indoctrinating kids in the womb. Start  
selling Baby Schneier CDs alongside Baby Mozart. :)




I can recommend this book, it was given to me by a client.

Enigma: A Magical Mystery

Grade 3–6—Someone has stolen the props belonging to the residents of  
a retirement home for magicians, and Bertie Badger, the grandson of  
one of the illusionists, vows to find them. As he meets the  
performers, they each tell him a little about their specialty and  
what's missing. My top hat, cape, and wand have gone, but there is  
worse to tell:/My precious magic bunny rabbit's disappeared as well!  
Bertie discovers the thief, but it is left to readers to find the lost  
items hidden in the illustrations. Base's visual mystery books have  
delighted children for years, but this one has the added feature of a  
moving panel in the back cover that reveals a secret code. Children  
must turn dials to proper settings before it can be moved. The clues  
for setting them appear in the illustrations but are not at all  
obvious. With a little persistence, however, the target audience  
should be able to solve the puzzle. After readers crack the code, they  
can search for the missing items hidden in the art and decipher other  
messages found in the end matter. 


http://www.amazon.com/Enigma-Magical-Mystery-Graeme-Base/dp/081097245X

-gunnar


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Brad Andrews


Has anyone who holds to this taught a beginning level programming  
class?  Getting students to understand what a loop is can be hard  
enough, given limited time.  Diving into exploits and buffer overflows  
can be much more difficult.


I am sure some things could be put into a basic class, but the ideas  
are a bit deeper.  Security at the Hello World! or Mortgage  
Calculator program level seems quite difficult.


This bears some thinking through, but the security risks seem to be:

- Make sure the input amount is in dollars.
- Make sure the term is numeric and within reasonable ranges.
- Make sure that interest rate is in the form of XX.XX.

Other things checked for would be

- Proper output.
- Pausing at the right point so the output can be viewed correctly.

I am sure I am missing things, but this should serve as a base.

Where do you inject security there?  Sure, you can note the importance  
of checking the data, but just because someone checks the input here  
doesn't mean they will have a clue on checking the input on a web form  
for an SQL injection attempt.


I get students who can't loop to start over, they are certainly not  
going to catch that they need to do deeper input inspection,  
especially in a completely unrelated topic.


I am probably blowing some smoke here and I may disagree with myself  
later, but I think this discussion is worth having.


--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Mike Lyman mlyman-ci...@comcast.net:


Neil Matatall wrote:

So where does secure coding belong in the curriculum?

Higher Ed?  High School?

Undergrad? Grad? Extension?


Secure coding needs to be taught anytime programming is taught.

From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and confuse middle school/junior high school students
but I'd teach them basics like input validation and bounds checking as
basic good programming. The security aspects can wait until later when
they can better handle several concepts at once.

After that it just needs to be part of the course and called out for
what it is. There is room for stand alone security focused training and
courses but it needs to be drilled in all along the way. I recall my own
computer science instructors telling us *not* to spend time on bells and
whistles and concentrate on the concept the lesson was covering. If the
lesson was on pointers, adding things like error checking and user
friendly features didn't count for anything. I can understand why that
was said but it sends the wrong message and begins the development of
bad habits. That was 20 to 30 years ago and most computer users' idea of
security was locking their car doors but it did set us up for bad
habits. Basics need to be drilled in early and always count for
something even if the lesson is while loops.
--

Mike Lyman
mly...@west-point.org

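The checks listed in the message above for a mortgage-calculator exercise (amount in dollars, term numeric and in range, rate in the form XX.XX), written out as an added example that is not code from any post in this thread. The function names and the range limits are assumptions made for the illustration.

```python
import re
from decimal import Decimal

# Limits are assumptions made for this example; the thread names none.
MAX_AMOUNT = Decimal("100000000")
MIN_YEARS, MAX_YEARS = 1, 50
# re.ASCII keeps \d to 0-9; without it \d also matches other Unicode digits.
DOLLARS = re.compile(r"\$?(\d{1,3}(?:,\d{3})+|\d+)(\.\d{2})?", re.ASCII)
RATE = re.compile(r"\d{1,2}\.\d{2}", re.ASCII)  # the XX.XX form from the post

def parse_amount(text):
    """Dollars: 250000, 250000.00 or $250,000.00. No signs, exponents, NaN."""
    m = DOLLARS.fullmatch(text.strip())
    if not m:
        raise ValueError("amount must be in dollars, e.g. 250000.00")
    value = Decimal(m.group(1).replace(",", "") + (m.group(2) or ""))
    if not 0 < value <= MAX_AMOUNT:
        raise ValueError("amount out of range")
    return value

def parse_term(text):
    text = text.strip()
    # isdigit() alone also accepts non-ASCII digits, so require ASCII first.
    if not (text.isascii() and text.isdigit() and len(text) <= 3):
        raise ValueError("term must be a whole number of years")
    years = int(text)
    if not MIN_YEARS <= years <= MAX_YEARS:
        raise ValueError("term out of range")
    return years

def parse_rate(text):
    if not RATE.fullmatch(text.strip()):
        raise ValueError("rate must be XX.XX, e.g. 5.25")
    return Decimal(text.strip())

def monthly_payment(amount, years, rate):
    """Validate all three text inputs, then apply the standard annuity formula."""
    p, n = parse_amount(amount), parse_term(years) * 12
    r = parse_rate(rate) / 1200  # percent per year -> fraction per month
    if r == 0:  # 0.00 passes the format check; the formula would divide by zero
        return (p / n).quantize(Decimal("0.01"))
    return (p * r / (1 - (1 + r) ** -n)).quantize(Decimal("0.01"))

def rejected(parser, text):
    try:
        parser(text)
    except ValueError:
        return True
    return False
```

Each parser accepts one narrow format and refuses everything else, which is the same allow-list habit that later applies to a web form field.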


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread McGovern, James F (HTSC, IT)
Here is where my enterpriseyness will show. I believe the answer to the
question of where secure coding belongs in the curriculum is somewhat
flawed and requires addressing the curriculum holistically.
 
If you go to art school, you are required to study the works of the
masters. You don't attempt to paint a Picasso in the first semester, yet
us IT folks think it is OK to write code before studying the differences
between good code and bad code. If a student never learns good from bad
and over time develops bad habits, then teaching security at ANY stage
later in life is the wrong answer. We need to remix the way IT is taught
in Universities and revisit the fundamentals of how to approach IT as a
whole.
 
My second and conflicting opinion says that Universities shouldn't be
teaching secure code as they won't get it right. Students should
understand the business/economic impact that lack of secure coding
causes. If this is left strictly to Universities, it will most certainly
feel academic (in the bad sense). A person doesn't become a real IT
professional until they have a few years of real-world experience under
their belts and therefore maybe this is best left to their employers as
part of professional development and/or Master's programs that are
IT-focused but not about the traditional computer-science/software
engineering way of thinking...
 
http://twitter.com/mcgoverntheory



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread Goertzel, Karen [USA]
I'm more devious. I think what needs to happen is that we need to redefine what 
we mean by functionally correct or quality code. If determination of 
functional correctness were extended from "must operate as specified under 
expected conditions" to "must operate as specified under all conditions", 
functional correctness would necessarily require security, safety, fault 
tolerance, and all those other good things that make software dependable 
instead of just correct.


Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread Gary McGraw
hi neil,

For what it's worth, there is a list of universities with some kind of software 
security curriculum on page 98 of Software Security http://swsec.com.  
Remember, this list was created in 2006, and lots of other universities have 
jumped on the bandwagon since then.

* University of California at Davis
* University of Virginia
* Johns Hopkins University
* Princeton University
* Purdue University (especially the CERIAS center)
* Rice University
* University of California at Berkeley
* Stanford University
* Naval Postgraduate School (a military school for graduates)
* University of Idaho
* Iowa State University
* George Washington University
* United States Military Academy at West Point

Matt Bishop made some excellent points in this thread.  He and I discuss the 
notion of education versus training at length in Silver Bullet episode 31 
http://www.cigital.com/silverbullet/show-031/ part of which was transcribed 
here http://www.cigital.com/silverbullet/shows/silverbullet-031-mbishop.pdf.

gem

company www.cigital.com
book www.swsec.com


On 8/19/09 5:15 PM, Neil Matatall nmata...@uci.edu wrote:

Inspired by the "What is the size of this list?" discussion, I decided I won't 
be a lurker :)

A question prompted by 
http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html 
 and the OWASP podcast mentions

So where does secure coding belong in the curriculum?

Higher Ed?  High School?

Undergrad? Grad? Extension?

I started a discussion in the Educause group on LinkedIn.  I guess it requires 
authentication and possibly group membership: 
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=gid=138011discussionID=5737656

It looks like some Universities are offering courses now...

Neil

