On Tuesday 07 November 2006 16:42, Julie J.C.H. Ryan wrote:
> Folks, I've been forwarding select messages from this listserv to my
> nephews, who are undergrads in CS at some fairly renowned

I did a CS degree quite recently. There was simply _no_ mention of security, with the exception of passing mentions in the software engineering paper. In my 4th year (first year of postgrad), I did a paper on network security that was run by the information science department[0] for my own edification. A good paper, although it didn't cover software development security at all (and didn't intend to, either).
A large amount of the programming done there is in safer languages, however. I was in the last year doing Pascal; now it's Java. They are taught C later, more to give students exposure to something a bit 'closer to the metal', where less of the donkey work is taken care of. After that, it tends to develop more into specific languages as suits what people are doing (Haskell, Prolog, LISP, etc.).

It is important to note that there is no goal of teaching students to go off and be safe programmers. Computer science is seen, to a reasonable extent, to be a theoretical pursuit. Algorithms are covered, GC methods, heuristic searches, and so on. That many students from this tend to go off and become programmers is almost seen the same as if they went off and became plumbers, just much more common. They are, of course, expected to hang around and become academics ;)

You could reasonably argue (and I'm inclined to believe it myself) that not teaching secure practices to computer science students is a problem, but I think that the underlying issue is more that security is more of a vocational thing, the same as if they were to teach, say, programming with EJB. (Note: I consider many branches of security research to fit fairly comfortably into computer science, but I don't think that things like 'avoiding buffer overflow vulnerabilities' do, the usefulness of the knowledge aside.)

None of this is to say that it shouldn't be taught, just to provide my opinions on why it's not taught. Given a large number of CS students _do_ go off and develop real-world software, security should be given some time.

Aside: I don't think there's anything wrong with printf in Java; it is helpful, and AFAIK it's not prone to the same format string vulnerabilities as C is.

[0] At my uni, information science is the more business/application-oriented computer-related department; computer science is much more like applied mathematics/biology/cognitive psychology, depending on what exactly you're doing.
--
Robin <[EMAIL PROTECTED]>
JabberID: <[EMAIL PROTECTED]>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
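The aside about printf in Java, as an added illustration that is not part of Robin's post: Java's formatter validates the format string against the supplied arguments, so a user-controlled format string with stray specifiers is rejected with an exception rather than reading memory, as a C `printf(userInput)` would. The still-correct habit is the same as in C: pass untrusted text only as a `%s` argument, never as the format. The class name, method names and the constructed sample input are my own.

```java
import java.util.MissingFormatArgumentException;

public class FormatStringDemo {
    // Constructed sample: untrusted text that happens to contain format specifiers.
    static final String UNTRUSTED = "%x %x %s";

    // Mistaken pattern: untrusted text used as the format string itself.
    // In C this would walk the stack; in Java the formatter notices that
    // no argument was supplied for %x and throws MissingFormatArgumentException.
    static String formatUnsafely(String input) {
        return String.format(input);
    }

    // Correct pattern: untrusted text only ever appears as a %s argument,
    // so its contents are printed literally.
    static String formatSafely(String input) {
        return String.format("%s", input);
    }

    public static void main(String[] args) {
        System.out.println(formatSafely(UNTRUSTED)); // prints: %x %x %s
        try {
            System.out.println(formatUnsafely(UNTRUSTED));
        } catch (MissingFormatArgumentException e) {
            // Rejected at runtime: an unhandled exception here is a crash bug,
            // not a memory disclosure, which is the difference the aside points at.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical takeaway for a code reviewer is that `String.format(input)` and `printf(input)` still deserve a flag in Java: the consequence is an uncaught exception on hostile input rather than an information leak, but the fix (`"%s", input`) is the same one-line change.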
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php