Hi all, I've been watching this discussion with interest, as I've taught a undergrad-level course a couple of times that focuses on infosec with a concentration in software security. Yes, _Secure Coding_ was one of the books we used :)
A few observations from my experience so far: - Sure, we can teach "don't overflow the buffer" in lower division undergrad courses, but many students won't understand the reasons why this results in an exploitable condition, since those reasons require understanding concepts that are not normally taught until the upper division of undergrad CS. - I think we need to not only give the students the right *tools* to code securely, but also the right *mindset*. It is harder to teach the "mindset" in the earlier courses. - As for a specialized course on software security, it can be tricky working it into the undergrad CS curriculum. When I've taught this material, I could not assume (for instance) a certain degree of student knowledge about computer architecture and the way the call stack works. I had to explain that stuff just to be able to explain how a buffer overflow works, for instance. - We can teach, "be more secure, use Java/C#/etc instead of C", and that is good, but remember that these students are going out into the real workforce and will use the language(s) chosen by their employers (or already in place on an existing product line). I do believe that students still need to know how to use C/C++ responsibly. Otherwise, they may very well be ill-prepared for the real world :) - As for vocational vs. academic, I think there's a lot of room for software security in each. At the academic level, you spend more time explaining the underlying concepts. For example, teaching why having a call stack share data and program flow control constructs tends to cause trouble (when no enforcement of the bounds of data and control is performed). Vocational teaching is much more hands-on and tools oriented. At the academic level, you want your students to be able to take the knowledge and apply it in new and creative ways, not just learn a tool or a technique. - Many universities want to teach in the academic world the kind of knowledge that will give their students a definite edge when they go into private industry. If potential employers (or graduate programs, etc.) look favorably on some "software security" experience, we will probably see more of it taught and/or integrated into existing coursework. - I found Corewars to be an interesting tool for starting to exercise that "defensive coding" muscle. It gets students used to assuming that their program will be abused and misused, among other things :) Greg. ---------------------------------------------------------------- Greg Beeley, President & Co-Founder [EMAIL PROTECTED] LightSys Technology Services, Inc. http://www.LightSys.org/ ---------------------------------------------------------------- _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php