We teach toddlers from the time they can walk that they shouldn't play in
traffic. A year or two later, we teach them to look both ways before crossing
the street. Even later - usually when they're approaching their teens, and can
deal with "grim reality", we give examples that illustrate exactly WHY they
needed to know those things.
But that doesn't mean we wait until the kids are 11 or 12 to tell them
shouldn't play in traffic.
There has to be some way to start introducing the idea even to the rawest of
raw beginning programming students that "good" is much more desirable than
"expedient", and then to introduce the various properties that collectively
constitute "good" - including security.
Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com
________________________________________
From: Andy Steingruebl [stein...@gmail.com]
Sent: Tuesday, August 25, 2009 1:14 PM
To: Goertzel, Karen [USA]
Cc: Benjamin Tomhave; sc-l@securecoding.org
Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
[USA]<goertzel_ka...@bah.com> wrote:
> For consistency's sake, I hope you agree that if security is an
> intermediate-to-advanced concept in software development, then all the other
> "-ilities" ("goodness" properties, if you will), such as quality,
> reliability, usability, safety, etc. that go beyond "just get the bloody
> thing to work" are also intermediate-to-advanced concepts.
>
> In other words, teach the "goodness" properties to developers only after
> they've inculcated all the bad habits they possibly can, and then, when they
> are out in the marketplace and never again incentivised to actually unlearn
> those bad habits, TRY desperately to change their minds using nothing but
> F.U.D. and various other psychological means of dubious effectiveness.
Seriously? We're going to teach kids in 5th grade who are just
learning what an algorithm is how to protect against malicious inputs,
how to make their application fast, handle all exception conditions,
etc?
...
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
