Personally I think secure coding should be included in the entire
curriculum irrespective of the level. People learn habits early on
that they tend to carry for as long as they are programmers. How many
programmers that learned the K&R style of indentation for example
continue to use it as their default style even when they have learned
new languages?

Having just done a quick survey of the programming books on my shelves
I don't find security or secure coding covered much if at all. I doubt
that is because some business guy came down to the author and told him
to excise security from the book. If basic security and secure coding
practices are not integrated into programming from the beginning it is
an add-on, and hence not a natural component of the (art|science) of
programming and much easier to skip.

I have started teaching my 12-year-old son C programming at home. We
started off with a basic "Hello World", then added his name as a
variable, then a loop to print different names, then added the ability
to take the name as input from the command line. At each step we added
in a bit of exception handling, and once we got to user input data we
added basic data and input validation. Each new version of the program
had a test plan and had to handle exceptions. This is a very simple
example and is not something production ready, but every step showed
him how to program without leaving security out.

In my opinion, any educational program that deals with computers or
networks should have security and secure coding woven into it. The
amount and type of secure coding depends on the subject. A management
class that calculates costs and ROI of a project should have metrics
for the cost of security or robustness failures. Networking classes
should have secure configuration integrated. Software
engineering/design would need to have appropriate modules on
encryption, identity management, etc., etc.

In the end I think the question should be: "Is there a place where
security and secure coding do NOT belong in a curriculum?"
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
