The "playing in traffic" example is one extreme end of the spectrum. A good analogy for the other end might be physics, where you just teach Newtonian theory as if it were 100% accurate and then, if the student decides to take a relativistic physics class, you teach them on day 1 that everything they know isn't right. It seems teaching secure programming must lie somewhere between these two ends of the spectrum.
Perhaps a more useful exercise (rather than debating where in the gradient through metaphor) is to try to enumerate the variables that play into what draws a topic toward one end or the other. Such variables might include:

* "stickiness" of the bias/habits acquired as you learn more
* impetus to learn more
* ability/access to learn more

Just a thought.

p.

On 8/25/09, Goertzel, Karen [USA] <goertzel_ka...@bah.com> wrote:
> We teach toddlers from the time they can walk that they shouldn't play in
> traffic. A year or two later, we teach them to look both ways before
> crossing the street. Even later - usually when they're approaching their
> teens, and can deal with "grim reality", we give examples that illustrate
> exactly WHY they needed to know those things.
>
> But that doesn't mean we wait until the kids are 11 or 12 to tell them they
> shouldn't play in traffic.
>
> There has to be some way to start introducing the idea even to the rawest of
> raw beginning programming students that "good" is much more desirable than
> "expedient", and then to introduce the various properties that collectively
> constitute "good" - including security.
>
> Karen Mercedes Goertzel, CISSP
> Associate
> 703.698.7454
> goertzel_ka...@bah.com
> ________________________________________
> From: Andy Steingruebl [stein...@gmail.com]
> Sent: Tuesday, August 25, 2009 1:14 PM
> To: Goertzel, Karen [USA]
> Cc: Benjamin Tomhave; sc-l@securecoding.org
> Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
>
> On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA] <goertzel_ka...@bah.com> wrote:
>> For consistency's sake, I hope you agree that if security is an
>> intermediate-to-advanced concept in software development, then all the
>> other "-ilities" ("goodness" properties, if you will), such as quality,
>> reliability, usability, safety, etc. that go beyond "just get the bloody
>> thing to work" are also intermediate-to-advanced concepts.
>>
>> In other words, teach the "goodness" properties to developers only after
>> they've inculcated all the bad habits they possibly can, and then, when
>> they are out in the marketplace and never again incentivised to actually
>> unlearn those bad habits, TRY desperately to change their minds using
>> nothing but F.U.D. and various other psychological means of dubious
>> effectiveness.
>
> Seriously? We're going to teach kids in 5th grade who are just
> learning what an algorithm is how to protect against malicious inputs,
> how to make their application fast, handle all exception conditions,
> etc?
>
> ...
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________

--
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra chandra<at>list<dot>org
PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~