The "playing in traffic" example is one extreme end of the spectrum. A
good analogy for the other end might be physics, where you just teach
Newtonian theory as if it were 100% accurate and then, if the
student decides to take a relativistic physics class, you teach them
on day 1 that everything they know isn't right. It seems teaching
secure programming must lie somewhere between these two ends of the
spectrum.

Perhaps a more useful exercise (rather than debating where in the
gradient through metaphor) is to try to enumerate the variables that
play into what draws a topic toward one end or the other. Such
variables might include:
 * "stickiness" of the bias/habits acquired as you learn more
 * impetus to learn more
 * ability/access to learn more

Just a thought.

p.


On 8/25/09, Goertzel, Karen [USA] <goertzel_ka...@bah.com> wrote:
> We teach toddlers from the time they can walk that they shouldn't play in
> traffic. A year or two later, we teach them to look both ways before
> crossing the street. Even later - usually when they're approaching their
> teens, and can deal with "grim reality", we give examples that illustrate
> exactly WHY they needed to know those things.
>
> But that doesn't mean we wait until the kids are 11 or 12 to tell them they
> shouldn't play in traffic.
>
> There has to be some way to start introducing the idea even to the rawest of
> raw beginning programming students that "good" is much more desirable than
> "expedient", and then to introduce the various properties that collectively
> constitute "good" - including security.
>
> Karen Mercedes Goertzel, CISSP
> Associate
> 703.698.7454
> goertzel_ka...@bah.com
> ________________________________________
> From: Andy Steingruebl [stein...@gmail.com]
> Sent: Tuesday, August 25, 2009 1:14 PM
> To: Goertzel, Karen [USA]
> Cc: Benjamin Tomhave; sc-l@securecoding.org
> Subject: Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
>
> On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen
> [USA]<goertzel_ka...@bah.com> wrote:
>> For consistency's sake, I hope you agree that if security is an
>> intermediate-to-advanced concept in software development, then all the
>> other "-ilities" ("goodness" properties, if you will), such as quality,
>> reliability, usability, safety, etc. that go beyond "just get the bloody
>> thing to work" are also intermediate-to-advanced concepts.
>>
>> In other words, teach the "goodness" properties to developers only after
>> they've inculcated all the bad habits they possibly can, and then, when
>> they are out in the marketplace and never again incentivised to actually
>> unlearn those bad habits, TRY desperately to change their minds using
>> nothing but F.U.D. and various other psychological means of dubious
>> effectiveness.
>
> Seriously?  We're going to teach kids in 5th grade who are just
> learning what an algorithm is how to protect against malicious inputs,
> how to make their application fast, handle all exception conditions,
> etc?
>
> ...
>


-- 
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________