Ben Tomhave wrote:
> Wall, Kevin wrote:
> >
> > I don't mean to split hairs here, but I think "fundamental concept"
> > vs "intermediate-to-advanced concept" is a red herring. In your case
> > of you teaching a 1 yr old toddler, "NO" is about the only thing
> > they understand at this point. That doesn't imply that concepts like
> > "street" are intermediate-to-advanced. It's all a matter of perspective.
> > If you are talking to someone with a Ph.D. in physics about partial
> > differential equations, PDEs *are* a fundamental concept at that level
> > (and much earlier in fact). The point is, not to argue semantics, but
> > rather to teach LEVEL-APPROPRIATE concepts.
> >
> I think you do mean to split hairs, and I think you're right to do so.
> Context is very important. For example, all this talk about
> where to fit secure coding into the curriculum is great, but it also
> ignores the very large population of self-taught coders out there,
> as well as those who learn their craft in a setting other than a
> college or university. Ergo, it still seems like we're talking at
> ends about an issue that, while important, is still only at best a
> partial solution.
Of course it's only a partial solution, and I think you raise some very valid concerns. Normally, I wouldn't consider the "self-taught" in a discussion of where secure coding belongs in the CURRICULUM, but we can't ignore that 800 lb gorilla either. That of course is a much harder challenge. I suppose in some sense we should expect / hope that these same concepts that we've been discussing are addressed in the numerous books, periodicals, web sites, etc. where most of this learning happens. But that's probably a much more difficult situation to change...more of a wild, wild west in comparison to academia. Ultimately, most sane people act in accordance with what they are rewarded for: doing things correctly, and being disciplined for doing wrong. In academia, we can do this with grades for students, pay and/or tenure or other perks for professors / lecturers, etc. But once we get into the books and magazines realm, we have to look to the publishers to reward / discipline appropriately, and IMO they don't necessarily have the same drivers as academia. Many publishers seem to be more concerned with just making a quick $$ rather than being accurate or thoroughly training people to do things correctly. (How else can you explain tabloids, unless you subscribe to the MiB theory? And IMHO, there are plenty of "tabloid"-like publishers writing books in the programming field, but I digress.) Getting back to my point, you have even less "control" over someone putting up their own educational web pages that profess to teach programming, on which many of the self-educated seem to rely. There are plenty of good ones, but most I've seen seem to be oblivious to secure coding practice (with the exception of security-related sites such as OWASP, etc.). So it's only things like reputation, and ultimately market pressures, that force any corrective actions with regard to publishers of written and web material.
Add to that the problem that BECAUSE these people are self-taught, they generally don't have someone to provide guidance to separate the wheat from the chaff, as instructors hopefully do with their students. But if self-taught programmers are the 800 pound gorilla, then corporate business is the 4 ton elephant. If anything, I would say that addressing the pressures that seem to be brought to bear on corporate programmers _against_ secure coding practice (although unintentionally) is the MUCH BIGGER problem. (Most people go into CS to move into industry after all, not to stay and teach/research in academia.) Most businesses rate secure code as a very low need and emphasize time-to-market (which presumably has a direct correlation to market share, or so we've been told) over everything else. IMHO, that leads to more slipshod code than any other single factor. Adding defensive code to make it more robust against attacks takes additional time, which on large projects can be quite significant. To make matters worse, many IT shops in the USA seem to reward the "how fast can you crank out code" (no matter how insecure) mentality over the "how good of quality do you deliver" mentality. What is rewarded in IT shops is quantity of LOC cranked out each week (wrongly but widely perceived as equivalent to productivity) over quality (less buggy code, which I believe correlates well with fewer vulnerabilities). I have no sour grapes here--never wanted to move into management--yet over my 30+ years in industry (mostly telecom), I've seen the "fast" get rewarded, transfer to another project before things crash-and-burn, and then go on to get promoted to some management position. And then they continue to act this way as managers because that's what got them there. Let's face it, the IT industry in the USA is one huge dysfunctional family. So, I think *that's* why we've been focusing on formal education.
There is a chance, a glimmer of hope even in the most cynical of us, that if we reach a critical mass there (and trust me, my mass is more critical than most), we can perhaps reach a tipping point and get things turned around. Until then, in our own circle of influence, we try the best we can to teach others the whys and hows of secure coding. Often, that's one developer at a time, and occasionally, you might get the opportunity to teach a small class. But the cynic in me says that unless we address the pressures that business brings to bear (usually unintentionally) against secure coding, we are fighting a battle that we will never win, because those forces will cause people to unlearn / forget everything that they have been properly taught in their CS curriculum about secure coding (if we assume for the moment we can get to that point someday, which I think we can).

Wow, how was that for a rant? :)

---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________