[SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread McGovern, James F (HTSC, IT)
There are several perspectives missing from the dialog: - Before we even talk about secure coding, we need a course on secure thinking. Most folks are indoctrinated into thinking positive which blinds them from seeing vulnerabilities right in front of them. A prereq on being antisocial might be a

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Goertzel, Karen [USA]
We teach toddlers from the time they can walk that they shouldn't play in traffic. A year or two later, we teach them to look both ways before crossing the street. Even later - usually when they're approaching their teens, and can deal with "grim reality", we give examples that illustrate exactl

[SC-L] informIT: attack categories

2009-08-25 Thread Gary McGraw
hi sc-l, If you listened recently to the latest episode of Silver Bullet with Fred Schneider from Cornell, one of the ideas Fred and I discussed was the notion of attack categories and anticipating large scale trends in attack space. Hopefully yo

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Andy Steingruebl
On Tue, Aug 25, 2009 at 7:26 AM, Goertzel, Karen [USA] wrote:
> For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other "-ilities" ("goodness" properties, if you will), such as quality, reliability, usabil

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 17:25, Benjamin Tomhave wrote:
> You cannot teach advanced grammar to a student with no language skills.
I have excellent language skills (after my gaffe with the word "student" on this very list, I should perhaps add "in my mother tongue"), but you still couldn't teach

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Pete Werner
The "just get the bloody thing to work" is usually an attitude foisted on developers by the business side. I work in an internal application security function for a large enterprise and I'm yet to meet a developer who wasn't concerned about security. Developer education is very important and we h

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Matt Bishop
Ben, First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle (OO anybody?) directly to concepts that brid

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 18:07, Andy Steingruebl wrote:
> really? First graders are learning to do math proofs instead of basic addition? I'm quite surprised by this.
Yeah, sorry. When I wrote about "students" I meant "college students". I don't know, is that a difference between British Englis

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Andy Steingruebl
On Tue, Aug 25, 2009 at 4:09 AM, Stephan Neuhaus wrote:
> On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:
>> First, security in the software development concept is at least an intermediate concept, if not advanced.
> Not at all. That would be like saying that correctness is also an adva

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote:
> You don't teach proofs - not really. The elementary and junior high curriculum generally does not contain anything about proofs
I was talking about college students because that's when I was properly taught programming. That may no longer

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Benjamin Tomhave
Stephan Neuhaus wrote:
> and deploy software. I see no reason why teaching to think about assumptions should be deferred. You teach math students how to do proofs right from the beginning for essentially the same reasons :-)
You don't teach proofs - not really. The elementary and junior h

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Benjamin Tomhave
It's a catch-22, and there's certainly no need to be snarky about it. You cannot teach advanced grammar to a student with no language skills. Similarly, to think you can teach secure coding to a student with no coding skills is folly. I think James McGovern's suggestion is probably the best altern

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Goertzel, Karen [USA]
For consistency's sake, I hope you agree that if security is an intermediate-to-advanced concept in software development, then all the other "-ilities" ("goodness" properties, if you will), such as quality, reliability, usability, safety, etc. that go beyond "just get the bloody thing to work" a

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Stephan Neuhaus
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:
> First, security in the software development concept is at least an intermediate concept, if not advanced.
Not at all. That would be like saying that correctness is also an advanced concept, because it gets in the way of coding. Security is

[SC-L] OWASP Podcast August Update

2009-08-25 Thread James Manico
Hello SC-L! The OWASP Podcast Series continues to accelerate! We released 5 podcasts this month which I hope you find to be of value. 39 (August 25, 2009): Interview with Gunnar Peterson (Webservices); 38 (August 25, 2009)

Re: [SC-L] Functional Correctness

2009-08-25 Thread Pravir Chandra
Well, this topic gets muddy pretty quickly since I agree with many of the comments made on this thread. We have to be careful with hype and claims made by new models (BSIMM and OpenSAMM in particular) since depending on how the 'rest of the world' sees them speaks directly to our credibility as ind

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Benjamin Tomhave
Two quick comments in catching up on the thread... First, security in the software development concept is at least an intermediate concept, if not advanced. Riffing on Brad's comments, it seems irrational to think that you can jump straight from structural basics with which many students struggle