Comments on: Speculations on Teaching Secure Programming http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/ Privacy, Security and Information Assurance issues Mon, 12 May 2008 13:59:09 +0000 http://wordpress.org/?v=2.5.1 By: Controlled Flight Into Terrain › Pascal Meunier on Teaching Secure Programming http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/#comment-209340 Controlled Flight Into Terrain › Pascal Meunier on Teaching Secure Programming Thu, 17 Apr 2008 13:45:26 +0000 http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/#comment-209340 [...] CERIAS Weblogs » Speculations on Teaching Secure Programming Security is somewhat of a habit, an attitude, a way of thinking and life. You won’t become a secure programmer just because you learned of a new vulnerability, exploit or security trick today, although it may help and have a cumulative effect. This was written by irving. Posted on Thursday, April 17, 2008, at 9:45 am. Filed under Software. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback. [...] [...] CERIAS Weblogs » Speculations on Teaching Secure Programming Security is somewhat of a habit, an attitude, a way of thinking and life. You won’t become a secure programmer just because you learned of a new vulnerability, exploit or security trick today, although it may help and have a cumulative effect. This was written by irving. Posted on Thursday, April 17, 2008, at 9:45 am. Filed under Software. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback. [...]

]]> By: Stephan http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/#comment-191339 Stephan Wed, 27 Feb 2008 16:05:48 +0000 http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/#comment-191339 Great thoughts! I think this also reflects on a common discussion I've come across before that university CS departments seemed to be more concerned with churning out the "factory programming drones" than really teaching computer science/technology as they once did. There is an entire art and creative aspect to development that seems to be lost these days in the effort to push out more Java programmers with minimal skill sets. Perhaps there is an underlying Java programmer quota that each Uni must meet yearly! :) One thing to note about programmers with a lack of security knowledge (or even sloppy/lazy coding habits) is that they present an enormous liability for their current/future employer(s). A Uni without at least some solid security training is really doing a disservice to the student, his/her potential employers and the industry itself. Great thoughts! I think this also reflects on a common discussion I’ve come across before that university CS departments seemed to be more concerned with churning out the “factory programming drones” than really teaching computer science/technology as they once did. There is an entire art and creative aspect to development that seems to be lost these days in the effort to push out more Java programmers with minimal skill sets.

Perhaps there is an underlying Java programmer quota that each Uni must meet yearly! :)

One thing to note about programmers with a lack of security knowledge (or even sloppy/lazy coding habits) is that they present an enormous liability for their current/future employer(s). A Uni without at least some solid security training is really doing a disservice to the student, his/her potential employers and the industry itself.

]]> By: Laura Bowser http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/#comment-169939 Laura Bowser Tue, 15 Jan 2008 18:28:53 +0000 http://www.cerias.purdue.edu/weblogs/pmeunier/general/post-140/speculations-on-teaching-secure-programming/#comment-169939 I've encountered this in my limited teaching as a TA and later as a teacher to corporate "students". The "wow" and flash of showing the bad things only goes so far. And the students have to understand *why* things are bad. (I've had some students ask me why it was bad for an exploit to get administrative privileges). Unfortunately, most computer science/development classes aren't teaching security, they're teaching coding/development. I think there needs to be a freshman class on security in general, and required by *all* students, not just those in technical degrees. It could cover basic things like not sharing your password all the way up to showing exploits. At that point, these students have a base to work from. Just because someone wants to be a developer doesn't mean they care about security. I’ve encountered this in my limited teaching as a TA and later as a teacher to corporate “students”. The “wow” and flash of showing the bad things only goes so far. And the students have to understand *why* things are bad. (I’ve had some students ask me why it was bad for an exploit to get administrative privileges). Unfortunately, most computer science/development classes aren’t teaching security, they’re teaching coding/development.

I think there needs to be a freshman class on security in general, and required by *all* students, not just those in technical degrees. It could cover basic things like not sharing your password all the way up to showing exploits. At that point, these students have a base to work from.

Just because someone wants to be a developer doesn’t mean they care about security.

]]>