CERIAS Weblogs » Notes about the Faculty Workshop on Secure Software Development


Pascal Meunier

Pascal Meunier is a research scientist at the Center for Education and Research in Information and Assurance (CERIAS) at Purdue University. He is the author of the Cassandra system, the CIRDB and PI for the ReAssure project. He also teaches secure programming and publishes a set of slides in 3 parts on the subject.


On April 13-15, I attended the “Faculty Workshop on Secure Software Development” (alternatively called “Secure Coding Faculty Workshop” by SANS), paid for by NSF (no grant number yet) and organized by Bill Chu, Matt Bishop and SANS. There were presentations from a number of faculty involved in secure coding or software engineering, as well as some companies. My presentation focused on secure programming, and so was somewhat off-the-mark due to my confusion about the name and objectives of the workshop. It was more about software engineering and introducing good security practices in the CS/SE curriculum, than secure coding itself. In hindsight, the objectives appeared to be:

  • Share content. There was some sharing at the workshop, with an attempt to gather relevant material from attendees and combine it into a repository. I seemed to surprise people because I didn’t bring my laptop (I wanted to avoid the temptation of a distraction and give all my attention to the workshop, and to avoid lugging it and getting it through the TSA screenings), so I ended up giving URLs for my secure programming material. The difference between this repository and others “that failed” (Sam Redwine pointed out the low success rate of educational material repositories) would be that SANS and industry would be “beating down doors” of universities and industry for its adoption. I would have preferred if we had discussed and devised a mechanism by which we could leverage existing sources, discussed duplication of efforts, made a general appeal for relevant material from all sources instead of only those at the meeting, thought about the consolidation, organization and vetting of this material in a consistent and usable manner, not to mention identified sources of funding to do so. Input from a librarian would have helped. Besides correctness, organization is a key difference between expert knowledge and ordinary knowledge. This is a big problem that requires a lot of work to do correctly. Despite seeing on a slide earlier the quote “success is foreseeing failure”, participants did not discuss very seriously how this effort could fail. No amount of beating down doors will make people adopt content that is poorly organized and has little usability, yet despite awareness of this problem at the workshop, I believe that this hasn’t been addressed properly. This is not to say that it’s doomed; but let’s think about why we really need it, what we really need, how it can fail and what we need to do to make it successful, not just in the next few months, but as a dependable resource with lasting success.
  • Improve the content of training materials, whether these are professional training books or reference books for university classes. A problem is insecure code examples that are later used “as is” in production systems. Such examples are chosen because they are succinct, but often a more secure version wouldn’t be any longer in terms of number of lines of code. Sometimes, authors use the excuse that “it was never intended for production use”, but most students don’t know any better than what teachers show them. Educators aren’t fully aware of their responsibility in that regard, or choose to ignore it for one reason or another. One goal of the workshop was to initiate the creation of exercises that could be used to supplement or replace insecure code examples. In my opinion too much emphasis was put on trying to come up with some during the workshop, instead of devising a systematic way of creating them, and ensuring the identification and correction of the relevant online material.
  • Network, keep contact and keep working on it…

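To illustrate the point about training materials, here is an added example (not code from the post or the workshop) of the kind of textbook snippet that is often shown for brevity, next to a bounded version that has exactly the same number of lines. The function names `greet_unsafe` and `greet_safe`, the buffer size `NAME_LEN`, and the sample inputs are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a deliberately small fixed buffer. */
#define NAME_LEN 16

/* Textbook-style version: copies whatever the caller supplies into a fixed
 * buffer. It works on a slide with a short name; a longer input overflows
 * 'name'. Returns the length of the greeting written to 'out'. */
size_t greet_unsafe(const char *input, char *out, size_t out_len)
{
    char name[NAME_LEN];
    strcpy(name, input);                         /* no bound on input length */
    snprintf(out, out_len, "Hello, %s!", name);
    return strlen(out);
}

/* Same shape, same line count: the copy is bounded by the buffer size and
 * always NUL-terminated, so oversized input is truncated, not written past
 * the end of 'name'. */
size_t greet_safe(const char *input, char *out, size_t out_len)
{
    char name[NAME_LEN];
    snprintf(name, sizeof name, "%s", input);    /* truncates, never overflows */
    snprintf(out, out_len, "Hello, %s!", name);
    return strlen(out);
}

int main(void)
{
    char out[64];
    /* Constructed inputs: a short one both versions handle, and a long one
     * that only the bounded version is safe to run on. */
    const char *short_name = "Pascal";
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_unsafe(short_name, out, sizeof out);
    printf("unsafe, short input: %s\n", out);
    greet_safe(long_name, out, sizeof out);
    printf("safe, long input (truncated to %d chars): %s\n", NAME_LEN - 1, out);
    return 0;
}
```

The secure version costs no extra lines, which is the author's point: the choice between the two is a matter of which idiom the teaching material shows first, not of brevity.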
Some people were pleasantly surprised by the usefulness and portability of the SEED labs. I have been using some of these in CS 390S this semester and recommend them. The Fedora Linux VMware image that I created for CS 390S is available for download on the ReAssure public downloads page. If some of you created more images suitable for use with the SEED labs, please upload them in ReAssure as Kevin (Syracuse) doesn’t have the bandwidth to host them.

I was personally impressed by the secure software engineering program at Leuven as described by Wouter Joosen, but disappointed when I quickly hit pages that displayed “This information is not available in English. Consult the Dutch pages”. I guess I’ll have to resort to Babel Fish translation and the like.

My final concern is that, without funding commitments, this effort will rely on personal heroics. I found it ironic that we were discussing how to improve software engineering while our own effort would only classify as CMM level 1. Open source and community efforts are nice and can deliver useful things, but they can also deliver lots of wiki stubs that nobody seemingly has the time or inclination to fill and complete, as well as vetting and other management problems. The workshop resulted in great interactions, and clearly it was intended to just start the ball rolling. My point is that we preach that solving problems at design time is 100 times less costly than at production time, yet it seemed that we were rushing to production. Perhaps I just didn’t “get” the vision. Nevertheless, I’m glad that I attended; there certainly were a lot of things to think about.
