[SC-L] Re: How can we stop the spreading insecure coding examples at training classes, etc.?
Ed Reed (Aesec)
Ed.Reed at aesec.com
Wed Aug 30 13:17:01 EDT 2006
>
> Message: 1
> Date: Tue, 29 Aug 2006 15:48:17 -0400
> From: pmeunier at purdue.edu
> Subject: Re: [SC-L] How can we stop the spreading insecure coding
> examples at training classes, etc.?
> To: "Wall, Kevin" <Kevin.Wall at qwest.com>
> Cc: SC-L at securecoding.org
> Message-ID: <1156880897.44f49a01620aa at webmail.purdue.edu>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Quoting "Wall, Kevin" <Kevin.Wall at qwest.com>:
>
>> I think that this practice of leaving out the "security
>> details" to just make the demo code short and sweet has got
>> to stop. Or minimally, we have to make the code that people
>> copy-and-paste from have all the proper security checks even
>> if we don't cover them in training. If we're lucky, maybe
>> they won't delete them when they re-use the code.
>>
>
> I agree, and would like to extend it: security should be discussed *at the same
> time* that a topic is. Teaching security in a separate class, like I have been
> doing, reaches only a fraction of the audience, and reinforces an attitude of
> security as an afterthought, or security as an option. Comments in the code
> should explain (or refer to explanations of) why changing or deleting those
> lines is a bad idea.
>
> However, I'm afraid that it would irritate students, and make security the new
> "grammar and spelling" for which points are deducted from "perfectly valid
> write-ups" (i.e., "it's my ideas that count, not how well I spell").
The same used to be said about unstructured programming examples
(computed gotos, spaghetti code, multiple entry and exit points from
functions, etc). We got past it.
We need a similar revolution in thought with regard to security, and
someone to take the lead on providing clear, crisp examples of coding
style that is more secure by its nature. I don't have one handy - but
that's my wish.
Ed