[SC-L] Fwd: re-writing college books - erm.. ahm...
Matt Bishop
bishop at cs.ucdavis.edu
Tue Nov 7 12:56:42 EST 2006
Folks,
A comment based on an idea we tried here.
> Well, I never received any replies here on what's already being
> done.. so now, I am asking for ideas on how we can approach schools.
> What's needed in order for basic CS classes to have a security
> orientation?
Ideally, I agree with the sentiment but would quarrel with the
wording :-). On a practical level, I think this is very unlikely to
happen. For example, one problem is those classes are already
overloaded with how to program *plus* language stuff. You can only do
so much in 10 or 15 weeks (depending on whether you're on the quarter
or semester system).
An alternative to focusing on the introductory classes is to provide
support for programming throughout the curriculum. But the big
problem is overloaded classes--we try to teach too much material now.
Telling an algorithms instructor she also needs to teach some
security will fail on at least two counts: (1) "How do I teach the
required course material *plus* security?" (2) "How do I learn enough
about security to know what to teach and how to teach it? And where
do I find the time to learn this?" So I don't think adding more
material to existing classes will work.
So let's take a page from English departments and/or law schools.
Both have writing clinics--they are separate from classes, and
provide reviews of written papers before those papers are turned in.
The ones I'm familiar with do *not* address content, but they *do*
address mechanics (grammar, punctuation, etc.) and expression--does
the writing make sense, is it well organized, and so forth. Why not
establish something similar for programming?
You could work this in a number of ways. The one we've tried here was
to require the students to write the program and then meet with
someone working in the clinic. The clinician went through the program
with the student, pointed out potential problems and bad programming
practices, and (when appropriate) security issues. No grading
occurred, but the student could rewrite the program to fix the
problems pointed out (and others that the student found--the
clinician did not try to find all the problems, just enough to show
the student what types of problems were there).
We did some very informal testing, and the results were promising. If
anyone's interested, we did a write-up of it; see:
http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/
I need to emphasize the results are informal because we weren't
educational metricians. Our next step (assuming we can get the
funding) will be to devise formal metrics and do some more rigorous
measurements to see how well the clinic works.
The interesting point about the clinic is that it appeared to be
effective at both introductory and upper division levels, provided
the students used it. It also would provide reinforcement throughout
the student's undergraduate education, and give the student more of a
chance to absorb good programming practices than do one or two
classes that focus on those aspects of programming.
Just a thought ....
Matt
==================================
Matt Bishop
Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562
United States of America
phone: +1 530 752 8060
fax: +1 530 752 4767
web: http://seclab.cs.ucdavis.edu/~bishop