Why you should teach secure programming


I found this interesting. It is from CERT (US Computer Emergency Readiness Team):


This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin the information was published in. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities.


That sure is a lot of vulnerabilities. The message I get from this is that we really need to do a lot more to train people to write secure code. It should start in school, I think. The bad habits start there. Companies can do more training; Microsoft has a lot of secure programming training for their developers, but that seems late in the process to me.


There are a number of things that seem to get left behind while teaching introductory programming. Documentation is one, although more and more people are trying to include that in the process. Error handling and data verification are another. Security and secure programming, which is closely related to error handling and data verification, often gets less than a mention. I think that we have to rethink fitting those issues into the educational process earlier in the cycle.


I think we need students to understand that security is something that is designed into the software and not an add-on. The mindset is what needs to be worked on. Students get lazy in a sense because they can write code with security and data holes without getting a bad grade. While I don't think we can or need to add a tight security standard in all assignments, I think that we have to teach the concepts, the mindset and the awareness of the issue starting from a first course.


Comments (1)

  1. I definitely agree as a student of computer science. I know Michael Howard, coauthor of Writing Secure Code, has education as a pet peeve as well. I definitely bring up integrating more robust (and consequently secure) programming methods in student advisory meetings to the CS department. I have had success in getting the OS teacher (where C is used) to start switching to strncpy instead of strcpy since you can’t prevent a buffer overflow with strcpy.
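
For a classroom setting, the strcpy-to-strncpy switch mentioned in the comment can be shown together with the error handling and data verification the post asks for. The following is an added example, not code from the post or the comment; `copy_name` and `raw_strncpy_terminates` are hypothetical helper names and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: bounded copy of src into dst (dst_size bytes).
 * Returns 0 when src fit completely, -1 on bad arguments or truncation.
 * On truncation dst still holds a NUL-terminated prefix of src. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* The bound keeps the write inside dst. strncpy does not append a
     * terminator when src has dst_size - 1 or more characters, so the
     * last byte is set explicitly. */
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';

    /* Data verification: tell the caller when input was cut short. */
    return strlen(src) >= dst_size ? -1 : 0;
}

/* Shows the pitfall of a bare strncpy(buf, src, sizeof buf):
 * returns 1 if the 8-byte buffer ended up NUL-terminated, 0 if not. */
int raw_strncpy_terminates(const char *src)
{
    char buf[8];

    memset(buf, 'X', sizeof buf);      /* simulate stale stack contents */
    strncpy(buf, src, sizeof buf);     /* bounded, but may not terminate */
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    char name[8];
    const char *inputs[] = { "alice", "a_very_long_name" };  /* constructed */

    for (size_t i = 0; i < 2; i++) {
        int rc = copy_name(name, sizeof name, inputs[i]);
        printf("%-18s -> \"%s\" (%s)\n", inputs[i], name,
               rc == 0 ? "ok" : "rejected: too long");
    }
    printf("bare strncpy terminated on 8-char input: %d\n",
           raw_strncpy_terminates("12345678"));
    return 0;
}
```

The bound stops the write at the end of the buffer, but the caller still has to terminate the string and decide what to do with input that did not fit.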
