Putting Security back into the Code: experiences in teaching secure coding
Cybersecurity is one of the hottest topics in the computing industry. From end-to-end network security to secure cloud computing, security has to be addressed in all aspects of software design and implementation. While some common coding security violations are well known and easily scanned for and prevented (buffer overflows, SQL injection, etc.), relatively little attention has been given to writing secure code. For large-scale coding, variants of C and C++ (with perhaps some Java) remain the most widely used languages. However, as a quick examination of almost all widely used introductory textbooks will show, very little attention is paid to teaching “secure coding”. Instead, developers typically learn some fluency in a programming language, with the emphasis on getting it to execute, and later learn coding security almost as an afterthought.

In the Spring 2015 semester, my university, Stephen F. Austin State University, decided to teach a course on “security in coding”. This presentation will summarize the success in teaching the course. The approach used in the course was to examine the security features (or lack of security features) in a wide range of programming languages (such as C, C++, Java, Ada, and others) that are typically used, or have been used, in highly reliable secure programming endeavors. There are common topics in each language that invite a security-conscious comparison to other languages. These topics were:

• General architecture of the language (including libraries and other importable items)
• Typing (no typing, weak or format-compatible typing, strong or named typing)
• Real-time processing (internal vs. operating-system timing calls)
• Parallel processing (process spawning, the rendezvous approach, threads, protected records)
• Inter-task communication
• Procedure and function calls and side effects
• Memory management (OS vs. language protocols)
• Error and exception handling
• Restricting operations on types (private and limited private types)

This presentation will summarize the results of the class, and also discuss how selected topics (such as strong typing, error and exception handling, and memory management) could be adapted to a more technical course that could be used in a real-world environment to improve the secure coding skills of developers.
David Cook (Primary Presenter, Author), Stephen F. Austin State University, email@example.com
Dr. David A. Cook is Associate Professor of Computer Science at Stephen F. Austin State University, where he teaches Software Engineering, Modeling and Simulation, and Enterprise Security. Prior to this, he was Senior Research Scientist and Principal Member of the Technical Staff at AEgis Technologies, working as a Verification, Validation, and Accreditation agent supporting the Airborne Laser. Dr. Cook has over 40 years' experience in software development and management. He was an associate professor and department research director at USAF Academy and former deputy department head of Software Professional Development Program at AFIT. He has been a consultant for the Software Technology Support Center for 19 years. Dr. Cook has a Ph.D. in Computer Science from Texas A&M University, is a Commissioner and Team Chair for ABET, Past President for the Society for Computer Simulation, International, and Chair of ACM SIGAda.
Eugene Bingue (Co-Presenter, Co-Author), U.S. NCTAMS-PAC, firstname.lastname@example.org
Dr. Eugene Bingue is an IT Planner for NCTAMS-PAC. He is NCTAMS Division Chief for Contract Management and COR for MUOS, SATCON and other NCTAMS PAC systems. Bingue has over 40 years' experience in communication and computer systems development and management. He was a key player in standing up the first Theater Geospatial Database (TGD) in the U.S. Army, USARPAC G2. He was a Software Engineer in the Satellite Control and Simulation Division at the U.S. Air Force Phillips Laboratory. Bingue was instrumental in the architecture design of the MAGIC satellite health and status system for Space Command. He was the lead software engineer for the development of the Reactor Control Unit for the Russian Topaz II space-based nuclear reactor.