As a regular reader of Scott Gu’s blog (see blogroll) I often find nuggets of information that are handy for the work that I do, but I also often end up with a few questions.
The latest one that fired up a bit of thought was his post on guarding against SQL injection attacks. The information posted is very handy, and is something that I would assume most web developers already know, but it made me wonder how many devs out there are actually aware of these kinds of issues while they’re building their applications.
I started hacking code together from a young age, and I’ve written my fair share of code that I hope to God never made it onto the web.
I’d like to think that over the time that I’ve spent reading, writing and working I’ve gained a pretty good coverage of the code security issues that are faced when building all kinds of applications - though I’m sure I have a stack more to learn! One thing struck me though, and that was that almost none of this stuff was covered during my course of formal study at University.
I transferred to different Unis during my time as a student, and out of the 3 that I went to, none of them had any form of code security as part of the core syllabus. Sure, there were special subjects that you could take which focussed on things such as this, including SQL injection, buffer overflows, etc, but you actually had to choose the subject out of a stack of others to get a good amount of exposure to the principles.
As time goes by, it becomes harder and harder for the developer to get themselves into trouble when writing code due to the nature of the languages and the support that you get via the accompanying frameworks - but we do manage to find new and startling ways of creating holes in our softy that the malicious and crafty can exploit.
So I do think that learning at least the basics of code security (particularly in web-based environments) is something that every developer should do. Sure, if you’re using C# you might not have to worry about buffer overflows. If you’re not using an SQL back-end, you won’t have to worry about SQL injection. Regardless of the application and language, there are always different ways in which you can slip up. Coverage should be mandatory in courses at any formal education centre so that budding developers are aware of those issues before they hit the streets. To me, this is as obvious as having English and Maths as mandatory subjects during school if you’re going to work as a coder!











October 13, 2006
You know, as a guy still in school, with all the courses that are forced upon me just to get a freaking BS in CS, the idea of yet ANOTHER forced course does discourage me.
However, the non-student, real world guy who goes and tells people not to use buggy software (read: Microsoft) knows and understands the value of good software coding practices (even if I don’t use all of them myself).
Learning to write good code is important, and learning to do it in the beginning is important as well, because you can cut off those bad habits before they start, but when you’re trying to wrap your head around an assignment which is 3 layers of binary search trees and due in 2 days, you’re not going to care about those little memory leaks that can occur. And I can only assume the same is true in the “real world”.
So although I see the need for coders to learn how to perform their trade properly, I also think the environment that coders exist in also needs to change to give them the time to write the safe and secure code… not the fast and sloppy shit.
October 13, 2006
Interesting point mate. I admit that the workload in Uni was pretty hefty, and yes there were a few subjects in there that were a bit of a mind-job! I guess by saying that I think it should be taught I really mean that it’s something that’s for FYI, rather than something you’ll be tested on.
Assignments and exams in classes have enough to cover without adding this, and yes this would be why there’s enough justification for another whole subject by itself. But that doesn’t mean we can allow ourselves and our future coders to be released into the world without any idea about what it means to write secure software.
E.g. if they teach printf during a C class, then they should explain the dangers of calling that function with a user-inputted string as the format string. If they teach strcpy they should also mention strncpy. The list goes on.
There’s no reason they can’t throw these nuggets in so that people are at least aware.
Of course, that’s just my 2c.
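
The printf and strcpy points from the reply above, shown as an added C example that is not part of the original post or comments. The function names and sample strings are constructed for illustration; it also shows a caveat the reply does not mention, that strncpy on its own can leave the destination unterminated.

```c
#include <stdio.h>
#include <string.h>

/* User text is passed only as an argument to a constant "%s" format.
 * The risky form would be snprintf(out, n, user), where any % directive
 * in the input gets interpreted by the formatter. */
int format_user(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Returns 1 if plain strncpy(dst, src, n) left dst without a terminator,
 * which happens whenever strlen(src) >= n. */
int strncpy_unterminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Bounded copy that always terminates. Returns 1 if src was truncated,
 * 0 if it fit, -1 if dst has no room at all. */
int copy_bounded(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return -1;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) >= n;
}

int main(void)
{
    const char *input = "rate: %s %x";   /* constructed sample input */
    char out[32], raw[8], safe[8];

    format_user(out, sizeof out, input);
    printf("formatted: %s\n", out);
    printf("strncpy unterminated: %d\n",
           strncpy_unterminated(raw, sizeof raw, "0123456789"));
    printf("copy_bounded truncated: %d -> \"%s\"\n",
           copy_bounded(safe, sizeof safe, "0123456789"), safe);
    return 0;
}
```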