Security Education - presentation experience

From: David Wheeler (dwheelerat_private)
Date: Thu Dec 12 2002 - 10:10:50 PST

    >> Subject: Re: Security Education in the Workplace
    >> From: "Secterm ." <securityterminalat_private>
    >> Date: Mon, 09 Dec 2002 12:33:58 -0700
    >>
    >>
    >> Most certainly agree.  For the past year I've been giving 
    >> presentations and talks for both my employer and at my local college 
    >> on secure coding (and security in general).  I've been trying to get a 
    >> class and/or a section dedicated to security at the college for years 
    >> to come now.  With no luck I decided just to start giving my own 
    >> talks.  I've found that most students are very interested in the topic 
    >> and usually have a turnout of 30 or 40 people.  If nothing else I 
    >> find that I learn just as much if not more by preparing and giving the 
    >> talks.
    >>
    >> -John.
    >>
    >> <snip>
    >>
    >>>
    >>> 1. Developers of course. Like you mention the Boot Camp, and someone 
    >>> had earlier suggested, maybe secure coding ought to merit a
    >>> chapter in regular programming courses in colleges and universities, 
    >>> if not an entire course.
    
    
    I've had a somewhat similar experience.  I've given talks on
    how to write secure programs, including at FOSDEM.
    My slides (as well as the book they're based on) are available at
    http://www.dwheeler.com/secure-programs.
    
    Generally, it's been very well attended and received.
    At FOSDEM, I had 248 attendees, even though I was competing with
    an extremely interesting talk on another track (specifics about
    that talk are at http://www.dwheeler.com/essays/fosdem2002.html).
    Even more interestingly, nearly half (around 150) flooded in
    _specifically_ for my talk on writing secure programs, and a number
    left afterwards.  I've given the talk at other places too
    (such as at the Software Productivity Consortium).
    
    I definitely agree that info on secure coding ought to be mandatory in
    colleges and universities, at least as a chapter somewhere.
    
    My presentation only takes one hour (it's a very busy hour!).
    Obviously, a one hour presentation is not going to
    make any developer an expert on writing secure programs.
    On the other hand, after a one hour presentation, that developer
    knows more than 99.99% of all other developers about how to develop
    secure software, including all the major pitfalls that cover over 98%
    of the vulnerabilities being currently found.  If the goal is to
    make things better, that DEFINITELY counts as making things better.
    
    --- David A. Wheeler
         dwheelerat_private
    



    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 11:46:02 PST