A Case for Instilling Security as a Core Programming Skill

Building secure software is an extremely important, but difficult task. Insecure software can result in vulnerabilities which allow individual systems or entire networks to be compromised. Historically, software security has been an afterthought as internal red teams or other external reporting means were utilized to uncover vulnerabilities. Currently, software development processes address security issues during the planning stages and include security testing. We take another step, realizing that one key to developing secure software is in the development of software engineers who understand security. Introducing software security during an introductory level course is advantageous as it will help instill software security awareness as part of the basic coding skill set of future software engineers. We present a three step system of instilling software security as a core programming skill using the buffer overflow problem as a sample security topic

[1]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[2]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[3]  Premkumar T. Devanbu,et al.  Software engineering for security: a roadmap , 2000, ICSE '00.

[4]  Navjot Singh,et al.  Transparent Run-Time Defense Against Stack-Smashing Attacks , 2000, USENIX Annual Technical Conference, General Track.

[5]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[6]  Matt Bishop,et al.  Teaching Computer Security , 1993, SEC.

[7]  Gary McGraw,et al.  Exploiting Software: How to Break Code , 2004 .

[8]  Wenliang Du,et al.  Testing for software vulnerability using environment perturbation , 2000, Proceeding International Conference on Dependable Systems and Networks. DSN 2000.

[9]  James A. Whittaker How to Break Software : A Practical Guide to Testing , 2002 .

[10]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..