I found this interesting. It is from CERT (US Computer Emergency Readiness Team)
This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin the information was published in. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating system vulnerabilities; and 2058 Multiple operating system vulnerabilities.
That sure is a lot of vulnerabilities. The message I get from this is that we really need to do a lot more to train people to write secure code. It should start in school, I think; the bad habits start there. Companies can do more training (Microsoft, for example, has a lot of secure programming training for its developers), but that seems late in the process to me.
There are a number of things that seem to get left behind while teaching introductory programming. Documentation is one, although more and more people are trying to include that in the process. Error handling and data verification are another. Security and secure programming, which are closely related to error handling and data verification, often get less than a mention. I think that we have to rethink how we fit those issues into the educational process, and do it earlier in the cycle.
I think we need students to understand that security is something that is designed into the software and not an add-on. The mindset is what needs to be worked on. Students get lazy, in a sense, because they can write code with security and data holes without getting a bad grade. While I don't think we can or need to add a tight security standard to all assignments, I think that we have to teach the concepts, the mindset and the awareness of the issue starting from a first course.
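To make the "data holes" point concrete, here is an added example (not from the original post) of the kind of first-course exercise where error handling and data verification usually get skipped: averaging `name,score` records. The naive version trusts every line it reads; the checked version rejects malformed records, out-of-range scores and non-numeric values, and reports them instead of silently folding them into the result. The input lines, the 0 to 100 score range and the 64-character name limit are constructed for illustration.

```python
# Added example: a beginner-style routine beside a version that validates its input.
# Sample records are constructed for illustration; the score range and name length
# limit are assumptions for this exercise.

SAMPLE_RECORDS = [
    "alice,90",
    "bob,85",
    "mallory,99999",   # out of range: skews the average if accepted
    "eve",             # malformed: no score field at all
    "trent,-5",        # negative score
    "carol,abc",       # not a number
]


def average_naive(lines):
    """Typical first-course version: assumes every line is exactly 'name,score'.

    A line without a comma crashes it (unpacking error), a non-integer score
    crashes it, and an absurd score is accepted without question.
    """
    total = 0
    for line in lines:
        name, score = line.split(",")
        total += int(score)
    return total / len(lines)


def parse_record(line, max_score=100, max_name_len=64):
    """Parse one 'name,score' line, rejecting anything outside the expected shape."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        raise ValueError(f"expected 'name,score', got {line!r}")
    name, score_text = parts[0].strip(), parts[1].strip()
    if not name or len(name) > max_name_len:
        raise ValueError(f"name missing or longer than {max_name_len} characters")
    try:
        score = int(score_text)
    except ValueError:
        raise ValueError(f"score {score_text!r} is not an integer") from None
    if not 0 <= score <= max_score:
        raise ValueError(f"score {score} outside 0..{max_score}")
    return name, score


def average_checked(lines):
    """Validate every record; return (average of valid scores, list of rejects).

    Rejects are (line_number, reason) so the caller can report them rather than
    letting bad data disappear into the result.
    """
    scores = []
    rejects = []
    for lineno, line in enumerate(lines, start=1):
        try:
            _, score = parse_record(line)
            scores.append(score)
        except ValueError as exc:
            rejects.append((lineno, str(exc)))
    if not scores:
        raise ValueError("no valid records in input")
    return sum(scores) / len(scores), rejects


if __name__ == "__main__":
    # The naive version only survives the first three lines, and even then it
    # reports an average far above the maximum possible score.
    print("naive  :", average_naive(SAMPLE_RECORDS[:3]))
    avg, rejects = average_checked(SAMPLE_RECORDS)
    print("checked:", avg)
    for lineno, reason in rejects:
        print(f"  rejected line {lineno}: {reason}")
```

The teaching point is in the comparison: the naive routine is what a grader usually sees and passes, yet it either crashes on half of the sample or reports an average of more than 33,000 for a test scored out of 100. The checked version costs about a dozen extra lines and makes the program's assumptions about its input explicit, which is the habit worth forming in a first course.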
The ACM is looking to select the 20 favorite computer science books (as picked by ACM members) and make the full text available to the membership. To this end the ACM has set up a wiki so that members can discuss the books that have been nominated. The eligible books are all out of print. There is a second list of books still in print, though. The web site is http://pd.acm.org/books/classics/camp.cfm
I looked through the list for a while this evening. I was amazed at how many of the books on the list I was familiar with. Some of them are still on my book shelves. Others I used for reference while I was in college or earlier in my career. I know that people tend to think that any book about computer science is obsolete in a year or two, but I was pleased to see that some classic books from the 60s and 70s are still in print. Concepts! Concepts do not seem to change as often as implementations.