Presented at DEF CON 17 (2009), Aug. 2, 2009, 11:30 a.m. (20 minutes).
Hack the Textbook: Introducing The Textbook Security Project
Why do we have so many software security problems? Clearly, a large proportion are caused by poorly written code. Why is our code so badly written? There are many reasons, not the least of which is that writing secure code can be a difficult task. However, the problem is compounded by most programmers having been taught insecure coding practices.
The majority of the most popular and widely used college textbooks for programming never cover any security concepts. Worse, they actually teach practices that result in insecure code. For some time now, companies trying to produce secure software have been complaining that college courses and course materials fail to prepare students to write secure code, and they are tired of having to retrain recent graduates in secure programming practices.
The insecure code problem is compounded by the fact that many of the professors and instructors who teach programming are not security experts. Even if they could identify and correct the "security bugs" in textbooks, it is difficult for them to teach what is not in the textbooks or to try to teach differently from the textbooks.
Attempts by some in the academic community to get authors and publishers to include security content in textbooks have actually been met with resistance. Many in academia believe that if there were a true need for secure software development to be taught, it would be a "self-correcting problem that would be addressed by textbook authors."
The objective of The Textbook Security Project is to publicly expose the security flaws in popular textbooks and to encourage authors to revise their books to use secure software development practices. The immediate goal of the project is to provide lists of textbooks to be critiqued and to allow security professionals to post reviews exposing a textbook's security flaws. The project also plans to provide resources to help authors identify and correct problems in their books, and to help new authors get security right the first time. The long-term goal of the project is to change security from a subject taught as a senior-level course into an integral part of the entire computer science curriculum.
Presenters:
- Jon R. Kibler - Chief Technical Officer, Advanced Systems Engineering Technology, Inc.
Mr. Jon Kibler is a Systems Architect for Advanced Systems Engineering Technology in Charleston, SC, where he also serves as the Chief Technical Officer. He has over 37 years' experience in information technology and has worked in a variety of industries, including aerospace, defense, systems engineering, manufacturing, communications, utilities, transportation, information services, general business, banking, financial services, wholesale and distribution, retail and point of sale, health care, security, technical training, and consulting. His emphasis for the last 10 years has been systems and network security consulting, design of high-security, high-availability networks, software security, and security research.
Mr. Kibler's background in security extends back to the mid-1970s when he first learned penetration testing skills while working on a defense department contract. He is a Certified Ethical Hacker and teaches several different ethical hacking and penetration testing courses. He also teaches a variety of other security courses, and presents seminars on security to professional groups and the general public.
Mr. Kibler regularly works with several different academic institutions on developing security curricula that better prepare students to address real-world security issues when they reach the workplace. He is also the founder of The Textbook Security Project, whose goal is to have security become an integral part of every aspect of a computer science student's education.
- Mike Cooper - Senior Security Engineer, IPC Systems
Mr. Michael Cooper is the Senior Security Engineer at IPC Systems, Inc., where he works on the product development side of security. Previously, he worked at the Center for Software Engineer Research at Florida Tech under Dr. James Whittaker for three years, researching security and executing penetration testing contracts for commercial and DOD-cleared projects. When the lab was spun off into the startup company Security Innovation, with James as the founder and Chief Scientist, Mike joined SI for over 5 years as a Security Engineer Lead, including a stint at its sister company SI Government Solutions working exclusively on DOD contracts. At SI, Mike was responsible for executing and leading pentests, code reviews, PCI audits, and even some eLearning development. Mike has a B.S. in Computer Engineering and an M.S. in Computer Science from Florida Tech.