Interview Questions for Sue Bogar and Dawn Block
I took the questions you had asked the 341 professors and asked some similar questions to the 201 instructors. Basically 201 is the introductory computer science course for majors. The majority of the students in this course are freshmen and have very little formal experience with programming or computer science in general. While many of the concepts of “defensive programming” might elude their limited understanding, there are several foundations that can be laid and embellished during later courses.
In my opinion, the most important security concepts to make students aware of at this level are:
· The harm that programming errors and poorly secured code cause
o Damage to space program (classic ill. of metric/English)
o widespread cyber-events against companies, gov’t, & education
o financial impact of stolen credit cards or more serious bank account fraud
(I took this right from your paper, Doug. I think this would be an excellent course to illustrate the dangers of poorly written code. While the students might not understand exactly what’s going on in the examples, they will understand the gravity of the situations and realize their role in preventing them.)
· Common insecure practices that might be encountered at this level
o Data left un-validated.
§ Can result in unexpected behavior in programs and invalid results.
o Segmentation faults due to accessing outside the bounds of an array.
o Printing data from the wrong memory addresses
§ Can potentially access and send sensitive information
o Use of insecure functions: strcpy(), gets()
· Poorly commented and non-standardized code and how it can contribute to security problems.
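The practices listed above (unvalidated data, out-of-bounds array access, gets() and strcpy()) can be shown at an introductory level with bounded replacements. The following C code is an added example, not part of the CMSC-201 course material; the helper names read_line, copy_bounded and parse_index and the sample scores array are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for gets(): 0 = ok, -1 = EOF/error, -2 = line too long
   (the excess is discarded so the next read starts on a fresh line). */
int read_line(FILE *fp, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, fp) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 0; }
    int c, extra = 0;
    while ((c = fgetc(fp)) != '\n' && c != EOF) extra++;
    return extra ? -2 : 0;
}

/* Bounded replacement for strcpy(): refuses instead of overflowing dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size) return -1;
    memcpy(dst, src, len + 1);   /* +1 copies the terminating '\0' */
    return 0;
}

/* Validate text as an index into an array of count elements. */
int parse_index(const char *text, size_t count, size_t *out) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE) return -1;
    if (v < 0 || (unsigned long)v >= count) return -1;
    *out = (size_t)v;
    return 0;
}

int main(void) {
    int scores[5] = {90, 85, 77, 64, 100};   /* constructed sample data */
    char line[16];
    size_t i;
    printf("Index (0-4): ");
    if (read_line(stdin, line, sizeof line) != 0 || parse_index(line, 5, &i) != 0) {
        fprintf(stderr, "invalid index\n");
        return 1;
    }
    printf("scores[%zu] = %d\n", i, scores[i]);
    return 0;
}
```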
Questions/suggestions for places to incorporate security into CMSC-201
There aren’t really many places where you can specifically talk about security and give detailed examples due to the students’ limited experience; however, there are plenty of opportunities to include “pointers” throughout both the lecture notes and the discussion notes. There are also opportunities to make sure students use these defensive programming practices in the five projects they are assigned during the semester.
Both Sue and Dawn were a bit reticent when it came to altering the curriculum, primarily because they felt that the students were faced with a very overwhelming task just learning the material already included in the curriculum. Further complicating the situation is the students’ lack of experience with concepts such as stacks, heaps, memory management and advanced programming practices. Everybody seemed to think that security belonged in some other course, but nobody wanted it in theirs.
One of the first steps that the instructors thought would be beneficial would be to incorporate warnings whenever possibly dangerous behaviors were involved. The concentration of 201 is not only to teach the students the C programming language, but to teach them HOW to program effectively. To this purpose, there is already great stress placed on input validation. Further emphasis can be illustrated with security case studies to really drive the point home. Neither Sue nor Dawn was very familiar with security issues beyond the basic dangers inherent to the language.
Both of the instructors thought that it would be a good idea to discuss potentially dangerous functions such as gets(), and they typically mention this in lecture and have TAs go into greater depth during the discussion section.
One of the greatest obstacles that we face in this course is that while the lecture notes are written each semester by the instructors, TAs take turns writing the notes for their discussion sections. This allows the TAs the opportunity to gain experience in preparing teaching material. The problem with this is that the notes change every semester, and there is no standardized format for notes (the discussion section notes are merely required to discuss lecture topics in greater depth). This results in TAs with particular strengths and interests incorporating those interests into the discussion notes. While the notes are peer reviewed and ultimately accepted or rejected by the instructors based on the validity of the content, there is no requirement for security to be stressed. It’s pretty easy to look at three different versions of the same discussion from three different semesters and pick out similar concepts, but those concepts might be addressed differently depending on the TA’s background and the examples used. This makes things difficult because the pool of TAs is constantly changing, and even if we get the instructors to incorporate “defensive programming” practices into their lectures, we would have to constantly reiterate the point with the new TAs every semester.