Title :
Foundations for Security Aware Software Development Education
Author :
Yasinsac, Alec ; McDonald, J. Todd
Author_Institution :
Florida State University
Abstract :
Most instances of software exploitation are really software failure. Even though we cannot eliminate vulnerability from modern information systems, we can reduce exploitable code long term with sound, robust development practices. We argue that the current hot topic of so-called "secure coding" represents commonly taught coding techniques that ensure robustness, rather than ensuring any commonly understood concept of security. Weaving the practice of rigorous coding techniques into curriculum is essential — coding for security is useless apart from fault-tolerant foundations. However, security-specific coding techniques need to be integrated pedagogically alongside robustness so that students can differentiate the two. We propose in this paper a shift in instructional methods based on this distinction to help future programmers, developers, and software engineers produce "security-aware" software.
Keywords :
Application software; Buffer overflow; Counting circuits; Fault tolerance; Government; Information security; Information systems; Programming profession; Robustness; Weaving;
Conference_Title :
System Sciences, 2006. HICSS '06. Proceedings of the 39th Annual Hawaii International Conference on
Print_ISBN :
0-7695-2507-5
DOI :
10.1109/HICSS.2006.187