Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft To Teach Undergrads About Secure Computing

Posted by timothy on from the step-one-unplug-your-power-cord dept.

gcondon writes "The Register is reporting that Microsoft is teaming up with the University of Leeds to teach students how to write secure code. Given the sheer number of programming errors that can lead to security vulnerabilities, it probably makes sense to learn from the company that has tried them all." UndercoverBrotha points out that University of Leeds is one of several venues: "Microsoft is planning to offer 11-week courses at Universities around the world."

Update: 03/24 18:00 GMT by J : Another report worth reading is Writing Software Right, which requires a free but annoying registration at Technology Review. This regards automated methods of finding software errors (not security specifically). Sun's "Jackpot" is discussed, a lint that also "identifies general instances of good or bad programming."

And Microsoft's efforts in this field are explained as well -- the company "paid more than $60 million in 1999 to acquire Intrinsa, maker of a bug-finding tool called Prefix. The program, which sifts through huge swaths of code searching for patterns that match a defined list of common semantic errors, helped find thousands of mistakes in Windows and other Microsoft products." As a Microsoft QA person says, "Our challenge is to get our software to the point that people expect it to work instead of expecting it to fail."

5 of 348 comments (clear)

  1. Re:This just in: by abhisarda · · Score: 5, Insightful

    dare we suggest that microsoft start this initiative with its employees first?

  2. Against the grain by FortKnox · · Score: 5, Insightful

    So are you suggesting that no one in MS can teach secure and have secure code?
    Remember. Windows was made over several years and hundreds (if not thousands) of coders. We're talking older code, and thousands of different coders.

    But, hey, anything to insult MS, right?

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  3. Software Verification Is hard.. by Bush_man10 · · Score: 5, Insightful

    I did a course in my computer engineering degree last term called Formal Methods where half the course we spent learning the "Cleanroom" method of coding. To put it simply this method makes you specify functions through math and the prove via math that your code does do what it is intended to do. Projects that have used the cleanroom method have reported roughly 2-3 errors per 1000 lines of code (on the first compile) and over 75% of the code compiles and runs correctly on the first try. They are very impressive number but they come at a cost of a learning curve and spending more time properly defining functions and classes. After doing that course I have a whole new respect for software verification. If anyone wanted to teach how to write secure code they should really invest their efforts in this proven method.

    --
    "I believe in everything in moderation. Including moderation." -Dean DeLeo, Stone Temple Pilots
  4. There's insight in the humor. by melquiades · · Score: 5, Insightful

    Leaving personal politics aside -- whether you agree or disagree -- it's certainly the case that Bush's diplomacy and Microsoft's security have been called into question and are the center of heated debate. In situations like these, the actual facts play only a modest role in shaping public opinion, especially when the "facts" are nebulous, subjective, and largely unquantifiable. There are no established objective measures of computer security, and even less of diplomatic success, that do not rely heavily on retrospective data.

    In debates like these, perception and politics reign. And one surprisingly effective tactic is to assert the point under debate by calmly behaving as if there were no debate and moving on to the next step. If you simply act as if something is true, and act surprised when people question it, listener tend to build consensus around the confidence you project. Certainly the Bush administrations (and, of course, many previous administrations) have used this tactic extensively, and Microsoft seems to be using it now: If they're teaching a course on security, they must know security, right?

    This places those arguing the opposite side (pacifists in the one case, the Slashdot majority crowd in the other) in the awkward position of constantly having to re-establish that the debate is still open, without boring, tiring, or otherwise turning off the only semi-interested public.

    Note that none of all that maneuvering has anything to do with who's actually right.

  5. Maybe I'm just an old fuddy duddy, but. . . by kfg · · Score: 5, Insightful

    I would much prefer that a course in computer security be aligned with a university and good general engineering practice and strictly eschew alignment with any company of any kind.

    Don't they have a *professor* qualified to teach such a course, and if not, why would anyone go there?

    Maybe I'm just being a *cynical* old fuddy duddy, but I smell payol. . . er, a donation. Ah yes, there it is at the end of the article. Go figure.

    I also strongly suspect that day one will *not* feature a lecture on the benefits of UNIX, how to uninstall Outlook Express or the security features built into Sun Java.

    Which is precisely the reason an institute of higher learning should shy away from such blatant association with a particular company who has a vested interest in the field.

    What's going to be next, the Christian Science Monitor Chair of Internal Medicine or Powerbar Chair of Exercise Physiology?

    KFG