Microsoft To Teach Undergrads About Secure Computing

gcondon writes "The Register is reporting that Microsoft is teaming up with the University of Leeds to teach students how to write secure code. Given the sheer number of programming errors that can lead to security vulnerabilities, it probably makes sense to learn from the company that has tried them all." UndercoverBrotha points out that University of Leeds is one of several venues: "Microsoft is planning to offer 11-week courses at Universities around the world."

Update: 03/24 18:00 GMT by J : Another report worth reading is Writing Software Right, which requires a free but annoying registration at Technology Review. This regards automated methods of finding software errors (not security specifically). Sun's "Jackpot" is discussed, a lint that also "identifies general instances of good or bad programming."

And Microsoft's efforts in this field are explained as well -- the company "paid more than $60 million in 1999 to acquire Intrinsa, maker of a bug-finding tool called Prefix. The program, which sifts through huge swaths of code searching for patterns that match a defined list of common semantic errors, helped find thousands of mistakes in Windows and other Microsoft products." As a Microsoft QA person says, "Our challenge is to get our software to the point that people expect it to work instead of expecting it to fail."

My old uni already offered such a course..

[weebler]

Apparantly, it is (well it was at the time when I still was at the University) one of the only places in the world to teach this course. It was also my favourite module.

You can find a description here.

The only difference is that this module was intended to make undergrads see the failure and risk by means of software engineering, and we did this by looking at various procedures for writing secure code, and we looked at lots of examples from history (the challenger incident, for example, etc).

This course seems to be aimed more at specific coding practices - avoiding buffer overruns for example. It doesnt look like they'll be told how to deal with failure once it happens (because it *will* happen). I also fear that since Microsoft will be involved, it'll be specific to Windows & x86 -- not a real life view of computing.

Fascinating

[MadFarmAnimalz]

I was wondering how OS-agnostic these courses are going to be, when I came across this quote:

Okin agreed: "We need to get input from others as well. Clearly, there is no point in these undergraduates learning only about Microsoft technology. We need a broad approach."

The reason I wondered was because so much of secure programming involves access control in many ways, direct and indirect. Obviously, Microsoft's access control mechanisms vary wildly from Unix paraadigms. I'm not a hardcore programmer, but I can only assume that priviledge escalation exploits under a Redmond OS would be very different from something similar with linux.

That sentence states unambiguously that the course will cover non-MS architecture.

I, for one, am impressed. Doing the right thing for once, the boys in Redmond.