Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft To Teach Undergrads About Secure Computing

Posted by timothy on from the step-one-unplug-your-power-cord dept.

gcondon writes "The Register is reporting that Microsoft is teaming up with the University of Leeds to teach students how to write secure code. Given the sheer number of programming errors that can lead to security vulnerabilities, it probably makes sense to learn from the company that has tried them all." UndercoverBrotha points out that University of Leeds is one of several venues: "Microsoft is planning to offer 11-week courses at Universities around the world."

Update: 03/24 18:00 GMT by J : Another report worth reading is Writing Software Right, which requires a free but annoying registration at Technology Review. This regards automated methods of finding software errors (not security specifically). Sun's "Jackpot" is discussed, a lint that also "identifies general instances of good or bad programming."

And Microsoft's efforts in this field are explained as well -- the company "paid more than $60 million in 1999 to acquire Intrinsa, maker of a bug-finding tool called Prefix. The program, which sifts through huge swaths of code searching for patterns that match a defined list of common semantic errors, helped find thousands of mistakes in Windows and other Microsoft products." As a Microsoft QA person says, "Our challenge is to get our software to the point that people expect it to work instead of expecting it to fail."

12 of 348 comments (clear)

  1. This just in: by B3ryllium · · Score: 5, Funny

    President George W. Bush will be teaching a course in diplomacy ...

    1. Re:This just in: by abhisarda · · Score: 5, Insightful

      dare we suggest that microsoft start this initiative with its employees first?

    2. Re:This just in: by TopShelf · · Score: 5, Funny

      don't forget the Arthur Andersen Advanced Seminar on Corporate Accounting!

      --
      Stop by my site where I write about ERP systems & more
  2. Other suggested instructor - course pairings by isomeme · · Score: 5, Funny
    • Imelda Marcos, "Financial Responsibility"
    • George W. Bush, "Diplomacy and Coalition Building"
    • Apple, "Marketing Your Invention" (co-sponsored by Xerox)
    --
    When all you have is a hammer, everything looks like a skull.
  3. Against the grain by FortKnox · · Score: 5, Insightful

    So are you suggesting that no one in MS can teach secure and have secure code?
    Remember. Windows was made over several years and hundreds (if not thousands) of coders. We're talking older code, and thousands of different coders.

    But, hey, anything to insult MS, right?

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  4. My old uni already offered such a course.. by weebler · · Score: 5, Interesting
    Apparantly, it is (well it was at the time when I still was at the University) one of the only places in the world to teach this course. It was also my favourite module.

    You can find a description here.

    The only difference is that this module was intended to make undergrads see the failure and risk by means of software engineering, and we did this by looking at various procedures for writing secure code, and we looked at lots of examples from history (the challenger incident, for example, etc).

    This course seems to be aimed more at specific coding practices - avoiding buffer overruns for example. It doesnt look like they'll be told how to deal with failure once it happens (because it *will* happen). I also fear that since Microsoft will be involved, it'll be specific to Windows & x86 -- not a real life view of computing.

  5. Courses? by sevensharpnine · · Score: 5, Funny

    Suggested course offerings follow:

    CSI1001: Introduction to the necessity of 3rd-party security modules in a Microsoft environment

    CSI1002: Trusted++ computing--how to manage your defenseless box on a multi-million node internet

    CSI2001: Rapid HotFix/Service Pack deployment

    CSI2002: (Continuation of 2001) Rapid HotFix/Service pack undeployment

    CSI3001: Microsoft and you--Introspectives on long-term site licensing and vendor lock-in

    --
    "God is a comedian playing to an audience too afraid to laugh." -Voltaire
  6. Software Verification Is hard.. by Bush_man10 · · Score: 5, Insightful

    I did a course in my computer engineering degree last term called Formal Methods where half the course we spent learning the "Cleanroom" method of coding. To put it simply this method makes you specify functions through math and the prove via math that your code does do what it is intended to do. Projects that have used the cleanroom method have reported roughly 2-3 errors per 1000 lines of code (on the first compile) and over 75% of the code compiles and runs correctly on the first try. They are very impressive number but they come at a cost of a learning curve and spending more time properly defining functions and classes. After doing that course I have a whole new respect for software verification. If anyone wanted to teach how to write secure code they should really invest their efforts in this proven method.

    --
    "I believe in everything in moderation. Including moderation." -Dean DeLeo, Stone Temple Pilots
  7. Fascinating by MadFarmAnimalz · · Score: 5, Interesting

    I was wondering how OS-agnostic these courses are going to be, when I came across this quote:

    Okin agreed: "We need to get input from others as well. Clearly, there is no point in these undergraduates learning only about Microsoft technology. We need a broad approach."

    The reason I wondered was because so much of secure programming involves access control in many ways, direct and indirect. Obviously, Microsoft's access control mechanisms vary wildly from Unix paraadigms. I'm not a hardcore programmer, but I can only assume that priviledge escalation exploits under a Redmond OS would be very different from something similar with linux.

    That sentence states unambiguously that the course will cover non-MS architecture.

    I, for one, am impressed. Doing the right thing for once, the boys in Redmond.

    --
    Blearf. Blearf, I say.
  8. There's insight in the humor. by melquiades · · Score: 5, Insightful

    Leaving personal politics aside -- whether you agree or disagree -- it's certainly the case that Bush's diplomacy and Microsoft's security have been called into question and are the center of heated debate. In situations like these, the actual facts play only a modest role in shaping public opinion, especially when the "facts" are nebulous, subjective, and largely unquantifiable. There are no established objective measures of computer security, and even less of diplomatic success, that do not rely heavily on retrospective data.

    In debates like these, perception and politics reign. And one surprisingly effective tactic is to assert the point under debate by calmly behaving as if there were no debate and moving on to the next step. If you simply act as if something is true, and act surprised when people question it, listener tend to build consensus around the confidence you project. Certainly the Bush administrations (and, of course, many previous administrations) have used this tactic extensively, and Microsoft seems to be using it now: If they're teaching a course on security, they must know security, right?

    This places those arguing the opposite side (pacifists in the one case, the Slashdot majority crowd in the other) in the awkward position of constantly having to re-establish that the debate is still open, without boring, tiring, or otherwise turning off the only semi-interested public.

    Note that none of all that maneuvering has anything to do with who's actually right.

    1. Re:There's insight in the humor. by arkanes · · Score: 5, Informative
      Microsoft Press publishes one of the best books I've ever seen on writing secure code (called, suprisingly, Writing Secure Code, ISBN 0-7356-1588-8). It's written by 2 MS engineers. I'd say there certainly are people at MS who're very qualified to talk about security, and, hopefully, those will be the ones teaching the seminars.

      The book talks a great deal about how having secure code is more than just the writing, especially in a corporate environment where you need to enforce standards on multiple programmers and have to deal with the pressures from marketing, etc. I think that, more than incompotent programmers, is what leads to the issues we see at MS.

  9. Maybe I'm just an old fuddy duddy, but. . . by kfg · · Score: 5, Insightful

    I would much prefer that a course in computer security be aligned with a university and good general engineering practice and strictly eschew alignment with any company of any kind.

    Don't they have a *professor* qualified to teach such a course, and if not, why would anyone go there?

    Maybe I'm just being a *cynical* old fuddy duddy, but I smell payol. . . er, a donation. Ah yes, there it is at the end of the article. Go figure.

    I also strongly suspect that day one will *not* feature a lecture on the benefits of UNIX, how to uninstall Outlook Express or the security features built into Sun Java.

    Which is precisely the reason an institute of higher learning should shy away from such blatant association with a particular company who has a vested interest in the field.

    What's going to be next, the Christian Science Monitor Chair of Internal Medicine or Powerbar Chair of Exercise Physiology?

    KFG