I took my first computer programming class in 1973. It involved making pencil marks on Hollerith cards to create statements in BASIC. That led me to take a programming class the next school year. That class was an introduction to programming in FORTRAN. I was a high school junior and while I loved the class, it meant getting up and getting to the University or the local trade school (now a community college) by 6am in order to use their computers. Those were the days when mainframes were basically all there was. (Yes, there were smaller computers but they were generally dedicated to research or other tasks.)
After high school I went on to university and got a Bachelor’s degree in Computer Engineering. I can still remember many of the courses and how they worked. I remember the transition from punched cards to slow printing terminals and then to serially-connected CRT devices. I remember learning languages such as C, Pascal, Lisp, SIMSCRIPT, Snobol and COBOL. In all that time I do not remember a single discussion of computer security. Even in graduate school most security discussions we had were about encryption.
Today, of course, children learn to program before high school – many of them learning at least basic programming techniques in “grade school”. By high school some children are learning to attack other systems. There are frequent stories in the news about children breaking into school computers. (One of my favorites was about a student who wanted to delay his semester grades, if I recall correctly. On a Friday night or Saturday he tried repeatedly to log into his teacher’s account with gibberish, knowing that eventually he – and his teacher – would be locked out of the system until the following week, thus delaying the posting of grades.)
I have talked with high school teachers about teaching secure programming techniques to their students. None I spoke with do so. To be fair, I suspect few if any of them know about secure programming techniques. That is not an indictment of their skills, by the way, but an indictment of the way they were taught.
Why is this so important? It is because the overwhelming majority of attacks on computers would not be possible if the systems had been designed securely in the first place.
I began teaching programming in 1979 at the University of New Mexico. I taught FORTRAN, C and assembler programming. I also taught at a trade school (the same one whose computer I’d used in high school) and I taught programming for Learning Tree for many years. I confess that I only taught a very small number of secure programming techniques in those years.
Why didn’t I teach that stuff? I’ll admit that it was partly out of ignorance. There is more to it, though, and I’ll write more about it next week. For now, I’d like to ask readers who are programmers to think about when, if ever, you were taught secure programming skills and let us know in the comments below. If you aren’t a programmer, or if you didn’t learn secure programming techniques, we do discuss some of the basic issues in our introduction to System and Network Security course. So sign up for that, where we’ll expand on secure programming and other topics I’ve written about here.