Why (Secure) Coding is Cool

I learned to code (we called it “programming” then) when I was a sophomore in high school. It was the first opportunity I had. We used a mainframe and mark-sense coded cards (yes, I am that old) to program in BASIC. The teacher took the cards each week and brought them back the next. I was glad when I got to learn FORTRAN and use an actual keypunch (026 for those into historical computing) the next year. In a high school of 2000 students, there were fewer than twenty in the programming class.

In a March 29th interview on Fox News, Zach Sims, co-founder of Codecademy, talked about the importance of teaching people to code. (Of course, he has some interest in that area…) I strongly agree that learning to code is important in many disciplines. It also helps organize one’s thoughts and can, in and of itself, lead to more income: my first university job was helping people with software (along with running a computer lab) and my first real consulting job was coding.

But in my mind there is a pair of caveats one has to consider: anyone learning to code should learn to code correctly and securely. “Correctly” is clearly subjective on its face. What I mean by that is that one needs to learn how to program efficiently, do documentation, test code, and so forth. I’ll let the programming authors of this blog talk more about “correct” programming (or whether or not there is such a thing).

My concern here is that people learn to code securely. People need to learn to handle errors, avoid cross-site scripting, use data structures properly (no going off the end of an array or linked list), catch and throw errors, and everything else needed to make programs robust. The problem is, people are generally taught to get coursework programs working as opposed to working robustly and safely. In real life it matters if, when a program crashes (which it must not), the laser is left on or turned off. It may be a matter of life or death.

We continue to see software that behaves poorly with unexpected input or that doesn’t require authentication for potentially harmful actions. I attribute this to homework assignments that don’t require these. I should know – I’ve given them. I can recall only one university class I took that even mentioned buffer overruns and other programming errors. When I started teaching, I likewise didn’t teach nearly enough of that. We now make a big deal of it in Learning Tree’s System and Network Security Introduction. Some participants have stressed the importance of delivering software quickly and bemoaned the lack of testing time. But in my mind, it is a case of “if you don’t have time to do it right, when will you have time to do it over?”

I can see students with “Coding is Cool” t-shirts on high school campuses and even at middle schools. I know students in very early grades have for years been taught to program. The turtle with the pen that was programmed with Logo was quite popular years ago. We need to teach them to program well early on. Help encourage teachers to engender good practices from the beginning; it’s hard to unlearn bad habits. I know – I’ve been there.

Let us know in the comments what else we can do to encourage coders to learn to program safely.

To your safe computing
John McDermott

PS – If you are late to the coding game, have a look at our new, 1-day online course – Jumpstart to Programming and acquire the fundamental skills and knowledge required to get you started programming!
