Security Education - presentation experience

>> Subject: Re: Security Education in the Workplace
>> From: "Secterm ." <securityterminal@hotmail.com>
>> Date: Mon, 09 Dec 2002 12:33:58 -0700
>>
>>
>> Most certainly agree. For the past year I've been giving

I've had a somewhat similar experience. I've given talks on how to write secure programs, including at FOSDEM. My slides (as well as the book they're based on) are available at http://www.dwheeler.com/secure-programs.

Generally, it's been very well attended and received. At FOSDEM, I had 248 attendees, even though I was competing with an extremely interesting talk on another track (specifics about that talk are at http://www.dwheeler.com/essays/fosdem2002.html). Even more interestingly, nearly half (around 150) flooded in _specifically_ for my talk on writing secure programs, and a number left afterwards. I've given the talk at other places too (such as at the Software Productivity Consortium).

I definitely agree that info on secure coding ought to be mandatory in colleges and universities, at least as a chapter somewhere.

My presentation only takes one hour (it's a very busy hour!). Obviously, a one hour presentation is not going to make any developer an expert on writing secure programs. On the other hand, after a one hour presentation, that developer knows more than 99.99% of all other developers about how to develop secure software, including all the major pitfalls that cover over 98% of the vulnerabilities being currently found. If the goal is to make things better, that DEFINITELY counts as making things better.

• David A. Wheeler dwheeler@ida.org