Jun 21, 2013

To Be a Secure Developer, Learn the Fundamentals

By Chris Eng

When I studied computer science in college, the curriculum wasn't designed to teach as many programming languages as possible with the goal of making us "multi-lingual". Instead we focused on conceptual areas: data structures, machine structures, algorithms, and so on. The languages used to illustrate those concepts were secondary to the concepts themselves. I believe most leading research universities emphasize concepts over mechanics in a similar fashion. However, some computer science departments focus on teaching particular languages rather than broad programming concepts. I always found this way of studying programming odd. A language is simply syntax, and anyone trained in the concepts of programming should be able to pick up a new one along the way.

Think of it this way: if I asked a child simply to memorize the multiplication tables up through the 10s, he or she would know that 5 x 5 = 25. But would the child be able to work out that 11 x 12 = 132? Probably not, because in memorizing the answer to each equation, he or she never learned the concept behind multiplication. A student who thought about it long enough might notice the pattern of how multiplication works, but why teach it that way? Isn't it smarter to teach the concept so students can figure out the answer to any problem, rather than only the fixed set of problems they were asked to memorize? In fact, this is exactly the rationale behind the Singapore Math approach, a teaching method that's growing in popularity among US homeschooling families. Not surprisingly, Singapore is consistently ranked near the top of the world in mathematics achievement. When I read the Forbes article "Lesson 1: How We Can All Be Great Developers," my first reaction was: this makes a lot of sense.

Teaching the concepts of programming will help future programmers be more creative, more innovative, and more efficient, which will benefit their employers greatly. Now imagine if, while learning these concepts, they were also taught the principles of secure programming. They would internalize security concepts to the point where asking "should I trust this input?" becomes as second nature as asking "how can I optimize this loop?" As with multiplication tables, memorizing which API to call in each language is not what matters; understanding why untrusted input is dangerous is what carries over from one language to the next. Of course, the other side of this coin is that programmers may enter the workforce knowing less about any one language's idioms and coding style. Employers may need to be patient as new developers get up to speed on a particular language. However, a developer who understands the foundations of programming should be able to pick up the particulars of any language quickly. And while that may mean productivity isn't as high at first, it also means that once the developer has fully ramped up, he or she will ultimately be more productive and write more secure code in the long run.
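To make the "should I trust this input?" point concrete, here is an added example (not code from the original post) showing the same concept applied through two unrelated APIs: a SQL query and an operating-system command. The vulnerable and hardened versions of each are side by side. The sample rows and the two attacker payloads are constructed for the demonstration; the function names are hypothetical. In both cases the fix is the same idea, not a memorized API: untrusted text is handed to the underlying system as data, never spliced into the code the system will interpret.

```python
import sqlite3
import subprocess

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build a throwaway in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_unsafe(conn, name):
    """Splices untrusted text into the SQL string: the input becomes part of the code."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Binds the untrusted text as a parameter: it stays data, whatever it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def echo_unsafe(text):
    """Hands untrusted text to a shell, so any shell metacharacters in it are interpreted."""
    result = subprocess.run("echo " + text, shell=True, capture_output=True, text=True)
    return result.stdout


def echo_safe(text):
    """Passes the untrusted text as a single argv element; no shell parses it."""
    result = subprocess.run(["echo", text], capture_output=True, text=True)
    return result.stdout


# Constructed attacker inputs: a tautology for the SQL case, a command separator for the shell case.
SQL_PAYLOAD = "x' OR '1'='1"
SHELL_PAYLOAD = "x; echo INJECTED"

if __name__ == "__main__":
    db = make_db()
    print("unsafe SQL lookup:", lookup_user_unsafe(db, SQL_PAYLOAD))  # tautology matches every row
    print("safe SQL lookup:  ", lookup_user_safe(db, SQL_PAYLOAD))    # no user has that literal name
    print("unsafe echo:", repr(echo_unsafe(SHELL_PAYLOAD)))           # the second command ran
    print("safe echo:  ", repr(echo_safe(SHELL_PAYLOAD)))             # printed as literal text
```

The two "unsafe" functions fail for the same reason even though they use completely different libraries: each lets input cross from the data plane into the code plane. A developer who has internalized that concept will recognise the same trust-boundary question in a new language before they know the name of its parameterized-query or argv-style API.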

Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security, as well as advising on product strategy and M&A. Chris is a frequent speaker at industry conferences and serves on the review board for Black Hat USA. He is also a charter member of MITRE's CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.