To Be a Secure Developer, Learn the Fundamentals

When I studied computer science in college, the curriculum wasn’t designed to teach all the different programming languages with the goal of becoming as “multi-lingual” as possible. Instead, we focused on conceptual areas -- data structures, machine structures, algorithms, etc. The languages you chose to illustrate those concepts were secondary to the concepts themselves. I believe most leading research universities emphasize concepts over mechanics in a similar fashion. However, some computer science departments focus on teaching particular languages rather than broad programming concepts. I always found this method of studying programming odd. Language is simply syntax, and those trained in the concepts of programming should be able to pick any language up along the way. Think of it this way: if I asked a child simply to memorize multiplication tables through the 10s, he or she would know that 5x5=25. But would the child be able to figure out that 11x12=132? Probably not, because in the process of memorizing the answer to each equation, he or she never learned the concept behind multiplication. If the student thought about it long enough, he or she might notice the pattern of how multiplication works, but why teach it that way? Isn’t it smarter to teach the concept so students can figure out the answer to any problem, rather than just have the responses to the set of problems they were asked to memorize? In fact, this is exactly the rationale behind the Singapore Math approach, a teaching method that’s growing in popularity among US homeschooling families. Not surprisingly, Singapore is consistently ranked near the top of the world in mathematics achievement. When I read the Forbes article “Lesson 1: How We Can All Be Great Developers,” my first reaction was: this makes a lot of sense. Teaching the concepts of programming will help future programmers be more creative, more innovative, and more efficient, which will benefit their employers greatly.
Now imagine if, while learning these concepts, students were also taught the principles of secure programming. They would internalize security concepts to the point where asking “should I trust this input?” becomes as second nature as asking “how can I optimize this loop?” As with multiplication tables, memorizing which APIs to use in every programming language is not what matters. Of course, the other side of this coin is that programmers may enter the workforce with less knowledge of a given language’s coding style, and employers may need to be patient while new developers get up to speed on it. However, if a developer understands the foundations of programming, he or she should be able to pick up the particulars of any language quickly. And while that may mean productivity isn’t as high at first, it also means that once the developer fully ramps up, he or she will ultimately be more productive and write more secure code in the long run.
Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.