Microsoft funds university classes

By editor's response
Do you agree or disagree with Jon Yarden's opinion on the value of Microsoft-funded university classes that teach students to identify software vulnerabilities? Let us know if this information, as featured in the April 14 Internet Security e-newsletter, is useful to you.


All Comments

Jon Yarden Commended.

by accounting39 In reply to Microsoft funds universit ...

I concur with the general thrust of Jon Yarden's
comments. There is a lot of hype that surrounds the
discovery and discussion of program security
vulnerabilities. What I submit is clearly needed is a
calmer and more rational debate such as his
observations and comments are likely to encourage. I
totally agree with his observations about where we are
likely to find in the community the security hole finders.
However, whilst he is a tad sceptical of Microsoft's
University funding approach, it is surely better than
nothing and I believe in this difficult area clearly a step
in the right direction.
I commend Mr Yarden for raising this important issue in
the manner he has done.
Rob Kelly
Melbourne Australia

No Kidding!

by blue36 In reply to Microsoft funds universit ...

Excellent observation.

Outstanding developers are artists. That's why they spend a good portion of their time criticizing each other's style. It is also why they test their work for "success" and not for "failure". "What happens if the user enters too much data on the command line?" "A user that stupid should not be touching a computer." That's the logic of an artist.

It is a dream to hope that software editors will develop programs that start from the idea of good security practices. Security does not sell software; features do.

This economic reality is the fundamental source of "buggy" source. It is not the "artist".

anyone can't learn art !

by contevlad In reply to Microsoft funds universit ...

I absolutely agree: security and quality software starts with an experienced programmer at design level. Teaching security and experience is something like a 'Become an artist in 10 lessons...' course!

Good Place to Start

by john.murphy In reply to Microsoft funds universit ...

As Microsoft develops more buggy software than anyone else I suppose they are in an ideal position to point out what not to do if you want to develop more secure code. It may not be ideal but we all have to start somewhere, and teaching developers to be more aware of security can only be a good thing.
On Jon Yarden's comments on good programming being more an artform than a science, I would have hoped that our community would have moved away from that position by now. Yes there definitely is an artform to programming, but there is good art and bad art, it's all in the eye of the user. Teaching the future software developers of the World to be more attuned to good programming practices and security conscious is a good place to start.

While I think MS is trying

by HAL 9000 Moderator In reply to Microsoft funds universit ...

I don't think they will succeed, as any form of programming actually requires actual experience, and while the intention is well placed it will never replace the programmer who's spent the time in writing code for years and who knows the problems inherent in writing code for a living. Of course the main problem is the short time in the projected lifespan of any modern program, and this means that the program three generations later is being written when a program is released as new. So currently we have a group writing code for whatever, then another group trying to fix the inbuilt problems, while another group is writing several different versions of newer and supposedly easier programs to use.

It seems to me that every 12 months or so we are now getting new versions of a previous program that, while having some improvements over its predecessors, has more holes to fill and more problems to fix. I long for the good old days when any program was continually refined over years with only minor upgrades during its lifetime, as these worked well, but now as soon as we get something that nearly works correctly it's replaced with something newer, so we have to go through the whole process all over again to fix all the inbuilt problems that the new version has been shipped with.

I can remember Word Perfect 5.1; it was around for a very long time and while limited to some extent it did all that was required. Now we have programs that can do lots more, like the latest offering from Corel in the Word Perfect family {over 10,000 fonts available}. With WP 5.1 I think we had about 5-10 fonts to choose from and we just got on with the job; now you can spend longer choosing a font than actually writing the document. Does anybody actually use all the facilities of these modern programs? Or do they just stick with the 10% that they have always used and forget about the rest as being unnecessary?

You are correct sir!

by VirtualJWN In reply to Microsoft funds universit ...


I wholeheartedly agree with your column. I was a corporate sys admin, programmer, salesman, trainer, PR guy at one of the now "big two" car companies in the US for many years.

I refer to programming as Alchemy, neither entirely a science nor an art but somewhere in between!

Microsoft built this house of cards, and now everyone has to live in it! It is a company built on a lie, particularly that they write software!

Microsoft appears to have a singular contempt for college students, particularly Computer Science folks. I never have figured out why this is exactly; maybe because they were founded by "baby boomers" or because Gates was a college dropout, who knows.

Good programming practices are lost on most if not all programmers these days. Modern developers don't know or care about optimization, information hiding, or encapsulating code or data.

These folks are ever dependent on the care (or carelessness) of the person who wrote the class libraries that their programs use to do "complex things".

Their programs, more closely resembling scripts than actual programs due to the "canned code", use class libraries to reduce the skill level required to develop code.

The "want to be" programmers who have embraced VB since its inception are the biggest culprits of this.

Standardized Class libraries (not to mention C++ C# and the .net initiative), are all ways that generally poor programming can propagate throughout an enterprise environment (or the world for that matter).

Biggest problem is how to throw out the bathwater (Microsoft induced poor programming) without throwing out the baby (program security) as well.

Thanks for the great article.


In regards to Microsoft

by HAL 9000 Moderator In reply to You are correct sir!

They are making an attempt by sending out a 477 page book & CD called Writing Secure Code by Michael Howard & David LeBlanc with every copy of their RC2 release of Windows 2003.

Now all we have to do is get the time to actually read it.

Theory does matter !!!

by Wafke In reply to Microsoft funds universit ...

I don't agree with this line of thinking of people who state that only experience can teach someone what is good coding/design practice and what isn't. Good coding practices (e.g. structured programming - I'm talking of the old days) have always arisen from theoretical breakthroughs. Things like finite-state machines and the like. Unfortunately, I missed the opportunity to study these things more thoroughly, so my knowledge of the theoretical/mathematical background behind IT is far less than what I'd want it to be, but I'm convinced that whatever little knowledge I do have helps me to be a better IT-designer than those who have no theoretical background at all.
Of course, experience does help you see the links between theory and practice, and in that fashion experienced designers can indeed have a "competitive advantage" over inexperienced ones, but this is just a "possibility" and not a certitude. Far too many experienced developers never reach that point where theories get involved, and they're the kind of developers who keep on making the same mistakes over and over again in each new system they build, often even without being aware that something is "wrong" about their designs. And even more unfortunately, they're the majority ...

I think the point here is that

by HAL 9000 Moderator In reply to Theory does matter !!!

The theory is no longer being taught {you actually touched on this in your posting} so all the grads that are now coming out of our Universities, Colleges etc. don't have the basic knowledge in the first place. Is it then any wonder that they make these basic mistakes in the first place and then go on making the same mistakes as they simply know no better.

The problem here is that the courses have been changed to such an extent that they no longer bear any resemblance to what is GOOD CODING PRACTICE, rather what can be done without thinking about security.

Until the basic courses are changed and our students learn the right way to write code this problem will continue unabated.

Technique is NOT art

by ultra_blue In reply to Microsoft funds universit ...

Although I don't like being an apologist for Microsoft, it's unfair to single them out for having bad code. Microsoft does release bad code, but there's quite a bit of bad code running around on U*X systems as well (sendmail, anybody?), as well as Macintosh (QuickTime and Real). It's unfortunate that Redmond seems to think commerce first, and security as an afterthought, but they're not the only ones that don't put security issues first.

As for teaching the "art" of programming, I have to disagree with most of you: good technique can and should be taught to vocational programmers. This is exactly the same as learning how to paint, throw clay, work with metal, etc.: An artist has to learn how to manipulate the materials at his or her disposal. What are this medium's strengths and weaknesses? How does it behave under various conditions? Is it the correct choice for the project? Anybody working in any medium must know these things and more in order to use that medium to its maximum potential. These skills are quite teachable. Once they are mastered in the classroom or through apprenticeship, the artistic mind is free to find new ways of expressing itself creatively.

This creative freedom is the "art" of programming, and of practically any other form of imaginative, creative expression: finding new, hopefully elegant and useful, ways of utilizing the tools and mediums at hand.

It's a mistake to confuse mastery of arcane, deep knowledge with artistic expression. To the uninitiated (untrained) observer, it may appear to be magical and alchemical. However, to the practitioner, it's a combination of skill, knowledge and intuition, earned through study and experience. Nothing less, nothing more.
