Sunday, March 30, 2025

Teaching The Writing of Secure Code

One of the great problems of teaching computer science is that there is a limited amount of time to teach and an unlimited amount of things that can be taught. There is very little agreement on what must be taught. Teachers do the best they can but there is a good amount of variation in what gets taught. One thing that seems to always (or close to always) get left out is writing safe and secure code.

Few teachers give more than a cursory mention of error handling, for example. The try/catch keywords get a little use but not much. For the most part, when a student program goes wrong it just crashes. Student programs tend to depend on the user entering information in the way the program is set up to receive it. This works, more or less, in the context of student projects because the projects are generally designed to test or use specific concepts other than error handling.

Outside of school, validating data as it is input is pretty important. There is a classic XKCD comic that highlights this idea. Bonus as it includes a school context. This is one way to at least talk about the concept even if there isn’t a lot of time and ability to reinforce it with a project. Though, string manipulation projects are sometimes a good way to talk about writing code to force specific forms of data formatting.

 

Back in the day, learning C (before C# or even C++) we talked a lot about memory management and things like overflowing strings and buffers. Ignoring those things was a major cause of security breaches. That’s probably true today as well. Modern languages with string objects, garbage collection, and other forms of memory management reduce some of the risk but students will benefit from some discussion of the topics.

Another topic that merits some discussion is validating where inputs come from. Data from a user input is obvious, usually. Data from files is a bit less obvious. Data from other code is the least obvious and potentially the highest risk.
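A classroom-sized illustration of the points above, added here and not code from the original post: one validator is applied to every record whatever its source (lines from a file, or arguments passed in by other code), and bad records are reported instead of crashing the program. The record format, the function names `validate_student`, `load_roster` and `enroll`, and the sample lines are all assumptions constructed for this example.

```python
import re

# Allow-lists say what valid data looks like (ASCII-only names are a simplification).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")
GRADE_RE = re.compile(r"[0-9]{1,2}")

class ValidationError(ValueError):
    """Raised when a record fails validation, whatever its source."""

def validate_student(name, grade):
    """Return a clean (name, grade) tuple or raise ValidationError."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name.strip()):
        raise ValidationError(f"bad name: {name!r}")
    text = str(grade).strip()
    if not GRADE_RE.fullmatch(text) or not 1 <= int(text) <= 12:
        raise ValidationError(f"bad grade: {grade!r}")
    return name.strip(), int(text)

def load_roster(lines):
    """Data from a file: keep good records, report bad ones, never crash."""
    good, rejected = [], []
    for lineno, line in enumerate(lines, start=1):
        name, _, grade = line.rstrip("\n").partition(",")
        try:
            good.append(validate_student(name, grade))
        except ValidationError as err:
            rejected.append((lineno, str(err)))
    return good, rejected

def enroll(record):
    """Data from other code: validate again rather than trusting the caller."""
    name, grade = validate_student(*record)
    return f"{name} enrolled in grade {grade}"

# Constructed sample lines standing in for a roster file.
SAMPLE_FILE = [
    "Ada Lovelace,11\n",
    "Grace O'Brien, 9\n",
    "Robert'); DROP TABLE Students;--,10\n",
    "Alan Turing,eleven\n",
    "Linus,42\n",
    "no comma here\n",
]

if __name__ == "__main__":
    good, rejected = load_roster(SAMPLE_FILE)
    print("accepted:", good)
    for lineno, reason in rejected:
        print(f"rejected line {lineno}: {reason}")
```

Validation of this kind checks the shape of the data; code that goes on to build database queries from it still needs parameterized queries.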

Many years ago I was part of an operating system development group and we were adding many layers of security. Great stuff but we thought a great deal about making sure the right security information was passed along. Code deep in the OS was responsible for sharing security information with user level code. We worked hard to make sure that only trusted information was allowed to reach different levels of code. We also worked hard to make sure that only reliable information went down to lower levels.  That users can’t always be trusted is an important lesson at any level.

Secure code is a complicated issue of course. I have a great book called “Writing Secure Code” and it is almost 800 pages long. Not realistic for a high school CS class of course. I do think we can and should spend some time on the topic though. Ideally in the context of various other topics during a course. A few stories, or even cartoons, may help make the topic more memorable.

Tuesday, March 25, 2025

High School Cybersecurity Course–What Belongs

The last few years have seen a huge expansion in the number and types of cyber security courses in high schools. Much of this has been driven by a growth in the realization that we, society, governments, businesses, need more help making our systems secure from bad actors. CS ed as career development. Great in career technical schools of course. Yet another CS elective in comprehensive schools as well. Pretty easy to sell to school boards and administrations.

The College Board has jumped on the bandwagon with AP Career Kickstart Cybersecurity Pilots. I did take a look through that program. To me, the first course looks a lot like a standard IT/Networking course. I guess that makes sense as a prerequisite. After all, step one of a secure network is setting up a network.

The second course looks a lot more like what I think about as cybersecurity. Could be a good course. I hope that some of the pilot teachers will share what they learn while teaching it.

I don’t know that all courses calling themselves cybersecurity are that deep though. From what I have seen, some courses that call themselves cybersecurity are mostly about staying safe on the internet. That’s not a bad thing as long as proper expectations are set.

One related topic I have been thinking about is writing secure code. Is there room for that in high school? On the other hand, are we doing students a disservice by not talking about it at all? That’s the area of cybersecurity I hope to spend some more time thinking about. I’m more of a coder than a network guy.

Sunday, March 23, 2025

Should K-12 CS Education Be About Belonging in CS

I’ve been rather wrapped up in moving the last few weeks so haven’t been thinking about high school, or K-12, computer science education as I intended since my last blog post. Mark Guzdial, though, has been doing some thinking. Check out School teachers don’t need to recruit students into CS: An alternative model for K-12 computing education for his latest post.

Mark has also been looking at the effort to rewrite the CSTA standards which I have been ignoring. Perhaps I should be paying more attention. Anyway, Mark argues that “Sense of Belonging in CS” should not be in the list of goals. When I read that line in Mark’s post I wondered what “sense of belonging in CS” actually means. Does it mean that students should see themselves as future computer scientists or software professionals or CS majors in university? All of that seems like over much to ask.

I’ve said for a long time that we don’t teach physics in high school to turn out more physicists (and similar analogies). Do we expect students to feel like they belong in physics? I don’t think so. We do want students to understand something about how physics impacts the world around them. And if they develop an interest in studying more physics that is great but it’s not a goal.

We do want students to exit high school knowing something about computer science. We want them to see how it impacts the world around them. I think we also want them comfortable with the idea that they can do something with computers and computing. Helping them to see how computing relates to what their major interests are is great. Belonging in CS? Maybe a bridge too far.

Visit Mike Zamansky’s take here https://cestlaz.zamansky.net/posts/cs-for-all-or-all-for-cs/

Friday, March 07, 2025

Rethinking High School Computer Science

I love programming. I took a computer science course as an undergraduate and really fell in love with programming. While I made my living writing code for many years, my wife once wondered if I would have been happier with coding as an avocation rather than a vocation. That’s a bias I have no doubt taken in my teaching career. But is it the right bias for developing high school CS curriculum? I’m starting to wonder about that.

I’ve said in a number of ways that we don’t teach high school physics because we need more physicists. We teach HS physics to help students understand the world they live in. The same needs to be true for high school computer science.

A recent blog post by Mark Guzdial brought that into focus. (CS doesn’t have a monopoly on computing education: Programming is for everyone) The key line in that post was this: Computing education for non-CS majors is different than what we teach CS majors.

Now we talk a lot about computer science for all and that teaching high school computer science should not be about vocational training or just preparing students to be CS majors. But is that how we are developing our curriculum and our ideas about what students should be taught?

Note: The rest of this post is based on a comment I left on Mark’s blog post BTW.

Often we're lucky to have any CS courses even with improvements in recent years. So having a variety of courses for different types of students seems impractical. High schools don't have the resources that universities do. Actually, small colleges and universities don't have the resources that schools like Michigan do!

But circling back to high schools, which is my focus, what should we be teaching? For the most part, high school CS is largely still preparation for CS majors in university or for vocational preparation. The growth in cybersecurity courses is indicative of the vocational focus, for example.

Some schools do have the ability to offer multiple courses. It takes a larger CS program to do that though. The high school I retired from did adopt a course teaching Python largely at the request of the Physics department, for example. R is a big language in many university majors but we don’t see much R in high schools. Should we? I am not sure. Many schools will be limited to one or two courses that have to prepare everyone in any case.

Advanced Placement Computer Science Principles is probably the closest course available for computing education for meeting multiple computing paths. It's still controversial in HS CS with its perception in some circles as a watered-down CS course. It may just be the course we should be paying the most attention to though.

Writing requirements for HS CS is going to remain difficult though. Getting people to give up or even depreciate loops is going to be impossible. (Reading the Guzdial post makes that last line more understandable. Not all programming requires loops.)

Ultimately, high school computer science is all over the map from schools that offer little to none with few taking CS to schools offering multiple options and requiring all students to take some. Universities cannot expect students to have even a base level of CS. Some students are going to have huge advantages. And that makes me sad.