Hack the Textbook: Introducing The Textbook Security Project
Why do we have so many software security problems? Clearly, a large proportion are caused by poorly written code. Why is our code so badly written? There are many reasons, not the least of which is that writing secure code can be a difficult task. However, the problem is compounded by most programmers having been taught insecure coding practices.
The majority of the most popular and widely used college textbooks for programming never cover any security concepts. Worse, they actually teach practices that result in insecure code. For some time now, companies trying to produce secure software have been complaining that college courses and course materials fail to prepare students to write secure code, and they are tired of having to retrain recent graduates in secure programming practices.
The insecure code problem is compounded by the fact that many of the professors and instructors who teach programming are not security experts. Even if they could identify and correct the "security bugs" in textbooks, it is difficult for them to teach what is not in the textbooks or to try to teach differently from the textbooks.
Attempts by some in the academic community to get authors and publishers to include security content in textbooks has actually been met with resistance. Many in academia believe that if there were a true need for secure software development to be taught, it would be a "self-correcting problem that would be addressed by textbook authors."
The objective of The Textbook Security Project is to publicly expose the security flaws in popular textbooks, and to encourage authors to revise their books to use secure software development practices. The immediate goal of the project is to provide lists of textbooks to be critiqued and to allow security professionals to post reviews exposing a textbook's security flaws. The project also plans to provide resources to help authors identify and correct problems in their books, and to help new authors get security right the first time. The long term goal of the project is to change security from being a subject that is taught as a senior level course, to security becoming an integral part of the entire computer science curriculum.