Hacker News new | past | comments | ask | show | jobs | submit login

It's a single course. I think no one, not even the author, expect a single course to cover enough ground to ensure that students can write secure applications moving forward. For instance, the author has a "formal verification" category on their blog: http://www.pl-enthusiast.net/category/formal-verification/

But they do think (like Daniel Bernstein and Edsger Dijkstra), that the usual "pentest & patch" does not work. http://www.pl-enthusiast.net/2015/09/30/penetrate-and-patch-...




And I'm critiquing the premises of the single course. What's your point?

I've talked to more than one university professor in the last 2 years about what a first and second course in software security should look like, and if there's a theme to my feedback, it's "not like this; this is what people thought it might look like in 1998".


You appear to critique the premise that most security comes from using the right programming language and observing a few patterns, like validating all inputs.

I was saying this is most probably not the premise of the course. That just like you, they don't believe they're teaching a panacea, just something that will help.

That assessment could be wrong, though. Unlike you, I never discussed security with university professors, and I know nothing of their misconceptions. Could you offer a gist of what they teach, and most importantly what they should be teaching instead?


And indeed, most security doesn't come from using the "right" language, nor is "validate all inputs" especially helpful advice (in fact, it's distinctively unhelpful, and is at times actively misleading). You can certainly use the wrong language, and that will harm your security, but for the most part almost nobody writes C anymore.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: