An issue that I have been wondering a lot about lately is whether people currently studying to be programmers, and the people who have to use the programs they write, are being done a huge disservice by those who are responsible for training them. It seems that many colleges and vocational schools that teach computer programming focus heavily on teaching students to write code that is operational but not necessarily robust. By that I mean that the resultant code will work in the sense that it will properly execute the algorithm of interest, perhaps even in an efficient way, but often little to no attention will be paid to other real-world essentials like error handling, input validation, sanitizing inputs, proper session handling, etc. Producing code that achieves the desired function is important, but it is not the only thing that is important for the creation of a quality product. It really leaves me to wonder whether security problems would be as widespread as they are now if developers were taught to deal with such issues as they learned to program. While many schools are now offering classes on secure application development, these classes are usually an elective and not a standardized part of the curriculum and, as such, the techniques taught may be viewed by many students as “add-ons” and not essentials.
In many cases, the importance and utility of such techniques could be emphasized without the need for more than a basic understanding of a programming language. For example, if an application required a number between 1 and 10 as input, basic forms of input validation could be illustrated with the addition of an if statement and basic error handling with an else statement. Sure, these are rudimentary ways of doing things, but the point is that it instills in the would-be programmers the need for such techniques from the start of their education. Approaching these topics from early on, I believe, would contribute to greater awareness of such issues and better habits in dealing with them. Of course, as the knowledge of the students grows, so too could the sophistication of the techniques. I think it is essential for all programmers to understand that a functional routine is an important milestone, but for any code that will be put into a production environment, proper functionality when provided proper inputs is not enough.
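The 1-to-10 case described above, as an added example that is not part of the original post: a parser that is merely operational next to one that validates its input and handles the error path explicitly. The function names, the sample inputs and the choice to reject rather than normalise odd input are assumptions made for illustration.

```python
import re

# Allow-list: one or two ASCII digits only. [0-9] is used instead of \d
# because \d also matches non-ASCII Unicode digits.
_DIGITS = re.compile(r"[0-9]{1,2}")

def parse_naive(raw):
    """'Operational' version: right answer only when the input is already proper."""
    return int(raw)

def parse_choice(raw, low=1, high=10):
    """Return (value, None) if raw is a valid choice, else (None, reason)."""
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw):
        return None, "expected one or two ASCII digits"
    value = int(raw)
    if low <= value <= high:   # the 'if': input validation
        return value, None
    else:                      # the 'else': explicit error handling
        return None, f"must be between {low} and {high}"

# Constructed sample inputs: proper values first, then the improper ones.
SAMPLES = ["7", "10", "0", "11", "-3", "1_0", " 5\n", "\u0663", "abc", ""]

def compare(samples=SAMPLES):
    """Run both parsers over each sample and collect what each one does."""
    rows = []
    for raw in samples:
        try:
            naive = parse_naive(raw)
        except ValueError:
            naive = "ValueError"   # unhandled, this would crash the program
        rows.append((raw, naive, parse_choice(raw)))
    return rows

if __name__ == "__main__":
    for raw, naive, strict in compare():
        print(f"{raw!r:8} naive={naive!r:12} strict={strict}")
```

The naive version silently accepts `-3`, `1_0` (parsed as 10), padded input and a non-ASCII digit, and raises on `abc` and the empty string, while the validating version returns a reason for every one of those cases.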