A sea change in pop culture’s understanding of security

Something special happened on Thursday that is very easily overlooked. Marketplace, an American Public Media program making economics accessible to normal folk, ran a story on how kids start honing their cyber security skills early. The angle: future jobs. A good angle considering we’re all short on staff these days.

The show’s host, Kai Ryssdal, set the stage by listing big companies that have been hacked, dropping the word ‘cyber’. I cringed. Would this be another FUD piece? Cyber, cyber, cyber. Within this frame, the story took a dramatic turn:

“‘It’s weird,’ Estrella said, ‘Only one tiny little mistake and then it affects everything.’”

The story goes on to explain that in this after-school program, run in concert with The University of San Jose, students are learning to code and to fix errors along the way.

Excellent. Security presented as an emergent property of applications. Security being taught as part of teaching kids to program. A focus on fixing the danged software. But, it’s the way the story ended that stopped me in my tracks (I was cooking dinner at the time). I actually froze.

“‘To have good security you need to get rid of bugs in your code’, he said. ‘Oh, and to make strong passwords. Otherwise’, he pointed out, ‘you could get hacked.’”

Remember, this was one of the students speaking. I couldn’t have asked for a better quote if I’d been interviewed for the piece. I listen to Marketplace religiously; its coverage is good. While its contributing reporters have reached out to me to understand issues, their stories are for the layperson; they don’t trade in esoterica.

That’s why this story represents a sea change. A story about teaching people to code is a welcome change from the exploit and [make a] splash reporting with which we’re inundated. A recognition that we must secure what we build, fix the code, and teach people to build security in will allow us to move beyond the reactive penetration-and-patch mentality on which the cyber security industry, for the most part, remains fixated.