Something special happened on Thursday that is very easily overlooked. Marketplace, an American Public Media program making economics accessible to normal folk, ran a story on how kids start honing their cyber security skills early. The angle: future jobs. A good angle considering we’re all short on staff these days.
The show’s host, Kai Ryssdal, set the stage by listing big companies that have been hacked, dropping the word ‘cyber’—I cringed. Would this be another FUD piece? Cyber, cyber, cyber. Within this frame, the story took a dramatic turn:
“’It’s weird,’ Estrella said, ‘Only one tiny little mistake and then it affects everything.’”
The story goes on to explain that in this after school program, in concert with The University of San Jose, students are learning to code and to fix errors along the way.
Excellent. Security presented as an emergent property of applications. Security being taught as part of teaching kids to program. A focus on fixing the danged software. But, it’s the way the story ended that stopped me in my tracks (I was cooking dinner at the time). I actually froze.
“‘To have good security you need to get rid of bugs in your code’, he said. ‘Oh, and to make strong passwords. Otherwise’, he pointed out, ‘you could get hacked.'”
Remember, this was one of the students speaking. I couldn’t have asked for a better quote if I’d been interviewed for the piece. I listen to Marketplace religiously; its coverage is good. While its contributing reporters have reached out to me to understand issues, their stories are for the layperson; they don’t trade in esoterica.
That’s why this story represents a sea change. A story about teaching people to code is welcome change from the exploit and [make a] splash reporting with which we’re inundated. A recognition that we must secure what we build, fix the code, and teach people to build security in will allow us to move beyond the reactive penetration-and-patch mentality on which the cyber security industry, for the most part, remains fixated.
John Steven is a former senior director at Synopsys. His expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. After joining Synopsys as a security researcher in 1998, John provided strategic direction and built security groups for many multinational corporations, including Coke, EMC, Qualcomm, Marriott, and FINRA. His keen interest in automation contributed to keeping Synopsys technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and as the leader of the Northern Virginia OWASP chapter. John speaks regularly at conferences and trade shows.