Is It Ever Too Early To Teach Security?

About 25 years ago, back in the mini-computer era, I was a developer in an operating system group. My team was working on a brand new print and batch spooling system. We were creating a system with a lot more power and flexibility than the previous system. Plus we were working with an operating system that was making changes to the security/privilege model. Very early on in the design process we started talking about system security. Because things were getting more complex we wanted to make sure that we didn't open new security holes. And of course plugging any existing ones was a thought as well.

Security was part of the plan from the beginning. We convinced the core OS team to add some features just for us to make sure that communication was more reliable and to make it less easy to fake credentials. That benefited others as well of course and I think ultimately made the whole OS more secure. But the main point is that we designed security in from the start. It wasn't something that we retrofitted or added on later as part of a separate security initiative.

I've been out of the OS development business for a long time now but security of applications is something that is still near and dear to my heart. It's hard to teach in early computer science classes though because the projects are, for the most part, small, simple and artificial. But I still think that it is something that should be talked about and hopefully thought about.

Along those lines I came across some useful and free information about Microsoft's Security Development Lifecycle. Michael Howard, Principal Security Program Manager, has written a short article titled "Building Security into Windows Vista and the Microsoft Culture" that talks about the cultural change that had to be made at Microsoft and that has to be made at many places to really get security right.

Related to this is a new document called "Security Development Lifecycle Guidance" that is available as a free download (registration is optional but recommended if you're really interested in this topic). I think the introduction would be a reasonable read and a good kickoff for discussion with a class of students. If you are in the target audience for the book (policy makers and software development organizations), by all means you'll want to read it all.

Comments (5)

  1. Gerard says:

    It is not just software design security; students also need to know how to protect themselves from internet security problems. I use a resource called hacker high school to help teach security concepts.

  2. Mike A Portagee says:

    It would be a lot easier to see your point if the tools at your disposal hadn’t let,

    "Along those lines I can across some useful and free information about Microsoft’s Security Development Lifecycle."

    slip through.

    Isn’t this how the "many eyeballs" proofreading approach works?

  3. It’s never too early to talk to children (or adults) about Computer Security. The problem is always about “when” to have the conversation.

    Beginning a conversation “out of the blue” – will simply be seen as lecturing.

    You need to either carefully craft the topic into the conversation – or like many topics, wait until you’re asked.

    Blake Handler

    Microsoft MVP

    "The Road to Know Where"

  4. Gerard says:

    Found a wonderful website that you might be interested in, netsafe netbasics. They are a New Zealand group that has been set up to help schools and businesses protect themselves from online threats. Their main website is

    However one of the projects that they have been working on lately relates to security.

    netsafe netbasics

    A new and engaging campaign advising New Zealanders on how to keep their PC and information secure will be launched on April 9. The NetBasics website advises home computer owners on how to protect their computers [Note that many of these computers are also used to manage small businesses and community organizations.] and the data they hold.

    “On its own, computer security is a pretty dry subject. We needed a delivery vehicle that effectively explained the concepts and was also entertaining enough to keep the audience engaged,” says Cocker. “Animation allowed us to get creative and bring new life to this subject matter. I’m sure people will enjoy the animated episodes that introduce each security concept.”

    Have fun looking around.


    New Zealand
