The Tragedy of the Bloomberg Code Issue

Last week I Tweeted about the Bloomberg "code" issue. I said I didn't know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that's been covered by news outlets like the Huffington Post.

I approached the document with an open mind. When I opened my mail box last week, I didn't expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise.

This morning I decided to try to read some of the issue. (It's been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security.

Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word "security." These are the results:

Security research specialists love to party.

 I have been asked if I was physical security (despite security wearing very distinctive uniforms),” wrote Erica Joy Baker on Medium.com who has worked, among other places, at Google.

 Can we not rathole on Mailinator before we talk overall security?

 We didn’t talk about password length, the number of letters and symbols necessary for passwords to be secure, or whether our password strategy on this site will fit in with the overall security profile of the company, which is the responsibility of a different division. 

 Ditto many of the security concerns that arise when building websites, the typical abuses people perpetrate.

 “First, I needed to pass everything through the security team, which was five months of review,” TMitTB says, “and then it took me weeks to get a working development environment, so I had my developers sneaking out to Starbucks to check in their code. …”

 In Fortran, and I ask to see your security clearance.

If you're counting, that's eight instances of "security" in seven sentences. There's no mention of "software security." There's a small discussion about "e-mail validation," but it's printed to show how broken software development meetings can be.

Searching for "hack" yields two references to "Hacker News" and this sentence talking about the perils of the PHP programming language:

Everything was always broken, and people were always hacking into my sites.

There is one result for "breach," but it has nothing to do with security incidents. The only time the word "incident" appears is in a sentence talking about programming conference attendees behaving badly.

In brief, a 112 page magazine devoted to the importance of software has absolutely nothing useful to say about software security. Arguably, it says absolutely nothing on software security.

When someone communicates, what he or she doesn't say can be as important as what he or she does say.

In the case of this magazine, it's clear that software security is not on the minds of the professional programmer who wrote the issue. It's also not a concern of the editor or any of the team that contributed to it.

From what I have seen, that neglect is not unique to Bloomberg.

That is the tragedy of the Bloomberg code issue, and it remains a contributing factor to the decades of breaches we have been suffering.

Comments

A Bochman said…
In a sense, a long and largely well done article on software in 2015 or any time previous that ignores software / application security is an excellent primer on the state of security psychology. For all the recent and past several years' headlines on breaches, losses, firings, grillings on the hill, calls to "wake up", looming cyber pearl harbors, and increasing calls for resilience cause you know you're breached or are going to be soon, the one thing that proves most resilient is industry's resolve to treat security as an afterthought, as a nuisance, as something to be joked about and wherever possible, circumvented. You've probably said this before, but from where I sit, this challenge is so much about humans, and so little about tech, even though most focus almost solely on the latter. As the recent catastrophic OPM breach reveals, all the technical cybersecurity defenses in the world won't save you if you give max authorization to personnel you've barely screened. Appreciate your post.
9:36 AM
Anonymous said…
I agree with A Bochman.

None of this is surprising - coders (like most people and myself) are lazy, and work harder (like most people) at doing less rather doing more. Even basic security requires work and effort, and better security requires consistency and continuos effort. The C-Suite is scared because they know the really can lose their jobs (e.g. Target) but haven't figured out that just like exercising and eating well - you have to do it everyday single day or it doesn't work.
11:55 AM
Anonymous said…
This article is really depressing.

There is no responsibility, not interest, no incentive to produce software which cannot be hacked by 14-year olds.

There is also no point in "being the odd man out" - your secure product will be dragged down into the abyss by all the bad software around it on the same network. A shiny beacon drowned by a sea of mud and failed apps.

Maybe the reason some intelligence services still use zero-days instead of jumping on the custom PHP software with the MS access backend from 1995 "proudly made by an unpaid intern" is because they want security researchers and incident responders appreciate their skill and declare it being "art".
3:03 PM
Jim Lippard said…
"None of this is surprising - coders (like most people and myself) are lazy, and work harder (like most people) at doing less rather doing more."

That's an argument for Marc Stiegler's strategy in his Google Tech Talk from March 2010, "The Lazy Programmer's Guide to Secure Computing."
6:13 PM
Paul said…
Even requirement docs are shorter than that document.
12:52 PM
Anonymous said…
No offence, but as an article clearly designed to help managers understand how software developers think, I really believe it did a nice job. It obviously wasn't designed to please the literati and intelligentsia that you guys represent ;)

As a layman whose lifelong knowledge of coding is Basic, Logo, Lingo and Max, I actually found it very informative and helpful to finally understand the difference between Python and JavaScript and PHP and Ruby, and find out what SQL and node.js mean. I'm beyond fine that it didn't go into detail regarding security, wireless protocols, data gluts and other such messiness. That's why we hire security experts, telecom engineers, data scientists et al. ;)

Best regards and have fun deconstructing the world for us ignorants :)
1:36 PM
Richard Bejtlich said…
Anonymous, you said "an article clearly designed to help managers understand how software developers think...That's why we hire security experts"

That's exactly my point. If this magazine reflects "how software developers think," especially the idea that you "hire security experts" to handle security, that explains why we have such a problem in software security today.
7:10 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more