Saturday, June 20, 2015

The Tragedy of the Bloomberg Code Issue

Last week I Tweeted about the Bloomberg "code" issue. I said I didn't know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that's been covered by news outlets like the Huffington Post.

I approached the document with an open mind. When I opened my mail box last week, I didn't expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise.

This morning I decided to try to read some of the issue. (It's been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security.

Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word "security." These are the results:

Security research specialists love to party.

I have been asked if I was physical security (despite security wearing very distinctive uniforms),” wrote Erica Joy Baker on who has worked, among other places, at Google.

Can we not rathole on Mailinator before we talk overall security?

We didn’t talk about password length, the number of letters and symbols necessary for passwords to be secure, or whether our password strategy on this site will fit in with the overall security profile of the company, which is the responsibility of a different division. 

Ditto many of the security concerns that arise when building websites, the typical abuses people perpetrate.

“First, I needed to pass everything through the security team, which was five months of review,” TMitTB says, “and then it took me weeks to get a working development environment, so I had my developers sneaking out to Starbucks to check in their code. …”

In Fortran, and I ask to see your security clearance.

If you're counting, that's eight instances of "security" in seven sentences. There's no mention of "software security." There's a small discussion about "e-mail validation," but it's printed to show how broken software development meetings can be.

Searching for "hack" yields two references to "Hacker News" and this sentence talking about the perils of the PHP programming language:

Everything was always broken, and people were always hacking into my sites.

There is one result for "breach," but it has nothing to do with security incidents. The only time the word "incident" appears is in a sentence talking about programming conference attendees behaving badly.

In brief, a 112 page magazine devoted to the importance of software has absolutely nothing useful to say about software security. Arguably, it says absolutely nothing on software security.

When someone communicates, what he or she doesn't say can be as important as what he or she does say.

In the case of this magazine, it's clear that software security is not on the minds of the professional programmer who wrote the issue. It's also not a concern of the editor or any of the team that contributed to it.

From what I have seen, that neglect is not unique to Bloomberg.

That is the tragedy of the Bloomberg code issue, and it remains a contributing factor to the decades of breaches we have been suffering.


A Bochman said...

In a sense, a long and largely well done article on software in 2015 or any time previous that ignores software / application security is an excellent primer on the state of security psychology. For all the recent and past several years' headlines on breaches, losses, firings, grillings on the hill, calls to "wake up", looming cyber pearl harbors, and increasing calls for resilience cause you know you're breached or are going to be soon, the one thing that proves most resilient is industry's resolve to treat security as an afterthought, as a nuisance, as something to be joked about and wherever possible, circumvented. You've probably said this before, but from where I sit, this challenge is so much about humans, and so little about tech, even though most focus almost solely on the latter. As the recent catastrophic OPM breach reveals, all the technical cybersecurity defenses in the world won't save you if you give max authorization to personnel you've barely screened. Appreciate your post.

Anonymous said...

I agree with A Bochman.

None of this is surprising - coders (like most people and myself) are lazy, and work harder (like most people) at doing less rather doing more. Even basic security requires work and effort, and better security requires consistency and continuos effort. The C-Suite is scared because they know the really can lose their jobs (e.g. Target) but haven't figured out that just like exercising and eating well - you have to do it everyday single day or it doesn't work.

Anonymous said...

This article is really depressing.

There is no responsibility, not interest, no incentive to produce software which cannot be hacked by 14-year olds.

There is also no point in "being the odd man out" - your secure product will be dragged down into the abyss by all the bad software around it on the same network. A shiny beacon drowned by a sea of mud and failed apps.

Maybe the reason some intelligence services still use zero-days instead of jumping on the custom PHP software with the MS access backend from 1995 "proudly made by an unpaid intern" is because they want security researchers and incident responders appreciate their skill and declare it being "art".

Jim Lippard said...

"None of this is surprising - coders (like most people and myself) are lazy, and work harder (like most people) at doing less rather doing more."

That's an argument for Marc Stiegler's strategy in his Google Tech Talk from March 2010, "The Lazy Programmer's Guide to Secure Computing."

Paul said...

Even requirement docs are shorter than that document.

Anonymous said...

No offence, but as an article clearly designed to help managers understand how software developers think, I really believe it did a nice job. It obviously wasn't designed to please the literati and intelligentsia that you guys represent ;)

As a layman whose lifelong knowledge of coding is Basic, Logo, Lingo and Max, I actually found it very informative and helpful to finally understand the difference between Python and JavaScript and PHP and Ruby, and find out what SQL and node.js mean. I'm beyond fine that it didn't go into detail regarding security, wireless protocols, data gluts and other such messiness. That's why we hire security experts, telecom engineers, data scientists et al. ;)

Best regards and have fun deconstructing the world for us ignorants :)

Richard Bejtlich said...

Anonymous, you said "an article clearly designed to help managers understand how software developers think...That's why we hire security experts"

That's exactly my point. If this magazine reflects "how software developers think," especially the idea that you "hire security experts" to handle security, that explains why we have such a problem in software security today.