C. Warren Axelrod

Coding? OK … But Security? Ha!

Bloomberg Businessweek did something amazing. It devoted an entire double issue (June 5-28, 2015) to computer programming. Paul Ford’s 38,000-word essay “The Code Issue” describes the origins and history of computer programming and programming languages with the intention of educating those among us who never learned to write code and entertaining those of us who did. At the end of the 112-page booklet, he asks the question “Should you learn to code?” and gives a variety of reasons to do so.

I ploughed through the article and found it quite informative. As someone whose first language was FORTRAN and who enjoyed programming in APL, I found it interesting to read Ford’s views and experiences. However, as an InfoSec professional, I was hugely disappointed at the lost opportunity to inform his presumably large audience of the importance of secure coding and of the many vulnerabilities that are typically embedded in computer programs. In fact, there are only a couple of references to information security in the entire piece. One is about passwords, where he writes:

“We didn’t talk about password length, the number of letters and symbols necessary for passwords to be secure, or whether our password strategy on this site will fit in with the overall security profile of the company, which is the responsibility of a different division.”

Not my problem. Sounds like a cop-out to me.

The other mention of security is in regard to delays that a software project might experience:

“First, I needed to pass everything through the security team, which was five months of review …”

Right. Security is always the fall-guy when developers are looking for excuses as to why they are late with their projects. If they had built security in from the start there would have been minimal impact on the project’s timeline. Bolting security on once the programs are completed is always more expensive, less effective, and can cause inordinate delays.

Ford also waxes poetic about open-source software, but never mentions the Heartbleed and Shellshock fiascos … see my November 3, 2014 BlogInfoSec column “Heartbled and Shellshocked … What Can We Do?”

While the coding issue of Bloomberg Businessweek makes a heroic effort to bring knowledge of programming to the populace, it does everyone a disservice by not addressing information security and misses a wonderful opportunity to teach the public about the importance of secure coding and security testing. As long as programmers’ prevalent view is that information security is someone else’s problem and that security reviews hamper project progress, we are not going to see very many applications that are secure, and cyber attacks will continue to be successful at an ever-increasing rate.

Oh, by the way, there is no need to spend $5.99 on a newsstand copy of the magazine, as I did. The complete issue is available free at http://www.bloomberg.com/graphics/2015-paul-ford-what-is-code/ in a more entertaining interactive version.
