The Tragedy of the Bloomberg Code Issue

Last week I Tweeted about the Bloomberg “code” issue. I said I didn’t know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that’s been covered by news outlets like the Huffington Post.

I approached the document with an open mind. When I opened my mail box last week, I didn’t expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise.

This morning I decided to try to read some of the issue. (It’s been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security.

Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word “security.” These are the results:

Security research specialists love to party.

I have been asked if I was physical security (despite security wearing very distinctive uniforms),” wrote Erica Joy Baker on Medium.com who has worked, among other places, at Google.

Can we not rathole on Mailinator before we talk overall security?

We didn’t talk about password length, the number of letters and symbols necessary for passwords to be secure, or whether our password strategy on this site will fit in with the overall security profile of the company, which is the responsibility of a different division. 

Ditto many of the security concerns that arise when building websites, the typical abuses people perpetrate.

“First, I needed to pass everything through the security team, which was five months of review,” TMitTB says, “and then it took me weeks to get a working development environment, so I had my developers sneaking out to Starbucks to check in their code. …”

In Fortran, and I ask to see your security clearance.

If you’re counting, that’s eight instances of “security” in seven sentences. There’s no mention of “software security.” There’s a small discussion about “e-mail validation,” but it’s printed to show how broken software development meetings can be.

Searching for “hack” yields two references to “Hacker News” and this sentence talking about the perils of the PHP programming language:

Everything was always broken, and people were always hacking into my sites.

There is one result for “breach,” but it has nothing to do with security incidents. The only time the word “incident” appears is in a sentence talking about programming conference attendees behaving badly.

In brief, a 112 page magazine devoted to the importance of software has absolutely nothing useful to say about software security. Arguably, it says absolutely nothing on software security.

When someone communicates, what he or she doesn’t say can be as important as what he or she does say.

In the case of this magazine, it’s clear that software security is not on the minds of the professional programmer who wrote the issue. It’s also not a concern of the editor or any of the team that contributed to it.

From what I have seen, that neglect is not unique to Bloomberg.

That is the tragedy of the Bloomberg code issue, and it remains a contributing factor to the decades of breaches we have been suffering.