The Generalist Programmer

Security Matters

Pay me some bitcoin, or I will release your patient records to the public.

The big national news

This is one of the biggest news events in Finland right now. A big psychotherapy provider had a massive data breach, and now they and their patients are blackmailed. Reportedly, some records have already been published on the dark net.

The human cost is staggering: thousands of people have to live with the knowledge that their most private problems may be released to the public, and many can expect to get in real trouble over them. Those same thousands have to take action to prevent criminals from abusing their identity by setting up legal restrictions that will inconvenience themselves, not just criminals.

Based on current reports, which are questionable at best, the patient records existed some years ago on a publicly accessible database with the user name "root" and the password "root". If accurate, it reveals a staggering level of incompetence from the people responsible for operating the system; a truly unforgivable mistake.

We Programmers Are the First Line of Defense

In the modern practice of devops, we as programmers frequently have to operate the services that we write. Thus, we cannot smugly stand aside and say that it's not our problem. Frankly, we developers are more likely to mess operations up than ops specialists ever will; when you set up your database, do you know it well enough to confidently state (and be correct) that it will not have a default "root" user with the default "root" password?

We the programmers are the first line of defense in almost everything. We write the microservice that responds to a public endpoint and transforms it into an SQL statement.

We make sure there is no SQL injection vulnerability in that microservice.

We make sure we do not turn a part of the request into a regular expression that we feed to a run-of-the-mill regex engine. You did know that regex interpretation (as commonly implemented) is exponential in the worst case, right? It allows an attacker to deny your classical deployment's service and, in a serverless environment, deny your employer its wallet.

Unforgivable Mistakes

There are unforgivable mistakes that a programmer can make. That term was defined over a decade ago by Steve Christey Coley, a world leading expert in software vulnerabilities. In his telling, a mistake is unforgivable when a lot of people have made it before and it is obvious, well documented, easily exploited, and easily detected in a code review. Back then, he listed 13 of them.

The root/root username and password combination was number 12 on the list. In 2007.

Go read the paper right now, even if you have before. You do not want to make an unforgivable mistake.

Keep Learning

As as generalist programmers, we must always remember that there are cross-cutting concerns like security and privacy that remain there no matter what specialty we work in. We must also remember that in security we are fighting intelligent adversaries. They learn, and so must we.

Keep current.