Friday, March 22, 2019

"False positives" in Internet security scans reminds me of an old "professionalism" issue in mainframe COBOL programming

I gave this link on my “Internet Safety” blog on June 25, 2018, but I thought I would mention it again here with respect to a problem that SiteLock sometimes finds in monthly “application scans” of WordPress sites. That is the “1=1” tautology problem.

The English composition (or technical writing – that’s a job description itself) in the piece is a little hard to follow (with typos) but it seems to imply that the application element is there for self-debugging, rather like a DISPLAY statement in a batch COBOL program in the old mainframe world.
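Why a scanner's “1=1” signature produces false positives, as an added example (not code from the post, the linked piece, or SiteLock): a benign query-builder idiom and a tautology OR-ed into a WHERE clause look identical to a raw signature match, so the triage step below adds the one piece of context a reviewer would check. The sample SQL strings are constructed for the example.

```python
import re

# Constructed sample SQL strings (not from the original post). The first is
# the common query-builder idiom: "WHERE 1=1" exists only so that every later
# condition can be appended with "AND". The second places the same tautology
# after OR, where it widens the result set, which is the shape a scanner's
# "1=1" signature is really meant to surface.
BUILDER_IDIOM = "SELECT id, title FROM posts WHERE 1=1 AND status = 'published'"
WIDENING_OR = "SELECT id, title FROM posts WHERE author = 'x' OR 1=1"

# Always-true numeric or string comparisons such as 1=1 or 'a'='a'.
TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b|'([^']*)'\s*=\s*'\2'")


def find_tautologies(sql: str) -> list[str]:
    """Return every always-true predicate in the string (the raw signature hit)."""
    return [m.group(0) for m in TAUTOLOGY.finditer(sql)]


def triage(sql: str) -> list[tuple[str, str]]:
    """Label each hit by the keyword that precedes it.

    Directly after WHERE, a tautology is the builder idiom and changes nothing;
    after OR it changes which rows match and deserves a look; anything else is
    left for manual review.
    """
    results = []
    for m in TAUTOLOGY.finditer(sql):
        before = sql[: m.start()].rstrip().upper()
        if before.endswith("WHERE"):
            label = "builder-idiom"
        elif before.endswith(" OR"):
            label = "widening-or"
        else:
            label = "review"
        results.append((m.group(0), label))
    return results


if __name__ == "__main__":
    for sql in (BUILDER_IDIOM, WIDENING_OR):
        print(sql)
        print("  raw hits:", find_tautologies(sql))
        print("  triage  :", triage(sql))
```

Both strings produce the same raw hit; only the triage label separates the harmless idiom from the case worth a reviewer's time.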

The practice of allowing DISPLAY statements was viewed as unprofessional, revealing that the programmer doesn’t have 100% confidence in what she is moving to production. With in-house written applications, which many shops had developed and maintained well into the 90s (and had to put through Y2K), you could get away with it. And “in-house” often meant a consulting company that was running a data center for an entire government agency (like New York State MMIS in my own background -- the lower Manhattan HQ for Bradford's processing center in the late 1970s is shown above).

Starting in the late 80s, it became more common for large shops to use purchased application systems.  Vantage for the life insurance and annuity industry is one of the largest and best known. (I barely missed out on getting Vantage experience, and that is a narrative of its own – if I had, the last twenty years might have been very different than they were  -- “Vantage rules the world”).

When you work as an application programmer for a system that will in turn be sold or licensed to other companies to use for their own large-scale applications (banking, insurance, securities, etc.), you have to follow very strict coding standards, for consistency and professionalism. You can’t allow “false positives”.

In the culture of Internet security, though, “false positives” are taken as inevitable and necessary.
