Lazy Developers are the #1 Security issue
Open source used to be the best you could do security-wise. Someone, or a small team, would start a project around a true unmet need, open-source it on the internet, and a community would grow around it. That community would be thousands of people strong, working tirelessly 24/7 to make the project better, while the original team would usually serve as "benevolent dictators".
This means that every line of code is in the open and audited by several dedicated programmers before it is officially released. This is an extraordinarily efficient model for development and security, and it made open-source software the foundation of the internet and much more. This model gave us Apache, GNU/Linux, Git, ffmpeg, PyTorch, MySQL, ... just to name a few. Without it, there is no modern computer science, no modern internet, no modern operating systems, no modern AI.
Of course, it is not a bulletproof system; bad actors still try to exploit bugs and slip backdoors into open-source software. However, these are identified by the community and promptly corrected at a pace that proprietary software can never match. Hardened security through radical openness. This system worked because it is maintained by passionate people with very high technical knowledge and abilities. These projects are all coded in low-level programming languages (which means harder to write), not high-level scripting languages.
Fast-forward to today, a world dominated by Node.js and scripting languages in general. Scripting languages like Python and JavaScript have allowed many more people to join the ranks of the "Developers". These languages are orders of magnitude easier to learn, do not require compilation, and, thanks to many technological advancements, are now fast enough to be used in serious applications.
However, their massive adoption also had the unintended consequence of lowering security standards in open source, and therefore everywhere. Node.js is now for many the preferred way of building "full-stack" applications. One single language for both the backend and the frontend is a very enticing premise. However, JavaScript was never meant to be a secure language, and more importantly, the scripting language came with a culture of laziness. Gone are the days when programmers would compete to show their skills and understanding of the machine, to see who would come up with the most efficient, the most elegant and the most secure code. Now there is often expediency and lack of skill disguised as "efficiency". Why reinvent the wheel, when you can just import a free package (under an MIT license) made by someone you don't know? That seemingly wise advice has now created a security nightmare of package dependencies that are impossible to audit.
There are now millions of open-source Node.js packages. Most of these packages are not maintained, or very poorly maintained, and they don't have sizeable communities supporting them. For most of them, their makers have either moved on or don't have the technical ability to assess whether some piece of code could produce an exploit that bad actors could use. These millions of packages are all prime targets for bad actors looking for ways to insert backdoors into software used by millions. If an application requires 600MB of dependencies, it is not secure. That number should make any security-aware person shudder.
Of course you can sandbox applications, but that is not enough.
Write your own code. Use as few dependencies as you can.
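The post's argument about unauditable dependency trees can be put in numbers. The following is an added example, not code from the original post: a small Node.js script that reads an npm package-lock.json (lockfileVersion 2 or 3) and reports how much third-party code a project actually pulls in, how deep the tree nests, which packages ship install scripts (code that runs on `npm install`, before the application ever starts), and which entries lack an integrity hash npm could verify. The lockfile layout it relies on is the real npm format, but the `demo-app` lockfile embedded below is constructed sample data with placeholder URLs and hashes.

```javascript
// Added example, not code from the original post. It makes the post's point
// ("dependencies that are impossible to audit") measurable by reading an npm
// package-lock.json (lockfileVersion 2 or 3) and summarising the third-party
// code a project installs.
//
// Assumptions (mine, not the page's): the lockfile carries a "packages" map keyed
// by install path ("node_modules/a/node_modules/b"); an entry with
// hasInstallScript === true runs code at `npm install` time; an entry without an
// "integrity" field cannot be checked against the tarball npm downloads.

const NM = "node_modules/";

function analyzeLockfile(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  // Direct dependencies are whatever the root project declares itself.
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);

  const versionsByName = new Map(); // name -> Set of installed versions
  const installScripts = [];        // install paths that run code on install
  const missingIntegrity = [];      // install paths npm cannot verify
  let installed = 0;
  let transitive = 0;
  let maxDepth = 0;

  for (const [path, meta] of Object.entries(packages)) {
    if (path === "" || meta.link) continue; // skip the project itself and workspace symlinks
    installed += 1;
    // Depth = number of "node_modules/" segments. Depth > 1 is a nested copy,
    // installed because two packages wanted incompatible versions.
    const depth = path.split(NM).length - 1;
    const name = path.slice(path.lastIndexOf(NM) + NM.length);
    maxDepth = Math.max(maxDepth, depth);
    if (depth > 1 || !direct.has(name)) transitive += 1;
    if (!versionsByName.has(name)) versionsByName.set(name, new Set());
    versionsByName.get(name).add(meta.version);
    if (meta.hasInstallScript === true) installScripts.push(path);
    if (!meta.integrity) missingIntegrity.push(path);
  }

  // Names present in more than one version: the same code to audit twice, at best.
  const duplicateNames = [...versionsByName]
    .filter(([, versions]) => versions.size > 1)
    .map(([name]) => name)
    .sort();

  return {
    installed,
    direct: direct.size,
    transitive,
    distinctNames: versionsByName.size,
    maxDepth,
    duplicateNames,
    installScripts,
    missingIntegrity,
  };
}

// Constructed sample lockfile (placeholder names, URLs and hashes) so the script
// runs offline. One transitive package has an install script, and one nested
// copy has no integrity hash.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-framework": "^1.0.0" }, devDependencies: { "test-runner": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.4.2", resolved: "https://registry.example/web-framework-1.4.2.tgz", integrity: "sha512-PLACEHOLDER-A", dependencies: { "tiny-helper": "^0.1.0", "native-binding": "^3.0.0" } },
    "node_modules/tiny-helper": { version: "0.1.9", resolved: "https://registry.example/tiny-helper-0.1.9.tgz", integrity: "sha512-PLACEHOLDER-B" },
    "node_modules/native-binding": { version: "3.2.0", resolved: "https://registry.example/native-binding-3.2.0.tgz", integrity: "sha512-PLACEHOLDER-C", hasInstallScript: true, dependencies: { "tiny-helper": "^0.2.0" } },
    "node_modules/native-binding/node_modules/tiny-helper": { version: "0.2.3", resolved: "https://registry.example/tiny-helper-0.2.3.tgz" },
    "node_modules/test-runner": { version: "2.0.1", resolved: "https://registry.example/test-runner-2.0.1.tgz", integrity: "sha512-PLACEHOLDER-D", dev: true },
  },
};

// Usage: node lockfile-surface.js [path/to/package-lock.json]
// Without an argument it analyses the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  console.log(JSON.stringify(analyzeLockfile(lock), null, 2));
}
```

On the sample, two declared dependencies turn into five installed packages, one of which runs code at install time and one of which npm could not verify against its download. Run against a real lockfile, the `installed` and `installScripts` numbers are the ones to watch: every entry in `installScripts` is code executed on the build machine, and every entry in `missingIntegrity` is code nobody can prove matches what was published.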