A thought experiment in whether reducing runtime dependencies can improve security and how to do it.
Hosted by Beeza on 2019-07-24 is flagged as Clean and is released under a CC-BY-SA license.
Tags: Application development, Application architecture, Security.
Listen in ogg,
mp3 format. | Comments (1)
Before the days of the PC, application architectures were often very simple - being little more than the executable itself and any input files. The constraints of the early PC’s very limited resources required new architectures to make the most of those resources.
We now have a situation where most applications either install, or require the presence of, multiple runtime dependencies. Each dependency has an interface which allows communication between itself and the application, but every interface presents an attack surface with the potential to be exploited by a malicious 3rd party.
Modern computers do not have those same resource constraints yet we are still developing applications using the principles that applied 3 decades ago.
Re-usable functionality can be internalised through static linking at compile-time or by code inclusion (along the lines of a .h file in C/C++)
To change from using tried and tested methods is never convenient, but with concern for cyber security high and rising, has the time come to exchange convenience for simpler application architectures that should reduce vulnerabilities?
…And may a move to new (or is it old) architectures deliver a big win for open source software?
Comment #1 posted on 2019-08-13T23:13:49Z by clacke
Dynamic vs static linking doesn't matter
Thank you for your thoughts! I started listening thinking I would agree, but I didn't.
Vulnerabilities do not generally come in through technical details like what style of linking is used. Your attack surface remains the same. Vendoring the code doesn't help either, that's just a distribution and versioning issue.
The only real way to reduce dependencies is to reduce them; Write the code ourselves, or make sure we fully understand our dependencies.
Here's an article that goes further into this: https://medium.com/@kori/systems-easily-understandable-by-one-person-f92e8613e2e
<< First, < Previous, Next >, Latest >>
Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.
Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).