Packages and Modern Security
Security in web applications is getting really, really weird.
We’re seeing security breaches in major companies on a constant basis nowadays. Our personal information is getting leaked, all around the world, all the time.
From my personal experience - I also feel that web applications are, paradoxically, the most secure they’ve ever been.
The Before Times
Before I started programming, I audited the security of web applications for bug bounties.
At that point it seemed like pretty much everyone had their own, custom-written, PHP-driven CMS. They were solving security with hacked-together regular expressions that removed unwanted text from inputs (if they thought at all about security).
SQL Injection and XSS vulnerabilities were easily found many websites and a lot of people were just learning about the importance of hashing passwords.
The Rise of the Frameworks
Wordpress came along and started changing everything.
Suddenly, website owners had a default level of security. They didn’t need to know as much about SQL Injection or XSS or CSRF or null-byte injection or any of the other various ways web applications could be attacked.
Use the framework, follow the documentation, and everything would be fine.
I use Wordpress as an example of a larger movement towards prepackaged, large, customizable web applications as a basis for a website. There were phpBB forums, wikis, re-skinned web games, turnkey Facebook/Youtube clones…. Many large CMS systems and frameworks became popular.
Then was the rise of the 0-day exploits on the web. They took advantage of the wide distribution of this prepackaged software and used these exploits to attack large numbers of applications, many databases and servers, that all had the same bug.
It seemed like an all-out digital war for a while. Major Wordpress exploits were being revealed every other day. Remote code execution and SQL injection exploits were everywhere and very well known. If you didn’t keep your CMS up-to-date, you had a bulls-eye on your back.
The Turning Point
But then, slowly but surely, the frameworks started to win the war. Ongoing efforts of the major CMS and framework providers accrued and finally hit a turning point. Exploits came out slower and were often of less severity or were less widespread.
Frameworks continued to become the norm and helped to make the web more secure by default.
But, as the web became more complex, plugins to those frameworks became popular.
The Rise of the Packages
Giant frameworks were never designed to handle all the complex needs a webmaster could dream up. They were built as a foundation that could be customized by plugins or packages to create more complex or niche behavior.
The problem was that these packages were often thrown together and sold by a single person or small group of programmers.
We were back to same problem we had with custom-coded scripts.
Even today - not many programmers have security training and it’s not a mandatory part of many education systems. These plugins were just as insecure as the websites that preceded frameworks.
The Turning Point
This security issues with packages have been diminished considerably by the open-source movement.
A relatively small number of packages rose to popularity. These packages brought on more programmers and were consequently maintained by larger groups of people. Their source code was often open for anyone in the public to review and criticize.
Most importantly - when a large group of programmers get together and tackle a problem, with defined code review processes, with the eyes of the public watching every commit, their combined security experience often amounts to much more than any individual.
Packages became more secure because popular packages were relatively small in number and relatively well maintained by a large group of dedicated people.
The sheer amount of open-source projects on the internet today is astonishing.
If you have any problem, in any language, on any system - chances are there’s an open source package out there to help solve it. We are in a golden age of portable, re-usable, easy-to-distribute software.
It’s getting harder and harder to tell what packages are secure and which ones are just popular.
If someone builds a useful library it can become popular overnight, without the need for any security audit or any real review of how the written is created or by whom. We assume, through popularity, that someone else will have checked those things.
After an insecure package becomes popular, another package will build on top of it. Then that package will be assumed secure and another package will be built on top of it. This can just keep continuing upwards without limit as the security vulnerability becomes more and more abstracted away from the code it infects.
We live in a digital and business ecosystem where being first is more important than being the best. This compounds the security issues.
This provides a swiftness never before seen in programming and technology.
But, I have to wonder if our wax wings will melt and we’ll come plummeting back down to the earth. Will we be better for it?
The Turning Point?
I think we live in a very interesting time. A time where our information is simultaneously the most secure and least secure it’s ever been.
I’m excited to see what answers we cook up.