KISS is back! (Keep IT Security Simple)

It’s not the 1970s rock band KISS I’m referring to, but the old engineering adage ‘Keep It Simple, Stupid’, here adapted to ‘Keep IT Security Simple’.

Simplicity in the user interface is an essential part of a user-friendly system. But how does it look under the hood, and how does complexity affect security?

You should not overcomplicate things; most systems work best when they are kept simple. This realisation has shaped user interface design: most user interface designers know that simplicity should be a key design goal. They do not always succeed, but they are aware of KISS.

JavaScript as an example

How does it look for developers, the people who build the systems and, often, the user interface?

If you happen to follow Hacker News, you will probably have noticed that once in a while the state of JavaScript development is up for debate.[1]

This programming language, which Brendan Eich initially created 22 years ago in just 10 days, has come a long way since it was called Mocha. You may like it or not, but today it is one of the most widely used programming languages in the world; RedMonk’s rankings place it first.[2]

As we want to do more with JavaScript, more libraries and frameworks are introduced. Popular ones such as jQuery, Bootstrap and Angular make things easier, but they also add complexity when it comes to updating and maintaining websites. That complexity erodes security, as Lauinger et al. show in their paper “Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web”[3]:

“In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133K websites, we show that 37% of them include at least one library with a known vulnerability”

Libraries included several times

Another finding is that many websites include the same library several times (sometimes in different versions), which makes it difficult to predict which copy is actually used:

“Composition of content modules or third-party content in the same document can lead to duplicate inclusions of a library and potentially nondeterministic behaviour with respect to vulnerability”

This is not just web developers’ fault, but a consequence of a complex web ecosystem in which JavaScript snippets are included for tracking, advertising and social media widgets:

“surprisingly often, libraries are not referenced directly in a page, but also inlined, or included transitively by other content such as advertising, tracking or social media widget code”

The authors highlight the need for a more thorough and systematic approach to JavaScript library inclusion and dependency management. How are you addressing this situation in your own systems?
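A first, practical step towards the systematic approach the authors ask for is simply to know what a page loads. The following is an added example, not code from the original article or from the paper: a small static audit that reads the `<script src>` includes of an HTML document, extracts the library name and version from the URL path, and reports libraries included more than once (possibly in different versions) as well as versions below a minimum. The minimum versions are an assumed policy, not advisory data; the sample page is constructed for the example. Inlined scripts and scripts injected at run time by advertising or widget code, which the paper found to be common, are invisible to a static check like this.

```javascript
// Added example (not from the original article or the cited paper): a static
// audit of <script src> includes for duplicate and outdated library versions.

// Assumed per-organisation policy: the lowest version still accepted for each
// library. Replace with data from an advisory feed (e.g. retire.js) before
// relying on the output.
const MIN_VERSION = {
  jquery: "3.0.0",
  angular: "1.6.0",
  bootstrap: "3.3.7",
};

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Library name and dotted version must be delimited by "/", "." or "-" so that
// "/jquery-3.2.1.min.js" and "/angular/1.5.8/angular.min.js" both parse.
const LIB_NAME_RE = /(?:^|[\/.-])(jquery|angular|bootstrap)(?=[\/.-])/i;
const VERSION_RE = /(?:^|[\/.-])(\d+\.\d+\.\d+)(?=[\/.-])/;

// Numeric comparison of dotted versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Identify a known library from one script URL; returns null for anything else.
function identifyLibrary(src) {
  // Resolve against a dummy origin so that only the path is inspected: a host
  // name such as code.jquery.com must not be mistaken for a library include.
  const path = new URL(src, "https://placeholder.invalid/").pathname;
  const name = LIB_NAME_RE.exec(path);
  if (!name) return null;
  const ver = VERSION_RE.exec(path);
  return { name: name[1].toLowerCase(), version: ver ? ver[1] : null, src };
}

// Returns every recognised include plus the three findings a maintainer wants:
// duplicates (same library more than once), outdated (below MIN_VERSION) and
// unversioned (no version in the URL, so the policy cannot be checked).
function auditScripts(html) {
  const found = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const lib = identifyLibrary(m[1]);
    if (lib) found.push(lib);
  }
  const byName = new Map();
  for (const lib of found) {
    if (!byName.has(lib.name)) byName.set(lib.name, []);
    byName.get(lib.name).push(lib);
  }
  const duplicates = [];
  for (const [name, libs] of byName) {
    if (libs.length > 1) {
      duplicates.push({ name, versions: libs.map((l) => l.version || "unknown") });
    }
  }
  const outdated = found.filter(
    (l) => l.version && MIN_VERSION[l.name] && compareVersions(l.version, MIN_VERSION[l.name]) < 0
  );
  const unversioned = found.filter((l) => l.version === null);
  return { found, duplicates, outdated, unversioned };
}

// Constructed sample page, modelled on the inclusion patterns the paper describes:
// jQuery is pulled in three times (two versions and one unversioned copy).
const SAMPLE_HTML = `
<html><head>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="/assets/js/jquery-3.2.1.js"></script>
<script src="https://cdn.example.invalid/angular/1.5.8/angular.min.js"></script>
<script src="/vendor/bootstrap-3.3.7.min.js"></script>
<script src="/vendor/jquery.min.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>`;

const report = auditScripts(SAMPLE_HTML);
for (const d of report.duplicates) console.log(`duplicate: ${d.name} -> ${d.versions.join(", ")}`);
for (const o of report.outdated) console.log(`outdated: ${o.name} ${o.version} (< ${MIN_VERSION[o.name]}) in ${o.src}`);
for (const u of report.unversioned) console.log(`unversioned: ${u.name} in ${u.src}`);
```

Run with `node` on the saved file. The file-name heuristics are deliberately simple (a `jquery-ui` bundle would be reported as jQuery, and a renamed or concatenated file is not recognised at all), which is exactly the ambiguity the paper measured: the paper’s own detection had to combine file-name, content and run-time signatures. Treat a report like this as the start of an inventory, and the unversioned entries as the ones to resolve first, because a library you cannot version is a library you cannot patch on schedule.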

Smart Tools for Developers

On a related note, I recently read an interesting interview with Erik Meijer, who worked at Microsoft for many years, where he created LINQ and worked on C# and Visual Basic, among other projects. He now works at Facebook and points out that programmers need smart tools to manage the complexity of software development:

“Our world today is very complicated — we are dealing with distributed systems, all kinds of models, neural nets, frameworks, new languages. We don’t have the mental power to keep on top of every new innovation and idea … your brainpower is your most limited resource, so using smart tools is a good thing. Good developers understand they can’t do everything, and they know how to leverage tools as prosthetics for their brain.”[4]

Hopefully, the smart tools do not add extra complexity and security issues. Keep IT Security Simple.

LINKS:

[1] Node.js is one of the worst things to happen to the software industry
[2] The RedMonk Programming Language Rankings: January 2017
[3] Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web
[4] Conversations with Technology Leaders: Erik Meijer

Author: Dan Mygind

Dan Mygind is a Journalist and Computer Scientist with a strong interest in technology, technology-related businesses, and the transforming effect source code can have on society.
He has worked for startups, SMEs and global IT-organisations such as IBM as a developer, consultant, and IT-architect. With a solid technology background, he has written extensively for a wide variety of publications such as Computerworld as well as writing technical white papers for Microsoft and other companies.
He is also a published author, ‘World Storytellers

Contact Dan Mygind: mygind{at}writeit{dot}dk

The views expressed are those of the author and do not necessarily reflect the view and opinion of Curo Talent.
