We don't write literally everything we use. More efficient, often more robust. Don't roll your own crypto, DB, networking, etc. all at the same time! Dependencies come with risk. Like nasty security holes in things you depend on: failures in the software supply chain.
Different failures have different causes and different players:
* Language -- enables trust
* Ecosystem -- propagates and limits trust
* You -- the consumer of the software
Let's start by talking about the language (especially because Go is @FiloSottile's job ;) ). Provenance is trying to establish a universal name and permanent version for each piece of software.
Can't identify a problem with a dependency without identifying the dependency!
Python: PyPI, pipenv
Rust: http://crates.io , cargo
Node: NPM
Ruby: http://rubygems.org
Go solved this differently: minimum version selection. You specify the minimum version which is OK, then the system will use the highest version which is required by you & your dependencies [ Nice. Dealing with this in Python is a PAIN. ]
Go specifies modules including a URL path that tells you where the code is. That avoids the risk of using old stuff which is taken down. Availability: making sure the code is still available in the future, even if someone rage-quits the internet.
Go proxy protocol from Google will cache code (as long as the license allows it) to ensure availability. You can run your own proxy, it's open. How can you trust the proxy or any central entity, with no trust on first use *and* without requiring authors to do key management?
Solution: the Go checksum database. The goal is to solve "is everyone looking at the same code" rather than "is this the right code". Because if the author is one of "everyone", then they can dispute issues. [ Hey, it's a transparency tree! ]
[ Goes on to describe a transparency tree - basically all the hashes get jammed into a Merkle tree, so you can prove that the hash is a member of the tree and you can't just take it out or change it without the tree checksum breaking. So you just need multiple parties to verify ]
[ If you want an overview of how transparency trees work for SSL certificates, check out: http://www.certificate-transparency.org/log-proofs-work ] [ Transparency trees are very handy. Especially if you don't want to impose UX and key management tasks on end users. ]
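As an added illustration (not code from the talk, the thread author, or the Go project), here is a small RFC 6962-style Merkle tree in Go: it builds an inclusion proof for one entry and verifies it against the root, so a changed or swapped entry no longer verifies. It assumes a power-of-two leaf count and uses constructed go.sum-style lines; the real sumdb uses Go's tlog package and signed tree heads on top of the same idea.

```go
package main

import (
	"bytes"
	"crypto/sha256"
)
// Constructed sample go.sum-style lines (not real module hashes).
var sampleLeaves = [][]byte{
	[]byte("example.com/a v1.0.0 h1:AAA"), []byte("example.com/b v1.2.0 h1:BBB"),
	[]byte("example.com/c v0.3.1 h1:CCC"), []byte("example.com/d v2.0.0 h1:DDD"),
}
// RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
func leafHash(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, data...))
	return h[:]
}
func nodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}
// buildTree returns the Merkle root (leaf count assumed to be a power of two) and
// the inclusion proof (sibling hashes from leaf to root) for the leaf at index idx.
func buildTree(leaves [][]byte, idx int) (root []byte, proof [][]byte) {
	level := make([][]byte, len(leaves))
	for i, l := range leaves {
		level[i] = leafHash(l)
	}
	for len(level) > 1 {
		proof = append(proof, level[idx^1]) // sibling hash at this level
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return level[0], proof
}

// verifyInclusion recomputes the root from a leaf and its proof and compares it
// with the root the client already trusts (in sumdb: from a signed tree head).
func verifyInclusion(root, leaf []byte, idx int, proof [][]byte) bool {
	h := leafHash(leaf)
	for _, sib := range proof {
		if idx&1 == 0 {
			h = nodeHash(h, sib)
		} else {
			h = nodeHash(sib, h)
		}
		idx /= 2
	}
	return bytes.Equal(h, root)
}
```

Because the root is fixed once published, an entry cannot be silently altered or removed without every client that checks the root noticing; that is what lets multiple parties cross-check the log rather than trusting one central entity.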
Ecosystem: on top of this, an ecosystem will build and develop trust relationships. Importing a dependency delegates a degree of trust to it and to its transitive dependencies. A healthy ecosystem fights this like technical debt -- all of those dependencies represent risk.
Go proverb #8: "a little copying is better than a little dependency." [ Note that this suggests that the same security hole would need to get fixed in the copies. That's a real tradeoff. ]
Go also makes sure that only the modules that actually end up in the running code can affect things. For example, if you use a library that uses a 3rd party library for testing, that doesn't end up in your code.
Organization: manages and mitigates trust through
* tracking past vulns
* auditing
* looking at current practices
There's more work to be done in vuln tracking [ heck yeah, see that USENIX Security talk ]
* Tests, fuzzing, and CI
* Security reporting
* Maintenance status
* Sustainability -- this is important for security! If it's one person maintaining and they quit, you can't update any more
Even if you don't have the resources to read all the lines of code that you depend on, you should be looking at all these pieces of the pyramid [ the things in this talk ] first.
Question (from me): if you encourage copying, then how do you encourage getting security holes fixed in the copies? A: That's a real tradeoff. There's a talk in this session about it, in fact!
Q: Really impressive pushing this down into the language and ecosystem level. How about pushing down things like vuln management to the language level as well? A: I think about that a lot, I think tooling and language can help but at their core a lot of these are process issues.
@estark37: can you walk through what happens when malicious code is discovered in the checksum database? A: that's not the job of the checksum database -- it is just there to make sure that everyone sees the same thing. We don't pull out insecure code because it's still real.