> Is it really that hard to write native code these days? To me as a consumer, it also really drives home the idea that security isn't paramount for these developers; it's an afterthought and a bit of a gamble, really.

The thing that worries me though is that almost every CVE targeting Chromium is inherited by Electron. I have a ton of complaints about Electron "apps", but my biggest by far is that it's simply too gigantic and includes so much code from so many places that building simple apps like a password manager or a glorified IRC client with it (and you know people send passwords and other sensitive info in Slack) is not just a bad idea, but kind of ridiculous. I don't know if it's because I'm old or what, but what I learned in my early days (had drilled into my brain by coworkers, actually) about security is that, as a general rule, the simpler you can make your application, system, OS, etc., the easier it is to secure it. This is one reason I left 1Password - there was no need (other than profit) to move to Electron, but they did anyhow, likely to save money even though they are drowning in cash.

Many attacks these days chain together flaws from different vendors that by themselves aren't that big a deal, but in combination will give you the keys to the kingdom. Design flaws are easier to spot if the API is open, and MS is famous for hiding APIs.

But security researchers are starting to get better tooling to both watch what the black hats are doing AND methodically analyze the software in use. As we see Microsoft jump on the Rust bandwagon, we may see fewer issues in this area. I'd argue that many categories of flaw are due to compiler choice more than anything else. But many flaws exist whether the source is open or closed; it's just as easy to run fuzzing and opcode analysis over Microsoft software as it is over Linux software, and in general, the MS stuff gets more eyeballs, both black hat and white hat.

> Some flaws can be minimized due to the source being open. We recently had an OSS flaw discovery, found due to 0-day use, that has been present since the 1990s.

I don't quite follow that.