[RE] The State Of Software Security In 2019

by Ciprian Dorin Craciun (ciprian.craciun@gmail.com) on  with regard to reading

About a high-level overview of application development security at the end of 2018.


Overview

Although it doesn’t contribute anything “technical” in nature, it does provide a nice overview of the current security state, from many perspectives (especially related to application development).

Moreover, having lots of references, it could be a useful starting point for someone doing a “state-of-the-art” survey on the subject.

Highlights

The following is the author’s summary:

I hope that this post is useful to a variety of security people: not just engineers, but also UX designers and researchers, project / product / program managers, people and business managers, and operations. […] This post is even more of a link-fest than usual; I hope that’s useful.

The high-order bit in much of the below is complexity. Hardware, software, platforms, and ecosystems are often way too complex, and a whole lot of our security, privacy, and abuse problems stem from that.

The following statement I couldn’t agree more with (especially since I’ve tasted a little bit of the npm madness…)

Dependency slurping systems like NPM, CPAN, go get, and so on continue to freak me out. They might potentially be more dangerous than manual dependency management, despite the huge risks of that practice, precisely because they make it ‘easy’ to grow your project’s dependency graph – and hence the number of individuals and organizations that you implicitly trust.
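The point in the quoted passage, that a dependency manager quietly enlarges the set of people whose publishing credentials can change code running in your project, is easy to make concrete by walking a lockfile-style graph and counting the transitive closure. The following is an added example, not code from the original post or from the article it reviews; the package graph and maintainer names are constructed for illustration and do not correspond to any real registry entry.

```python
"""Measure how many packages and maintainers a project implicitly trusts
once transitive dependencies are included.

Added example, not from the original post. The registry below is a
constructed, lockfile-like graph: package -> (maintainer, [dependencies]).
All names are hypothetical; nothing here describes a real npm/CPAN package."""
from collections import deque

REGISTRY = {
    "webapp":          ("acme-team", ["http-client", "template-engine"]),
    "http-client":     ("alice",     ["url-parse", "tiny-retry"]),
    "template-engine": ("bob",       ["escape-html", "tiny-retry"]),
    "url-parse":       ("carol",     ["punycode-lite"]),
    "punycode-lite":   ("dave",      []),
    "tiny-retry":      ("erin",      ["is-number"]),
    "is-number":       ("frank",     []),
    "escape-html":     ("bob",       []),
}


def transitive_dependencies(root, registry=REGISTRY):
    """Breadth-first walk from root; returns every package pulled in.

    The visited set guards against cycles, which real lockfiles can contain;
    root itself is discarded so a cycle back to it does not inflate the count."""
    seen = set()
    queue = deque(registry[root][1])
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(registry[pkg][1])
    seen.discard(root)
    return seen


def trusted_maintainers(root, registry=REGISTRY):
    """Maintainers whose publishing rights reach code that runs in root:
    the union of maintainers over the transitive closure."""
    return {registry[pkg][0] for pkg in transitive_dependencies(root, registry)}


def trust_report(root, registry=REGISTRY):
    """Compare what the developer declared (direct) with what actually
    gets installed (transitive), in packages and in distinct maintainers."""
    direct = set(registry[root][1])
    full = transitive_dependencies(root, registry)
    return {
        "direct_packages": len(direct),
        "transitive_packages": len(full),
        "direct_maintainers": len({registry[p][0] for p in direct}),
        "transitive_maintainers": len(trusted_maintainers(root, registry)),
        # Packages the developer never chose but now runs.
        "hidden_packages": sorted(full - direct),
    }


if __name__ == "__main__":
    for key, value in trust_report("webapp").items():
        print(f"{key}: {value}")
```

On the constructed graph the project declares two dependencies from two maintainers but ends up running seven packages from six maintainers; the gap between the two rows is the implicit trust the quote is talking about. Against a real project the same walk would be driven by the actual lockfile and registry metadata, and the maintainer set is the useful number to track over time, since it only ever seems to grow.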

And in the end, two goals that I think are important for the future “sanity” of our ecosystem. (Although I really doubt they’ll become true any time soon…)

Here’s what I want to see in 2019: