Although it doesn’t contribute anything “technical” in nature, it does provide a nice overview of the current security state, from many perspectives (especially related to application development).
Moreover having lots of references it could be a useful start for someone doing a “state-of-the-art” on the subject.
The following is the author’s summary:
I hope that this post is useful to a variety of security people: not just engineers, but also UX designers and researchers, project / product / program managers, people and business managers, and operations. […] This post is even more of a link-fest than usual; I hope that’s useful.
The high-order bit in much of the below is complexity. Hardware, software, platforms, and ecosystems are often way too complex, and a whole lot of our security, privacy, and abuse problems stem from that.
The following statement I couldn’t agree more with (especially since I’ve tasted a little bit of the
Dependency slurping systems like NPM, CPAN, go get, and so on continue to freak me out. They might potentially be more dangerous than manual dependency management, despite the huge risks of that practice, precisely because they make it ‘easy’ to grow your project’s dependency graph – and hence the number of individuals and organizations that you implicitly trust.
And in the end two goals that I think are important for the future “sanity” of our ecosystem. (Although I really doubt they’ll become true any time soon…)
Here’s what I want to see in 2019:
- Socializing policy thinking in the engineering community. It’s time to put on our grown-up clothes. The stuff we do matters (otherwise we wouldn’t do it, right?), and that means we need to think about and deal with the consequences.
- Eroding the idea that memory-unsafety is acceptable, and shipping more software in safe languages that would previously have been written in an unsafe language. This includes not so much straight-up rewrites of existing applications […]; mostly, I see piecemeal, in-place rewrites of components (like Servo), and also new applications in well-established categories (like Xi and CrosVM). New applications also give us a chance to re-think old designs, as Xi notably does (with its cross-platform, client/server, multiple-front-end design).