Outdated Open Source Library Dependencies
I thought this would be a good starting point, based on recent news about flaws in readily available software that depends on outdated open source libraries.
Software libraries are pieces of code that have been written so they can be reused by future pieces of code, or to tie one piece of software to another. Most (if not all) of the software we use today relies upon libraries so that x piece of software can communicate with y piece of software or to speed up development of z piece of software.
What this means is that if we, as developers, don't keep our library dependencies current with the security flaws found in those libraries while we write our software, we expose our software, and our users, to those same flaws.
Linus Torvalds has a saying that sticks in my head :: "We don't break user space."
By failing to keep our systems (and our software) up to date, we risk breaking user space. This leads to systems getting hacked, systems crashing, or our need to run legacy code on our systems because the software can't support newer things.
A lot of this can be prevented by keeping up with the ever-changing world of library development and security alerts. I admit, I don't have time to read through all of the security alerts I get every day, or to keep abreast of all the changes made to the myriad pieces of software installed on my dev machine, but I do make it a point to update my system at least twice a day.
As a developer I also strive to never have a hard-coded dependency on version x of a library. In the future I hope to have a build system that can keep up with the ever-changing world of software libraries, but for now the best course of action is this: do not build for a specific version of a library, build for the library itself. That way, if and when the library updates, you don't have to change all of your code to accommodate the version change; your build sees the updated library and uses it, and if something does need tweaking it should be a minor rebuild.
Another key to software development is updating your software as regularly as needed when new library updates arrive. Of course, if your software ships its own copies of libraries, you also want to make sure it points to the newly installed version of its dependencies rather than a stale bundled copy.
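As an added illustration of the two points above (hard-coded pins versus tracking the library, and checking what you depend on against known fixed releases), here is a small audit script that is not part of the original post. It parses a pip-style requirements manifest and flags hard pins, pins below a fixed release, and unbounded entries; the advisory table and manifest are constructed sample data, not real packages or advisories.

```python
import re

# Constructed sample advisory data: package -> first release that fixes a
# known issue. Illustrative placeholders only, not real advisory data.
SAMPLE_ADVISORIES = {
    "examplelib": (2, 4, 1),
    "netutils": (1, 0, 9),
}

# Constructed pip-style requirements manifest used as sample input.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0   # hard pin below the fixed release
netutils>=1.0.9     # floor at the fixed release
tinyparser==0.8.2   # hard pin, no advisory, but still frozen
loggingkit          # no constraint at all
"""

SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|~=)?\s*([0-9][0-9.]*)?$")


def parse_version(text):
    """Turn '2.3.0' into (2, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split(".") if p)


def audit_requirements(manifest, advisories):
    """Classify each requirement line; returns {package: (status, detail)}."""
    results = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            results[line] = ("unparsed", "unsupported specifier")
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        fixed = advisories.get(name)
        if op is None:
            results[name] = ("unpinned", "no lower bound; set >= the fixed release")
        elif op == "==":
            # A hard pin freezes the library: it will never pick up a fixed release.
            if fixed and parse_version(ver) < fixed:
                results[name] = ("vulnerable-pin", f"=={ver} is below fixed {fixed}")
            else:
                results[name] = ("hard-pin", f"=={ver} blocks future security updates")
        elif fixed and parse_version(ver) < fixed:
            results[name] = ("floor-too-low", f"{op}{ver} still admits vulnerable releases")
        else:
            results[name] = ("ok", f"{op}{ver} tracks the library, not one version")
    return results
```

Run it against your own manifest and advisory feed in place of the sample data; a `>=` floor at the fixed release is what "build for the library itself" looks like in a manifest.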
Encourage users of your software to always run the latest version and apply updates. I know "update" is a dirty word these days in the world of software design, but if you are offering open source software, provide the updates, provide a way for people to see the impact of not updating (saying "various security updates" doesn't help anyone; be specific about what each update does), and if an update affects security or performance, require it where possible.
We don't want to be the forgotten ones because we failed at keeping people safe. Or worse, the ones who are blamed and demonized because we failed.
~ Ze Angry Wombat ~
As always this post and all posts made on this blog are covered under the HLIN Public License v.2.0
https://alfheimlinux.wixsite.com/alfheimlinux/hlin-license