The increasing complexity of web technologies could open a can of security worms in web applications
Web Development is the gateway drug to software engineering. Especially in the early days in the 1990s you could just fire up Notepad.exe and start hacking together something that you could then publish to the world. The capabilities of browsers were very limited - the worst you could do was copy-paste a script that crashed Netscape. Boohoo.
After the web became commercially interesting the complexity of web applications started increasing. Critical business applications moved to the web, credit card details and other sensitive information was sent over the wire. Together with the increasing adoption this created incentive for hackers and criminal actors to start targeting the web.
Typical vulnerabilities from this era are SQL Injections and Cross Site Scripting (XSS). Together with unmaintained components software with known security vulnerabilities, these two types and variants of them continue to be the most common type of security blunders on the web. Each month SQL Injections and XSS issues continue to be found in established popular Open Source projects like WordPress.
Both SQLI and XSS are essentially all about sanitising the user input. Over the years best practises regarding them and frameworks often take them into account. Using tools Database Abstraction Layers (DBAL) and autoescaping templating engines like Twig often take care of these issues without consideration. However, these still continue to be widespread issues even in new projects, simply because they are easy make and exploit.
Can it be that it was all so simple then?
As of recently though there have been advancement in the field. There have always been innovations in computing, but now the pace is probably faster than ever before. Architectures like Microservices, Serverless and technologies like Angular, Redux come and go through the door faster than Muhammad Ali went to bed in his good days.
Some feel that they're working with "horrible legacy", because the next big thing is already used by rock stars in San Francisco. This magpie developer behaviour is a thing in itself, and you can keep working with older technology just fine. But increasingly the skillset needed to develop even the most basic of things has grown exponentially.
This is best manifested by the fabled Full Stack Developer and DevOps roles. Suddenly it seems a common expectations that developers should know everything from the database layer to the latest CSS rendering techniques as well as trouble shooting networking in a containerized environment.
These things are not rocket science, but they are still complex issues which will take time (and capability) to learn. Installing a tool and doing a hello world with it does not replace hard work, cursing and sweatting required to learning to learn software intimately.
These layers of complexity have always existed. I had no idea how an operating system's multitasking scheduling works when I started working with web development, and I still don't. And I didn't need to, that was the beauty of it. With the advances in browser technology specifically, things have gotten way more powerful and complex.
Users face threats unlike ever before in the history of the web
In the good old days of Web Development (just kidding, nostalgia is never good here) things were relatively simple. You had a server and a browser. These exchanged data and had some hacks like Cookies to make sessions to enable interactive web applications. To deploy your you'd send your code over to the server and be done.
Nowadays a lot of things are much better, we've got loads of top notch Open Source components to use, code is in version control by default and hosting in the cloud costs peanuts. However the individual knowledge required by a single individual to truly understand what is going on under the hood is nowadays virtually impossible. I could've said I was a Full Stack Developer in 2005, maybe in 2010, but certainly not in 2018.
Development of web applications is more complex, but talented individuals can create down right impressive results in a short timeframe. With the capabilities of browsers to execute native code via WebAssembly, and access GPU resources the possibilities are truly endless. However all of this adds up and knowledge of the "low level" tools of the web (HTML, CSS and JavaScript) can be eroded. Abstraction is fine, but once the abstractions become powerful they are also vulnerable to malicious activities.
There are loads of things today that I can do with web technologies, but there are also a lot more things I should take into account. Here are just a few examples of what kind of issues have been widespread in the recent years, that were "not my problem" in 2008:
- Malicious library packages from repository: Installing JavaScript modules from a trusted source (NPM) downloaded malware that downloaded credentials.
- Paying a ransom to restore my database: MongoDB default installation listened to connections from anywhere without auth, leading to extortion of exploited installs
- Setting up a cluster with distributed services: Architecting software that runs tens of domain specific apps - autoscaling to thousands of nodes! For a pet shop website.
- Someone tapping my battery for profit as I surf: Bitcoin and other Cryptocurrencies were all the rage in 2017. Mining on website visitors' browsers is common in 2018.
- Leaking my Excel data when browsing a website: The Spectre vulnerability allows JavaScript to break out of the browser sandbox and read arbitrary data from RAM.
- A CSS keylogger got my passwords: A combination of CSS and a simple web server can be used to create a keylogger to steal what I type locally. A stylesheet.
Conclusion
The web is much better than ever before. In addition to being a great medium for publishing content, it is also a capable application development platform for mobile and desktop devices. Finally the web is the mobile development platform the iPhone originally aspired it to be. The web is everywhere, and Billions of people depend on it every day.
The negative side effects of this is that it is now a tempting target for foul play. For over 25 years the web platform has had an impressive security track record, which continues to this day. Application level exploits are one thing, but we all depend on a small group of people working on browsers, popular libraries like jQuery, React or WordPress.
The big picture is that the web is increasingly critical, yet increasingly built by amateurs who have no idea what they are doing. I certainly fell like I know less each passing day. Even consuming the web is more intimidating nowadays. The web really is better than ever before, but I recommend being more considerate when creating and consuming it.
-- Jani Tarvainen, 02/03/2018