Yellow Flag on Nostr
I may be stating the obvious but I see Murphy’s law as the guiding principle for security and privacy design: “Anything that can go wrong will go wrong.”
Doing manual memory management? Someone will inevitably introduce a use-after-free vulnerability.
User input has to be escaped everywhere? Sorry but you will have XSS vulnerabilities because someone forgot escaping and the reviewer missed it.
Storing users’ location data? Too bad, some attackers will get their hands on it and abuse the hell out of it.
More checks and balances will only get us so far. Patching to stay ahead of the attackers will only get us so far. What really helps is eliminating the potential for mistakes.
Memory-safe languages don’t require every contributor to be an expert in order to avoid memory errors. There are frameworks which will perform any required escaping actions automatically, or even avoid the need for these completely. And you can always reconsider collecting data that you can do without, or you can at least choose not to keep it. You cannot leak data that you don’t have.
As developers, we are sometimes trapped in the mentality that, being experts, we won’t make a mistake. But even if everyone on a project were an absolute expert, all people have their bad days. Systems should not be designed with the expectation of people who won’t mess up.
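As an added illustration of the "frameworks escape automatically" point (example code, not from the original post): a minimal renderer modeled on the MarkupSafe pattern (an assumed design, not any particular framework) where escaping is the default and opting out requires an explicit marker type, shown beside the manual pattern where one forgotten call is enough. The `SafeHTML`, `escape`, `render` and greeting functions and the sample payload are all constructed here.

```python
"""Secure-by-default escaping: the output layer escapes unless told otherwise,
so a contributor who forgets html.escape() cannot introduce XSS."""
import html
import re


class SafeHTML(str):
    """Marker type: markup the developer has explicitly vouched for
    (already escaped or deliberately raw). Everything else gets escaped."""


def escape(value) -> SafeHTML:
    """Escape any non-SafeHTML value; SafeHTML passes through unchanged."""
    if isinstance(value, SafeHTML):
        return value
    return SafeHTML(html.escape(str(value), quote=True))


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template: str, **context) -> SafeHTML:
    """Substitute {name} placeholders, escaping every value by default.
    Forgetting to escape is impossible; opting out requires SafeHTML."""
    def substitute(match):
        return escape(context[match.group(1)])
    return SafeHTML(_PLACEHOLDER.sub(substitute, template))


# Constructed sample input: what a user typed into a "display name" field.
PAYLOAD = '<img src=x onerror="alert(1)">'


def manual_greeting(name: str) -> str:
    """The error-prone pattern: every call site must remember html.escape().
    This one forgot, and the reviewer missed it."""
    return "<p>Hello, " + name + "!</p>"


def framework_greeting(name: str) -> str:
    """Same omission by the developer, but the renderer escapes regardless."""
    return render("<p>Hello, {name}!</p>", name=name)


if __name__ == "__main__":
    print(manual_greeting(PAYLOAD))     # raw tag reaches the browser
    print(framework_greeting(PAYLOAD))  # rendered as inert text
```

The design lesson is in the type signature: the only way to emit raw markup is to wrap it in `SafeHTML` on purpose, which is a deliberate act a reviewer can search for, rather than an omission a reviewer has to notice.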