Every piece of software we use requires some trust. Whether it’s a content management system, an office suite, or an operating system, every app we install is a small leap of faith.
We need to be confident, for example, that it is secure, that it respects our privacy, and that it works as expected. In other words: we must believe that the developer created the app in good faith and that using it will not cause harm.
That belief is tested daily. Security flaws, malicious attacks, and bugs of all kinds create huge challenges. And much of an app’s reputation depends on how the developer responds to these crises.
But as we see more and more often, trust does not rest entirely on the main application developer. It also extends to the third-party scripts and libraries that their product uses.
One prime example is the Log4j vulnerability. A flaw in this popular Apache logging library allowed an attacker to run arbitrary malicious code. Its effects can be devastating.
As if that weren’t bad enough, resolving the vulnerability has been extremely complicated given the number of apps and service providers that use Log4j. Each app that bundles the library had to upgrade its own copy and then distribute the fix to its users. That process is repeated for every app in the chain.
For web designers, this hits home on multiple levels. We have put our trust in many apps (especially open source ones), and many of those apps have third-party dependencies of their own. That puts us and our clients at risk.
Let’s take a deeper look at the issue and what web designers can do to stay safe.
Open Source Software Is of Particular Concern
The Log4j saga opened a proverbial can of worms regarding open source software in particular. In the United States, the White House met with major tech firms about the security of foundational software that is widely used and maintained by volunteers.
Common examples include WordPress, Node.js, React Native, and OpenSSL. In addition, Google has published a list of over 100,000 projects that it considers “critical”. Everyone depends on them: governments, corporations, educational institutions, right down to personal and small business websites.
This does not mean that any item on the list is inherently insecure. Rather, it is a measure of the potential impact of a security flaw. As the OpenSSF Critical Projects Working Group (WG) puts it:
“For our purpose, an OSS (open source software) project is a critical OSS project if it can have a major impact if it has a significant unintended vulnerability, or is biased in its source repository or distribution package(s).”
Limited Volunteers and Resources
To be clear, security holes are not limited to open source software. Large proprietary projects from the likes of Apple, Microsoft, and other tech behemoths have their fair share.
The difference is that these companies have the resources to ensure that issues are resolved promptly once they are discovered. Projects that rely on volunteers may not have that luxury. Someone may first have to find a knowledgeable person who can take appropriate action in time.
And if a project is no longer maintained? That paints a huge target on anyone who uses the software, whether they know it or not.
The beauty of these projects is that their volunteers are extremely dedicated. We often praise those who work behind the scenes on WordPress, for example. The willingness of people to give their time and talent is a wonderful thing.
But as Morten Rand-Hendriksen points out, some major systemic issues need to be addressed:
“We are still acting as if these are small recreational projects that we are slaughtering in our parents’ basements. In fact, they are mission-critical, often at government levels, and what brought us here is no longer enough to put us anywhere but chaos.”
It’s commendable that a group of people, no matter how small or how long they have been at it, can build an app that affects the world. But there is no guarantee that the project will be sustainable in the long run. That can be a problem.
What Can Web Designers Do?
As web designers, we are in an awkward position. Much of what we do these days depends on open source projects, and we reap their benefits every day.
The good news is that none of the issues outlined above mean we have to abandon open source, and we should not. There is too much value in our favorite projects to turn away from them. If many of us did that, it would probably make matters worse.
Instead, we should think carefully about the apps we use. Understand the project, who is involved, and the challenges they face. Look at its reputation within the industry and its longevity. Examine its changelog to see how often updates are released and how quickly security fixes ship. Consider volunteering your time if you can.
It is also important to look at the third-party dependencies a project pulls in. They can be hard to identify, especially transitive ones (dependencies of dependencies) and nested duplicate copies of the same library, but the effort is well worth it.
Then there is the role of service providers like web hosts and APIs. They are additional links in the chain. Even if we are sure that an app we installed is safe, we still rely on these providers to maintain their systems. Monitor them as closely as possible and do not be afraid to ask questions.
Putting blind trust in software is not wise. And while it may feel almost impossible to keep up with all of this, it is now an essential part of the job.
Realistically, we will not be able to find every issue before it becomes something bigger. But we can keep an ear to the ground and be proactive about the software we use.