Index ¦ Archives ¦ Atom

Code reuse is good for security

I was listen to a podcast1 recently and Stephen Ridley from Senrio said "code reuse is vulnerability reuse" and I don't like that.

I don't think Stephen is wrong, I think he is correct in a way and he is a very smart person. The problem is that you just can't squeeze a huge amount of subtlety and nuance into a three second soundbite.

I believe we are better off overall when we do reuse code. For example I was recently working on a project where I had to take untrusted user input formatted as CommonMark and render it as HTML. I could have tried to write my own parser to do that but instead I used the CommonMark-py library to change the CommonMark to HTML and then used Mozilla bleach to whitelist only the HTML tags we want.

Either of those libraries could have horror show bugs in them just waiting to be found and get me pwned, but I'd trust Mozilla to do a better job of sanitizing HTML than I can.

Or in the specific example they were talking about on the podcast; A number of IoT devices were using the gSOAP library and there was a remote code execution bug in the library which affected millions of devices. That's bad. But I still think these devices were better off using an existing library than each different vendor trying to write their own SOAP library and getting it wrong in their own unique way2.

Importantly though you need a way to track and patch all your libraries quickly and painlessly when issues do inevitably come up.

While code reuse is vulnerability reuse, I'd rather be responsible for software with a large number of (well supported, actively tracked and easily patched) 3rd party libraries than need to look after software where everything is written in house.

On balance I think that "code reuse is good for security"

  1. Risky Business #465 At 43:28 in. 

  2. Although this brings up another issue which is that monoculture is bad, because when a vulnerability does crop up it can spread like wild fire. 

Creative Commons License
Content on this site is licensed under a Creative Commons Attribution 4.0 International License.
Built using Pelican. Based on a theme by Giulio Fidente on github.