The Stack Overflow Podcast

Feeling insecure about your code's security?

Episode Summary

The home team talks about developer-first application security, the benefits of security-as-a-service, and whether a TikTok trend is GDPR-compliant.

Episode Notes

This “Trojan source” bug (get it?) could threaten the security of all code.

In its annual report on its user community, GitHub found that developers appreciate automation, reusing code, and remote work. (No surprises there.) 

Ceora explains how automation and code reuse are game changers for independent developers and how this logic is spreading to big tech companies, too.

GitHub’s first Chief Security Officer has the company focused on keeping your repo secure.

GDPR makes you legally responsible for data someone else shares with you. That’s just one of the reasons it’s not a good idea to solicit personal information through a form and then read those secrets on TikTok.
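The Trojan Source bug in the notes above works through Unicode bidirectional control characters: the editor renders the source in one order while the compiler reads the raw code points in another, so a comment or string can hide what is really there. The scanner below is an added example, not code from the episode or from Krebs on Security; the BIDI_CONTROLS set is the Unicode Bidi_Control characters, and the sample snippet is constructed for the demonstration.

```python
"""Flag Unicode bidirectional control characters in source text.

Added example for the Trojan Source discussion. A reviewer or CI step can run
find_bidi_controls over every file and fail the build when anything is reported.
"""
import unicodedata

# Code points with the Unicode Bidi_Control property: these reorder or override
# the display direction of the surrounding text. Assumption: source code has no
# legitimate need for any of them, so every occurrence is worth a report.
BIDI_CONTROLS = {
    0x061C,                                   # ARABIC LETTER MARK
    0x200E, 0x200F,                           # LEFT-TO-RIGHT / RIGHT-TO-LEFT MARK
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # embeddings, pop, overrides
    0x2066, 0x2067, 0x2068, 0x2069,           # isolates and pop isolate
}


def find_bidi_controls(text):
    """Return a list of (line_no, col, "U+XXXX", name) for every bidi control.

    Lines and columns are 1-based so they can be pasted into a review comment.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) in BIDI_CONTROLS:
                hits.append((
                    line_no,
                    col,
                    f"U+{ord(ch):04X}",
                    unicodedata.name(ch, "UNKNOWN"),
                ))
    return hits


def is_clean(text):
    """True when the text contains no bidirectional control characters."""
    return not find_bidi_controls(text)


# Constructed sample: a harmless function whose comment carries a
# RIGHT-TO-LEFT OVERRIDE (U+202E), which an editor would render invisibly.
SAMPLE = (
    "def is_admin(user):\n"
    "    # check role \u202e (constructed: an override hides in this comment)\n"
    "    return user.role == 'admin'\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {line_no}, col {col}: {cp} {name}")
```

Run it over a real tree by reading each file with `errors="surrogateescape"` and calling `find_bidi_controls`; a non-empty result is the signal to stop the merge and look at the line by its raw code points rather than in the editor.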

Episode Transcription

Ben Popper The only thing that's protecting you at a real level from a serious threat actor is that like, you're not an interesting target, right? [Ceora laughs]

Ceora Ford Hopefully never.

Ryan Donovan Career goals.

BP Yeah, career goals. Want to have a target on your back.

[intro music]

Couchbase Capella DBaaS is flexible, full-featured and fully managed — with built-in access via K/V, SQL and full text search. It’s blazing fast, yet surprisingly affordable. Visit couchbase.com/stackoverflow to try Capella today for free - no credit card required.

BP Hello, everybody. Welcome back to the Stack Overflow Podcast. I'm your host, Ben Popper, joined as I often am, by my wonderful co-hosts, Ryan and Ceora. Hi y'all.

CF Hello!

RD Hey! How yinz doing today?

BP Yinz pretty good. If you have suggestions for gender neutral or wonderfully regional--

RD It's the second person plural. 

BP Second person plural. We're accepting suggestions. So today, I wanted to start off with something from the reader mailbag, because we get these sometimes, and I don't always remember. So a listener emailed to ask us to discuss a story from Krebs on Security, a very well known and long time source for serious security news. The headline reads 'Trojan source bug threatens the security of all code' which sounds a bit alarmist. But Ryan, I saw you responded to it and said, holy crap, this is a wild bug. So walk me through a little bit of what's happening here. And then we can discuss what it means.

RD Okay, so I scanned through it. But basically, the bug isn't in code itself. It's in Unicode. So they can put these Unicode basically substitution characters within comments. And unless every open source repository is checking comments pretty hard, it can slip something in that'll, at compile time will turn into different code.

BP So this is a Unicode character, you slip into the comments that at compile time, transforms into something that is meaningful to the code?

RD Control characters is what they're called.

CF Did the article ever mention that this bug was introduced into like, a real world project or product before? And like, kind of messed things up?

RD I'm not sure. But it may be one of those, like, research bugs that somebody found, like, I don't know if anybody has successfully implemented like, Rowhammer, memory bugs, or the ones where you listen to the computer to get the timing. 

BP Yeah, I mean, the funny thing is, they're like these very technically interesting and dangerous sounding bugs. And then in the end, what works for the people who commit cybercrimes it's just like blunt force, mass mail ransomware, where they just send 10 million emails and get lucky 200 times.

RD It's just using existing bugs against unpatched computers, that's basically the big, big problem.

CF I always get nervous about cybersecurity stuff, because I think I've said this before, but I'm not. I tried to be relatively safe with like, tech things. Just like in general, even when it comes to like building my own projects and things like that being like, you want to make sure that your API keys aren't visible to the world, all that kind of stuff. But I feel like there's a whole world there that I'm missing out on. And if I knew more, I would probably be like, Wow, it's a shock that no one has ever hacked me, thus far. This kind of stuff always makes me realize, like, there's so much I don't know, in the cybersecurity space. Honestly, I don't really know where to start to learn more. But yeah, I always have this realization for articles like these, like, bring things to my attention that I could never even imagine. 

BP Yeah, I mean, I think the only thing that's protecting you at a real level from a serious threat actor is that like, you're not an interesting target, right? 

RD Not yet. [Ceora laughs]

CF Hopefully never.

RD Career goals.

BP Yeah, career goals. Want to have a target on your back. I just mean, like, if you become a corporation, you need a cybersecurity team. I'm sure if you're a very wealthy and famous individual, you have your sort of like own private cybersecurity, like you have a bodyguard. You know, there's no way an ordinary person can keep up with all the evolution of flaws and vulnerabilities. But luckily, you don't have to think about it that often, you can sort of fall back on, you know, the companies that you're using, the platforms that you're using. You know, you make a good point, which is like, as soon as you become a developer, and you're working on independent projects, solo projects, and you're sharing them online, then you do have to worry about security for yourself and for your users. And so we've had a couple of interesting guests on the podcast and I think this is an emerging sort of business, which is like security as a service, you know, like, let some other company create this. And they have an API or you know, they have a set of integrations. And you can pay a small fee, basically, to keep your security, you know, patched and up to date.

CF I think maybe one thing that I would like to learn more about in the future is like security, authentication, all that kind of stuff, because I don't have like a big project that has like users and things like that. I know tons of developers who do and I would fear that if I have like an online store where you can make an account and you give us your card information and all that kind of stuff, I don't feel like I know enough about all that stuff yet to like be able to feel comfortable with people giving me that information. So if I ever decide to go that route, like so many other people, I would definitely have to do some more research for sure.

BP I think that's the area where microservices come in, like you build your project that has some new utility or some community around it, and then you use something like Stripe for payments, and they handle all the security and you just plug it in.

RD Or you have your own security microservice if you're big enough, but I think yeah, that is a place where there's a lot of libraries out there, a lot of things just to handle the security for you. And really like most of regular security is just, you know, having good firewalls and updating your system, installing all the security patches.

BP Always be patching.

RD Always be patching.

BP Paul Ford had a story he liked to tell about this. He made like a joke on Twitter about anxiety box, which was like a little thing where you could put your anxieties in there. And it would like remind you, and it's sort of like, you know, when you'd like write down something you want to forget, and then you burn it. Sort of like, you know, you make it material, you make it an object, and then you can sort of like get some emotional distance from it. So he made this thing anxiety box, and joked about how it was a good way to deal with that stuff. And people could send him stuff, and he made it like open. And then he woke up the next morning, and like 800 people had put, you know, their medical history and psychological problems into this Google spreadsheet, and now he's responsible, you know, in some way for protecting the privacy of this, like very sensitive data, like he really didn't want to do that. [Ryan laughs]

RD He just learned about HIPAA real fast.

BP Yeah, be careful when you open the door. People will come charging right in.

RD I mean, people need a space for their secrets. Like there's a site that did that a while back. And, you know, that's basically what Catholic confession is right? It's a heavier anxiety box.

BP That's a literal anxiety box.

CF This just made me think of this trend on TikTok, where some people what they do is they'll have like a Google Form, where people will like send them like confessions. And what they do is they make a TikTok like reading people's confessions. And they have like, tons of videos like where they just go through like some of the weirdest stuff that people have been like, admitting to and it's kind of weird. I just thought about that just now though. And like, I never would have considered like, yeah, this is sensitive information that you probably shouldn't be sharing with a stranger on the internet. But like, you know, you can't control what people do so.

BP Yeah, some people will send it from what's clearly, you know, an anonymous ProtonMail. And some people send it from like, first name dot last name at Yahoo. And it's like, we shouldn't do that. 

RD Well, they're consenting to have it read. And then it's also depersonalized. Right? It's just like, here's my secret not attached to me.

BP The thing about GDPR is that the like, once you become like a controller of the information, you have a lot of responsibility. So if that person sent you the email from Europe, and then later they asked to delete it, or you know, it gets shared in a way that they didn't want, you're legally responsible. Even if you don't live in Europe, and you have no idea where this person is from.

RD Y'all TikTok users better--

CF Be careful!

RD Get GDPR compliant.

BP Get GDPR compliant, quick. Alright. So I had a link here. It's the latest GitHub survey finds developers like automation, reusing code and remote work. Which, okay, duh, I kind of get all that. But I did think there's some interesting stuff in here as it relates to Stack Overflow and Stack Overflow for Teams, which is basically that, you know, this idea of having things which are pre-made, and that you can borrow from, which is, you know, essentially what you know, a library is, is incredibly useful and commonplace, we know people are copy pasting from Stack Overflow all the time. And that increasingly, this is something that teams are building into their DevOps pipelines, their workflows, to make it easier, especially at scale for folks to work quickly and reliably. I guess I put it out to the two of you, in what ways do you find, you know, automation, or code reuse becoming part of the way you do work? Or, you know, do you think this has always been the case, we're saying, this is modern, but really, this is just the way it always has been?

RD I mean, I think a lot of the automation code reuse, even though it makes things easier, there's a little bit of a barrier to entry to set it up. You know, even we use Monday.com and it's still a little bit of like logic programming to get it to work, right? Even though there's no code at all. It's just putting down words. And as far as code reuse, I don't really use code the first time, I just talk about it.

CF I will say that I feel like all these like microservices and libraries that we rely on, I feel like that's probably something that's fairly new. I'll say for myself, too, when I was first learning how to code and I learned about like, oh, you can use other people's APIs and libraries to like, build projects, build your applications, whatever. I thought that that was like cheating. I thought like, I'm stealing someone else's code. And I'm not really like doing the logic myself. But now, do I feel that way now? Absolutely not. Because especially for like small startups or like solo founder, indie founder, whatever, indie maker is what they call themselves. Thinking about some of the products that people like that built, there's no way that they could build like all that kind of stuff from scratch. I know there's like tons of different projects out there. There's ones where it's like, oh, if you want to travel somewhere, there's one website, I forget the exact name. But it basically tells you like what the weather's like there, what the safety levels are, like all that kind of stuff. And like popular tourist locations, or popular cities around the world. And this was built by one person. And I'm sure that if they had to, like, build everything from scratch, they wouldn't have been able to launch that product as quickly, as efficiently, as they have. 

RD They don't have thermometers all over. 

CF Yeah, like, they don't have tons of stuff that is needed for that kind of thing. And I guess we're seeing like that kind of creep into, like the big tech world as well, where more now, bigger companies are also like, okay, instead of us relying on building this code out ourselves, let's just use a company or a product that did it already. Which is interesting. I think that presents different problems. But I do think it helps, it can help, to cut down on like, development time, and even like your error margin and all that kind of stuff.

RD I mean, I think it's a little more democratized now, because it's open source, and it's free, and it's an API you just hook into, but I think it's been going on forever, you know, you have an operating system, and, you know, maybe you'll get one of the libraries, the file management libraries would be from somewhere else that the operating system makers just purchased.

BP I mean, version control, modern version control, and being able to do that online, you know, remote, distributed, in real time, I think was a pretty huge change, right? It used to be you had to go out and get a disk, or you had to get the software somewhere, bring it home, maybe you were borrowing somebody's stuff, but there was no way for them to update it to you or for you to pass changes back to them. You know, obviously, with like Linux and stuff that began to happen over listservs and bulletin boards, and you know, people could, you know, flow back and forth. But yeah, sort of the, the modern npm install, you know, libraries, APIs, and microservices everywhere, where you can literally, you know, you're like grabbing building blocks off the shelf, as you're coding something at home, that feels like it's coalesced in the last four or five years into something that, you know, makes starting from scratch pretty, pretty easy and pretty amazing.

CF The cool thing about these things is that they're built by other developers and other developers know what our main pain points are. So like, we just talked about security, there's a couple other things that developers, when you're building a project a lot of developers just don't want to deal with, they want to just build the core logic of whatever they're building, and all the other extra stuff like deal with later, or deal with never, or as little as possible. And because other developers are like aware of what these pain points are, they've created so many cool services that like will take that off of you. I do think that it can present like other problems, though, for instance, like, if someone changes their API, they change something about their product and you're not aware of that. It could trickle down to like the core like, again, the core logic of your whole application. And like, like, for instance, I think people usually like to turn to the whole, like online store example, because that's easier to understand. But like, if you're using an outside service to handle your authentication, and all that kind of stuff, and they change something, and it's a breaking change that could ruin like your whole store. So your users can't even make purchases and things like that.

BP This is from November 4 2021, 'popular coa NPM library hijacked to steal user passwords'. So like somebody hijacks, you know, a library that everybody's just using, as you know, plug and play, and all of a sudden, and this happens on Stack Overflow, too, you're essentially copy pasting a security vulnerability to every new project that uses this.

RD Yeah, I mean, anytime you use something that somebody else maintains, it's liable to be changed underneath you. I have this Chrome plugin that basically puts tabs to sleep because I'm a monster with tabs. I have 100 tabs open right now. If I wasn't using them, it would put them to sleep. And I think that's great. Not using up memory. At one point it got taken over by a different project runner and started to insert ads secretly into everything.

BP Is it mining Bitcoin in the background with your CPU? 

RD I was like, oh, geez.

CF I guess like a lot of these companies like the bigger companies like the ones they handle like security and authentication, and this and that, whatever. I think they tried to make their users aware of like, the changes they're making that could potentially be breaking changes. But like, of course, especially if you really are just doing the plug and play thing where you're just like, I'm just gonna copy and paste this and hope for the best and you don't really know what's going on. Like, you might not really understand what those changes are, which could be a problem if they do end up interfering with like, yeah, your application. 

RD Even if they're doing their best due diligence to let everybody know, like, it's not always gonna filter down to everybody if you just have something as a dependency sitting in your repo. 

BP Yeah. I mean, the truth is that we rely on the big platforms to look after this for us, like you would rely on your operating system, your email provider, your browser to do so much of the work for security, and probably you would start to rely on, you know, your IDE or your version control system to give you these kinds of warnings. In the future, you would hope that they're running these kinds of checks in the background. I know GitHub has actually announced a pretty big focus for the next couple of years on trying to help improve developer security, essentially, by alerting people who are using plug and play technologies, you know, or borrowing from libraries when things might include a vulnerability.

RD That dependency check. 

BP Yeah, exactly. Let me just give a shout out to Joseph Clem from Bluemont Communications for sending over that Krebs On Security link. Joseph, thanks for sharing with the show. We appreciate it. We're always interested to hear what people want us to talk about. 

[music]

BP Alrighty, it is that time of the show. Thanks today to Oliver Rodini, who helped answer the question about 'how do you clone an array of objects in TypeScript?' Alright. Thanks for listening to the show everybody. I am Ben Popper. You can always find me on Twitter @BenPopper, email us podcast@StackOverflow.com. And if you like the show, leave us a rating and a review. It really helps.

RD I'm Ryan Donovan. I edit the blog and the newsletter here at Stack Overflow. You can find me on Twitter @RThorDonovan. And if you have a great idea for a blog, please email me at pitches@stackoverflow.com.

CF And I'm Ceora Ford. I'm a developer advocate at Apollo GraphQL. And you can find me on Twitter @ceeoreo_.

BP Alright, everybody. Thanks for listening and we'll talk to you soon.

CF Bye!

[outro music]