On the Insecurity of Software Bloat
Good essay on software bloat and the insecurities it causes.
The world ships too much code, most of it by third parties, sometimes unintended, most of it uninspected. Because of this, there is a huge attack surface full of mediocre code. Efforts are ongoing to improve the quality of code itself, but many exploits are due to logic fails, and less progress has been made scanning for those. Meanwhile, great strides could be made by paring down just how much code we expose to the world. This will increase time to market for products, but legislation is around the corner that should force vendors to take security more seriously.
Adam • February 15, 2024 7:27 AM
I remember watching a video with Brian Snow (of NSA) and Dan Geer (of In-Q-Tel) and Brian talked about how they took a standard office package and were able to remove 80-90 % of the code and still maintain all the functionality. Because of inefficiencies in the code and poor working structure of the people who wrote it. It is in this video:
https://www.youtube.com/watch?v=vM2pcRtOb6Y