Mitigating the Supply Chain Crisis with WebAssembly

Mitigating the Supply Chain Crisis with WebAssembly

There is nothing more chaotic today than the current state of cybersecurity.

In my latest article in The New Stack, “How Web Assembly Can Mitigate the Software Supply Chain Crisis,” I discussed the relative ease with which today’s predominant method for building software allows for malware infection across all components of an application.

Until now, the method for building software relied on the aggregation of software components that often lack distinct security boundaries between them.

There are many examples where cybercriminals exploited application vulnerabilities to remotely execute attacks. Most notable are the Log4jShell vulnerabilities that have impacted nearly every Java application. The vulnerability stems from widely used methods to construct applications in two layers – the application requirements and the non-functional requirements (NFRs).

The coupling of business logic and specific libraries that support functionality creates vectors for attack or exploitation of development weaknesses.

What’s behind the attack vulnerabilities?

Enterprise applications include dozens of NFRs (web servers, web clients, database connections, message queues, logging software, and countless others). These NFRs may be compiled into the same single binary as libraries with the business logic.

When a vulnerability occurs in one of these libraries, millions of updates are required to remediate it. There must be a better way to build and deploy secure software.

Developers routinely copy and paste code to to re-apply patterns and practices, however, this only spreads vulnerabilities across a larger surface. The efficiency of copy and pasting code is quickly surpassed by the remediation effort when a zero-day vulnerability is discovered. Hundreds to thousands of components that reside in multiple applications often are impacted.

While organizations invest in many security platforms to protect applications, each platform requires a security operations team to employ it. With an increased deployment of applications the cost of cybersecurity rises rapidly as teams rush to compensate with automation and third party tooling.

Cybersecurity teams have a vested interest in encouraging developers to embrace a methodology for building secure applications as quickly as possible. Wasm may be the answer.

The power of WebAssembly (Wasm) – a portable byte code format and a corresponding text format for building applications in a sandboxed execution environment that runs in memory – exists as a mechanism through which developers can create truly secure applications.

Wasm addresses the root of most cybersecurity woes by enforcing distinct security boundaries among aggregated software components. It virtualizes external dependencies in a way that eliminates the need to continuously update vulnerable application components. Adopting this novel development approach can secure applications by default.

There’s clear reason the Cloud Native Computing Foundation (CNCF) is leading the effort to create an application development platform based on Wasm. At its core is wasmCloud – the distributed application runtime for WebAssembly.

I outlined the security benefits of WebAssembly, and by extension wasmCloud, in the linked article, including:

  • making it possible to securely create and run applications on any platform using a universal application runtime for building cloud native applications
  • moving beyond the architectures that have created a cybersecurity nightmare and grow worse with the deployment of new applications
  • the companies and open-source projects that are using WebAssembly and consortiums promoting its adoption
  • the ease of deployment on top of existing IT environments, support for and integration with modern cloud native enterprises
  • the reduction of the overall size of attack surfaces needing defense, which in turn can reduce the cost of cybersecurity

I believe Wasm, when combined with the wasmCloud universal runtime layer, are poised to forever change how developers build, deploy, and manage distributed applications running at the network edge, in the cloud, and everywhere in between. Emerging is an architecture that enables developers to build and deploy applications that are secure by default, without having to distinguish between what should be an application requirement versus an NFR to build a secure application.

WebAssembly could be just what security professionals have been waiting for.

Recent Articles

Mitigating the Supply Chain Crisis with WebAssembly

There is nothing more chaotic today than the current state of cybersecurity.

Wasm Beyond the Browser: Use Cases at Scale

During Cloud Native Wasm Day, Adobe’s Colin Murphy talked about how Adobe is using WebAssembly within its flagship web browser-based products Photoshop, Lightroom and Acrobat.

Why WebAssembly Belongs Outside the Browser

Here at Cosmonic, we believe that WebAssembly is the future. In talking to developers we found that many people still have questions about why WebAssembly would be useful for them.