As if this weren\u2019t bad enough, patching the vulnerability became incredibly complex<\/a> due to how many other apps and service providers utilize Log4j. This meant that each app had to upgrade its copy of the library, then distribute the fix to users. The process has to repeat again and again.<\/p>\n For web designers, this hits home on several levels. We put our trust into many apps (particularly open-source). And many have third-party dependencies. It puts us and our clients at risk.<\/p>\n Let\u2019s take a deeper look at the issue and what web designers can do to stay safe.<\/p>\n The saga of Log4j has opened up a proverbial can of worms regarding open-source software in particular. In the United States, the White House held a meeting<\/a> with top tech firms regarding the security of widely-used foundational software that is maintained by volunteers.<\/p>\n Popular examples include WordPress<\/a>, Node.js<\/a>, React Native<\/a>, and OpenSSL<\/a>. Beyond that, Google has published<\/a> a list of over 100,000 projects that are deemed \u201ccritical\u201d. They\u2019re relied on by everyone from governments, corporations, educational institutions \u2013 right down to personal and small business websites.<\/p>\n This does not mean that any of the items on the list are inherently insecure. Rather, it\u2019s a measure of the potential impact a security flaw could have. As the OpenSSF Securing Critical Projects Working Group (WG) states<\/a>:<\/p>\n \u201cFor our purposes, a critical OSS (open-source software) project is an OSS project that can have an especially large impact if it has a significant unintentional vulnerability, or if it is subverted in either its source repository or distribution package(s).\u201d<\/p>\n<\/blockquote>\n To state the obvious, security holes are not limited to open-source software. Big proprietary<\/a> projects from the likes of Apple, Microsoft, and other behemoths of tech also have their fair share.<\/p>\n The difference is that these companies have the resources to ensure any issues, once discovered, are promptly fixed. Projects that rely on volunteers may not have such luxuries. Some may need to scramble to find someone knowledgeable who can take appropriate action in a timely manner.<\/p>\n And if a project is no longer maintained? It places a huge target on anyone using that software \u2013 whether they know it or not.<\/p>\n The beauty of these projects is that their volunteers are incredibly dedicated. We\u2019ve often saluted<\/a> those who work behind the scenes of WordPress, for example. The willingness of people to contribute their time and talents is a wonderful thing.<\/p>\n But as Morten Rand-Hendriksen points out<\/a>, some major systemic issues need to be addressed:<\/p>\n \u201cWe are acting as if these are still little hobby projects we\u2019re hacking away at in our parents basements. In reality, they are mission-critical, often at government levels, and what got us here is no longer sufficient to get us anywhere but chaos.\u201d<\/p>\n<\/blockquote>\n It\u2019s admirable that a group of people, no matter how small or far-flung, can build an app that makes an impact on the world. But there are no assurances that the project will be sustainable over the long term. That can be problematic.<\/p>\n As web designers, we are in an awkward position. So much of what we do these days relies on open-source projects. And we reap the benefits<\/a> of them every day.<\/p>\n The good news is that none of the issues outlined above means we have to abandon open source \u2013 nor should we. There is too much value in simply turning our backs on our favorite projects. If enough of us did so, that would likely make the situation worse.<\/p>\n Instead, we should carefully consider the apps we are using. Gain an understanding of the project, who\u2019s involved, and the challenges they face. Look at its reputation within the industry and its longevity. Examine its changelog and see how often updates are released. Consider volunteering your time if you are able.<\/p>\n It\u2019s also important to look at which third-party dependencies are associated with a project. This can be difficult to discern, but worth the effort.<\/p>\n Then there\u2019s the role of service providers such as web hosts and APIs. They are additional links in this chain. Because, even if we\u2019re certain that an app we installed is safe, we also need to rely on these providers to maintain their systems as well. Monitor them as best you can and don\u2019t be afraid to ask questions.<\/p>\n Placing blind trust in software is not a wise choice. And while it may feel nearly impossible to keep up with all of this, it\u2019s now a necessary part of the job.<\/p>\n Truthfully, we won\u2019t be able to catch every issue before it becomes something bigger. But we can keep an ear to the ground and be proactive about the software we\u2019re using.<\/p>\n The post Why It’s Getting Harder to Trust the Software We Use<\/a> appeared first on Speckyboy Design Magazine<\/a>.<\/p>\n Source: Specky Boy<\/p>\nOpen-Source Software Is of Special Concern<\/h2>\n
\n
![\"Computer](\"https:\/\/i0.wp.com\/speckyboy.com\/wp-content\/uploads\/2022\/01\/trust-in-software-01.jpg?resize=900%2C400&ssl=1\")
<\/p>\nVolunteers and Limited Resources<\/h2>\n
\n
![\"A](\"https:\/\/i0.wp.com\/speckyboy.com\/wp-content\/uploads\/2022\/01\/trust-in-software-02.jpg?resize=900%2C400&ssl=1\")
<\/p>\nWhat Can Web Designers Do?<\/h2>\n