Eco-design for more cybersecurity
The principle of eco-design is regularly spotlighted in graphical interfaces, through the optimization of image or video resolution, and in accessibility for people with disabilities or who have difficulty using certain technologies.
But what does this concept mean in the context of an IT infrastructure or a data processing server?
To what extent can a digitally sober architecture contribute to strengthening software security?
When you consider all of the fundamental factors related to eco-design, traditional application development is almost entirely called into question.
A working application is no longer a sufficient criterion for acceptance!
Systems are now required to evolve and anticipate needs that will arise during their lifetime, but also to ensure the sovereignty and security of the code that processes sensitive data and consumes hardware resources in data centers.
The number of infected machines (botnets) in the world is in the tens of millions, and they are used every second for malicious purposes.
- Who then bears the responsibility for large-scale cyber attacks?
- Can the negligence or ignorance of the developers of vulnerable applications be blamed?
The principle of digital sobriety, which overlaps very strongly with that of eco-design, highlights the importance of limiting the capabilities built into applications to identified functionalities.
In other words, avoid including behaviors that are not necessary or that are not used. With a reduced source code, applications run more efficiently and the risk of breaches is reduced.
The temptation to use rich external libraries is still too present in classical application development methodologies, which inexorably leads to more complex infrastructures and the loss of code ownership.
The damage is significant when a new vulnerability (zero-day) is discovered in a library used by millions of applications around the world!
Not an isolated case:
- In April 2014, the « Heartbleed » vulnerability affected millions of web servers around the world, and drew attention to the fact that this critical component was maintained by only a handful of volunteers.
- In June 2021, LinkedIn was hit by an attack exploiting a zero-day vulnerability that affected nearly 700 million user accounts.
- In December 2021, a new « Log4J » flaw was discovered in a minor component embedded in thousands of applications, allowing remote control of servers.
Security breach!
It all started at the end of November, when a vulnerability was observed in Log4j, a component present in the application library suite provided by the Apache Foundation. Then, on December 10, a researcher officially unveiled a way to exploit this loophole. A feature ignored by almost everyone thus became a « zero-day ».
The race began to assess the potential harmfulness of this security breach. This software dependency is present in thousands of programs used to operate millions of servers around the world. Even worse, it is present even though developers and users often do not know whether the component is useful, whether it is even used, and very often what it is used for.
This type of problem has the merit of highlighting some latent bad practices that can be observed in the IT world.
A fix was quickly made available, but cyber attacks multiplied in an attempt to exploit the flaw, which affects many cloud services. According to researchers from the Wiz company, 93% of cloud environments were at risk, while in early January 2022, only 45% of them had been fixed.
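The passage above turns on a simple question that many teams could not answer in December 2021: is log4j-core actually present in what we deploy? As an added example (not code from the original article or from Aeonics), the script below inventories every archive under a deployment directory, including jars nested inside a .war, and reports where log4j-core is embedded and which version its Maven metadata declares. The marker class and pom.properties paths are the real log4j-core layout; the fixture built in demo_scan is constructed for illustration.

```python
import io, os, tempfile, zipfile

# Presence of this class marks log4j-core; its Maven metadata declares the version.
CORE_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label):
    """(location, version) findings for one archive's bytes; recurses into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, or corrupt: nothing to inventory
    with zf:
        names = zf.namelist()
        if CORE_MARKER in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version))
        for name in names:  # a .war or fat jar carries its dependencies inside itself
            if name.lower().endswith(ARCHIVE_EXTS):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings

def scan_tree(root):
    """Walk a deployment directory and return every finding as (path, version)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXTS):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    findings.extend(scan_archive(fh.read(), os.path.join(dirpath, fn)))
    return findings

def demo_scan():
    """Constructed fixture, not a real app: a .war bundling log4j-core beside a clean jar."""
    core, clean = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(CORE_MARKER, b"")
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")
    zipfile.ZipFile(clean, "w").close()
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
            war.writestr("WEB-INF/lib/clean-lib.jar", clean.getvalue())
        return [(os.path.relpath(loc, root), ver) for loc, ver in scan_tree(root)]
```

A version read from pom.properties is only what the archive declares; a renamed or repackaged copy still shows up through the class marker, with version reported as unknown.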
Lessons to be learned?
On January 10, 2022, in an article titled « widespread free software on the Internet deliberately sabotaged by their creator », the news outlet Le Monde highlighted the dependence of the biggest players on open source projects.
« The problem is recurrent: most modern software uses freely accessible and modifiable software bricks, created by independent developers, who are often the only ones to ensure their updates and their follow-up, on a voluntary basis. »
We follow this new awareness regarding third-party dependencies with great interest. The distribution mode, proprietary or open source, does not affect the severity of the vulnerabilities that may be present in code written, after all, by humans.
And what about digital sobriety?
Let's be honest: eco-design and digital sobriety do not guarantee the quality of the source code. However, they are modern practices that allow application developers to reduce the risks and unknowns linked to unmanaged components. Knowing your system, what it does and how it does it, is essential today to ensure the integrity and resiliency of applications.
It is on this global observation that the Aeonics software is based.