Cappos: Major security problems can start with minor bits of code

Software programs can often be brought down by “some seemingly insignificant component, without which it fails.” Thus writes David Geer in a commissioned article in Communications of the ACM that looks at “how software stays so fragile despite industry efforts to stabilize it.” The article, published in October, examines “tendencies and trends” that “inflate coding errors” and expose the software to failures and attacks. To do so, Geer calls on a number of cybersecurity experts, including Dr. Justin Cappos, associate professor of computer science and engineering at the New York University Tandon School of Engineering.

One such tendency is the way in which small modifications to programs can have disastrous effects. “In a prominent example,” Cappos explains, “the author of the left-pad NPM software package removed it from the NPM registry over a trademark dispute.” The content removed was only 11 lines of code, yet it was sufficient to cause “massive outages across a wide array of programs that relied on NPMs.” Another problem, he points out, is the size of most codebases and the corresponding number of dependencies. Complex dependency chains can “leave developers unaware of the software their code uses, how developers wrote it, and whether it’s secure,” Cappos adds.
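As an added illustration of the dependency-chain problem Cappos describes (example code written for this page, not from the Geer article, from Cappos, or from NPM), the script below walks a constructed dependency graph and ranks each package by how many others would break if it were removed. All package names except left-pad are hypothetical, and the graph is a simplified stand-in, not the real package-lock.json format.

```javascript
// Added example: make the transitive dependency chain of a project visible,
// so a tiny, easily-overlooked package is known before it disappears.
// The graph below is CONSTRUCTED for illustration; every name except
// "left-pad" is hypothetical, and this is not the real lockfile format.
const lockfile = {
  "my-app":          { version: "1.0.0", dependencies: ["web-framework", "cli-colors"] },
  "web-framework":   { version: "4.2.0", dependencies: ["template-engine", "http-utils"] },
  "cli-colors":      { version: "2.0.1", dependencies: ["string-format"] },
  "template-engine": { version: "0.9.3", dependencies: ["string-format"] },
  "http-utils":      { version: "1.1.0", dependencies: ["left-pad"] },
  "string-format":   { version: "3.0.0", dependencies: ["left-pad"] },
  "left-pad":        { version: "1.3.0", dependencies: [] },
};

// Every package reachable from `root`, i.e. the code the project really runs,
// not just the handful of dependencies it declares directly.
function transitiveDeps(graph, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    for (const dep of graph[name]?.dependencies ?? []) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  return seen;
}

// Packages whose closure contains `target`: everything that would break if
// `target` were unpublished. The count is the "blast radius" of a removal.
function blastRadius(graph, target) {
  return Object.keys(graph)
    .filter(name => name !== target && transitiveDeps(graph, name).has(target));
}

// Rank packages by how much of the tree depends on them, largest first.
function blastRadiusReport(graph) {
  return Object.keys(graph)
    .map(name => ({ name, dependents: blastRadius(graph, name).length }))
    .sort((a, b) => b.dependents - a.dependents);
}

const direct = lockfile["my-app"].dependencies.length;
const total = transitiveDeps(lockfile, "my-app").size;
console.log(`my-app declares ${direct} dependencies but pulls in ${total}`);
for (const { name, dependents } of blastRadiusReport(lockfile)) {
  console.log(`${name.padEnd(16)} ${dependents} dependent package(s)`);
}
```

In this constructed tree the smallest leaf package ranks first: six of the seven packages stop working if left-pad goes away, while my-app itself only ever declared two dependencies.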

Other “tendencies and trends” include technical debt, which the Geer article defines as the “work you owe software to fix imperfections you ignored to accelerate delivery.” This “technical debt” can include workarounds to avoid breaking legacy systems, which, Cappos affirms, “create new vulnerabilities and leave old ones untouched.” Exacerbating this situation is developer turnover. “The software’s creators may have left the organization, and the programming language may be unknown to the current development team, which leads them to avoid modifying legacy code,” he says.

The full article text can be found at