defnpodcast

#1 podcast focusing exclusively on Clojure and ClojureScript
Sean Poulter 2020-09-01T16:28:54.016700Z

Hello, long time listener and first time caller poster here … Can we demonstrate that projects built with Clojure and ClojureScript are secure? I’d love to hear an episode or two, conference talks, and more about that. I’ve been a Clojure(Script) developer for a year now, and I’ve recently started wearing a “security” hat. Underlying the day-to-day work, that’s the underlying question that we struggle with — can we demonstrate our product is secure? What are our options so we don’t have to switch back to Java and JavaScript? It’s pretty clear that customer demand for secure software is increasing. They want to be sure that our code and any of our dependencies is secure, but our language choice doesn’t make it it as easy for them. If the large off-the-shelf static analysis tools and CVE/CWE scanning tools don’t support Clojure and ClojureScript, how have folks in the community solved this problem? With warm regards from Canada and a sincere concern that we’re going to be programming “with some other shit” soon, Sean 🤓

raymcdermott 2020-09-02T15:16:50.037400Z

of course it can make sense to use open source tools to scan for CVEs and CWEs ... the closed source ones always use the same DB as the free ones. My major bone of contention is, as you describe, the tick-box BS.

raymcdermott 2020-09-02T15:17:07.037600Z

the tendency closes down innovation via fear

👍 1
val_waeselynck 2020-09-02T21:18:32.037900Z

Security checklists are like making sure the doors have locks while ignoring the fact that an entire wall might be missing

raymcdermott 2020-09-09T15:17:46.038300Z

the death star designers definitely had check lists

val_waeselynck 2020-09-09T16:54:17.038500Z

@raymcdermott true. That said, I humbly confess that I don't make my systems secure enough to withstand a proton rocket sent from an X-wing flown by a Jedi apprentice. I choose to make do with such DoS attacks, should they happen. But now that you mention it, I should probably update my ToS.

raymcdermott 2020-09-09T17:11:01.039200Z

Vader displease you will

val_waeselynck 2020-09-09T17:30:38.039400Z

Whenever an auditor questions my security, my answer is «I find your lack of faith disturbing».

😆 2
alexmiller 2020-09-01T16:31:26.017200Z

It's a good topic and one that does come up regularly. Large static analysis and CVE scanning tools do support Clojure (I know less about the ClojureScript side but certainly no conceptual reason that couldn't be done). Things like https://github.com/rm-hull/lein-nvd or Sonar plugins like https://github.com/fsantiag/sonar-clojure

Sean Poulter 2020-09-01T16:32:11.017800Z

Yea, the ClojureScript part seems to be the blocker.

Sean Poulter 2020-09-01T16:32:31.018100Z

(Hello and thanks again Alex! 😁)

alexmiller 2020-09-01T16:32:40.018300Z

I don't think there's any good reason for that except maybe someone plugging the right bits together

👍 1
alexmiller 2020-09-01T16:33:19.018500Z

From a general perspective, the problem is not different than the problems faced in Java/JavaScript - the top OWASP issues are the same and the solutions are similar. https://www.youtube.com/watch?v=lRHPZXKQVLk is a good talk on this

❤️ 1
Sean Poulter 2020-09-01T16:38:20.018700Z

The dependency analysis seems to be all about plugging in the right things. We seem to be missing the static analysis rules like sprintf is insecure. There’s 597 rules for Java from SonarSource and 0 for Clojure: https://rules.sonarsource.com/java/

Ivan 2020-09-01T16:41:44.019100Z

but, does it really matter how the code is written in cljs? It will, in the end, be translated to JS. That is the thing that should be checked. If the JS has a problem, then one needs to figure out whether it is a problem of the compiler or the original cljs code.

💯 1
Ivan 2020-09-01T16:43:30.019300Z

for the check though, you would be checking the thing that actually runs on the target platform (JS on the browser). checking for a thing before it is translated, even if it is correct, does not guarantee that it will be correct after it is translated.

Sean Poulter 2020-09-01T16:46:40.019500Z

Right, we can extend the same argument for Clojure and Java as well. For both cases, I’d expect there are some folks who have lived through this to have some insight on “is it worth the cost to the business to identify the causes of any problems without better tooling?“. I’m very curious if folks have experience with this and if they’d do it all over again.

Sean Poulter 2020-09-01T16:55:48.019700Z

The other issue that has been raised is that since it is a smaller language, there has been less attention from security researchers. Folks have implied that there are vulnerabilities but they haven’t been found because there aren’t as many eyes on it. I’d expect this issue may need to be addressed in a banking/higher-risk context.

Ivan 2020-09-01T17:01:32.019900Z

You cannot apply the same argument. clj is not translated to Java, but compiled to Java byte code directly. If that is not true, please correct me.

👍 1
Sean Poulter 2020-09-01T17:03:57.020200Z

Oops. I’m about a year into ClojureScript/Clojure and unfamiliar with the Clojure specifics, so sorry the confusion. You are correct. Here’s the authoritative source - https://clojure.org/reference/compilation: > Clojure compiles all code you load on-the-fly into JVM bytecode

alexmiller 2020-09-01T17:29:42.020500Z

I think there is definitely room for automated analysis of user values but a lot of that stuff may require program-specific analysis. I'm not sure how generic the issues are. Some issues around things like CORS or whatever are typically addressed at the ring middleware level and are now automatically included in the default stacks.

alexmiller 2020-09-01T17:37:03.020700Z

I think there are 597 Java rules (https://rules.sonarsource.com/java) but a lot of those are probably related to libraries that most Clojure devs never touch. And on the other hand, there are lots that look for specific Java interop calls that could be pretty easily checked in the same way via automated analysis.

Sean Poulter 2020-09-01T17:37:57.020900Z

User input is a great example. We may not have the safety net of off-the-shelf tools to do the equivalent of SQL injection attacks since we may not reach for SQL.

alexmiller 2020-09-01T17:39:34.021100Z

I'd say most Clojure users use Clojure libs with pretty good patterns that avoid sql injection in the first place, but the api (jdbc) is the same and could probably be checked in a similar way.

alexmiller 2020-09-01T17:40:29.021300Z

and then there are Clojure specific things either in libs, or stuff like using clojure.core/read without setting read-eval or using clojure.edn/read

👍 1
alexmiller 2020-09-01T17:41:30.021600Z

what I'm trying to say is - this a very tractable problem where the person/company with the right motivation could make a lot of rapid headway

Sean Poulter 2020-09-01T17:45:08.021800Z

Absolutely. That’s why I think it’d be curious to see if folks “in industry” have solved this already. There’s a pretty clear path forward if the business thinks Clojure/ClojureScript is essential to delivering the business value. You can justify the extra work and interim risk.

alexmiller 2020-09-01T17:46:17.022Z

I've had this same conversation like 10 times with different people so I think folks "in industry" have not solvedi t

😄 1
Sean Poulter 2020-09-01T17:46:48.022300Z

Over what kind of time period?

alexmiller 2020-09-01T17:46:56.022500Z

last 5 years

Sean Poulter 2020-09-01T17:47:38.022700Z

Sorry I didn’t find those before broadcasting out to the world. 😓

alexmiller 2020-09-01T17:47:49.022900Z

mostly private

👍 1
Sean Poulter 2020-09-01T17:51:17.023200Z

The other change in the business environment over that time period is GDPR coming in. For a large enough company, there is a strong financial motivation to reduce the risk of a breach: The fines for a serious infringement: > could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher https://gdpr.eu/fines/

Sean Poulter 2020-09-01T17:56:10.023600Z

The fines up to 2% or 4% of the firms worldwide annual revenue was etched into us during security training. Can we demonstrate that the team is that confident in their code and choices of dependencies? 💰

raymcdermott 2020-09-01T21:11:27.025600Z

GDPR is mostly about informed consent to the capture and storage of private data rather than programming concerns

raymcdermott 2020-09-01T21:18:48.033900Z

The environment vulnerability in Bash was exploited successfully, as was the SSH memory leak. Java was mostly removed from browsers and even OSX due to legitimate security concerns. If people think that static analysis will save them they are woefully wrong. There is a tools industry that engenders these fears and must be resisted. It kills deployment automation, costs stupid money and offers nothing compared to teams keeping their libraries and skills up to date.

Ivan 2020-09-01T21:25:33.035Z

> give me your money and my AVS (awesome vulnerability scanner™) will keep you s3cure. > -- John Clickbait clojure emphasises on simplicity through thoughtful design and by blindly putting trust to such tools could cross the line where it is contradicting the design process. on the other hand I can see how non-technical people like reports that "make sure" that things will be fine.

alexmiller 2020-09-01T21:51:54.035300Z

there are plenty of things that could be usefully checked and automated

👍 2
alexmiller 2020-09-01T21:52:48.035500Z

and also I'm always in favor of using your brain

🧟 1
Sean Poulter 2020-09-01T22:01:47.035900Z

Ray’s comment hits home: > There is a tools industry that engenders these fears and must be resisted. It sounds like there’s a trend towards more customers having a checkbox on a product acceptance form like “have all third-party dependencies have been scanned for CVEs and CWEs and included in the report?“.

Ivan 2020-09-01T22:01:59.036100Z

I agree, and to be clear on what I said above, I mentioned that there's a line that may be crossed. In other words a balance is at need. I am not against linters or compiler warnings or SonarQube .. but at the same time I recognize that I need to understand, think, design and experiment with the domain I am involved. I think it was mentioned above - the tools do not guarantee security, the same way that tests cannot guarantee bugfree programs; what they do is increase confidence that basic security measures are in place, and things will work. We should all keep in mind that automation has its own pitfalls and paradoxes; it is not a solution for everything.

👏 1
Sean Poulter 2020-09-01T22:03:16.036500Z

I’ve been coding long enough to know I trust my brain not to write secure code. 😆 We’re trying to assert that we’ve also checked the CVEs and CWEs found by those security researchers we should trust (or strong minded folks who know better).

Sean Poulter 2020-09-01T22:12:01.036700Z

Have other folks run into that? Sounds like Ivan can make a tidy sum selling AVS.