Efficient, green coding machine: how sustainable computing principles can also reduce attack surfaces
Less is often more when it comes to both information security and environmentally friendly computing practices.
Reducing the carbon footprint of computing infrastructure could play a role not only in the fight against climate change, but also against another growing and borderless threat: cyber-attacks.
That’s according to the co-authors of a whitepaper that highlights how best practices for making cloud infrastructure secure and sustainable sometimes happily overlap, since both begin with a search for efficiencies.
“The low hanging fruit for sustainability is doing less and saving less data, which should also reduce attack surfaces,” Anne Currie, co-author of the draft whitepaper ‘The State of Green Cloud Software Practices‘ and community chair at the Green Software Foundation, told The Daily Swig.
Fellow co-author Paul Johnston, founder of UK technology consultancy Roundabout Labs and a former senior developer advocate for serverless at Amazon Web Services (AWS), echoes these sentiments.
“My view is that, in general, more green means fewer lines of code, and that means a smaller attack surface,” he told The Daily Swig. Johnston said this also means “better use of managed services which, again, generally means their attack surface is reduced (the services tend to be better for information security).”
Decommissioning outdated apps and services has the same effect. “Without maintenance, zombie workloads are bad for the environment as well as being a security risk,” reads the whitepaper, which also features contributors from Red Hat, Microsoft and the Green Web Foundation.
Memory-safe languages
Developers are urged to “rewrite the code to use a lighter framework or language. Moving from Python to Rust could result in a 10x reduction in CPU requirements, for example,” the whitepaper says. This could have security benefits insofar as Rust is, unlike Python, memory-safe by default.
The white paper also endorses Golang as “an efficient and easier language than the classic HPC options of C or C++.”
Again, there is a positive correlation here with security best practices, given that the US National Security Agency (NSA) recently urged (PDF) organizations to abandon languages that lack “inherent memory protection, such as C/C++,” in favor of memory-safe alternatives such as Golang, C#, Java, Ruby, and Swift.
Indeed, C and C++ have been blamed for the finding that around 70% of the security vulnerabilities in Microsoft products and in Google Chrome are memory safety bugs.
Rust is considered to be considerably more energy-efficient than Python
Security in C and C++
However, it is perhaps reductive to conclude that ‘lightweight’ languages, generally defined in terms of syntax, memory footprint, and implementation complexity, are inherently more secure or sustainable in all contexts.
After all, it is perfectly possible to write a super efficient ‘green’ program in C++, but this obviously depends on the skill of the developer.
“Vulnerabilities are less likely if the language constructs make it easy or obvious, or cannot be or are unlikely to be a vulnerability,” David A Wheeler, director of open source supply chain security at the Linux Foundation, told The Daily Swig.
“C is a relatively simple programming language in the sense that it has relatively few constructs; in that view, it is light. However, many operations in C (array dereference, pointer assignment or dereference, etc.) do not provide automatic protections, so any mistake can quickly lead to a vulnerability.
“In contrast, C++ is a much larger and more complex language than C,” Wheeler continued. “At least by some measures, it wouldn’t be considered lightweight. However, its lack of many security mechanisms by default leads to the same problems.”
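Wheeler’s point about C operations that carry no automatic protection is easiest to see in a parser. The following is an added example, not code from the article, the whitepaper or any of the people quoted. It assumes a hypothetical length-prefixed wire format (one length byte followed by the payload) and a constructed buffer standing in for a network receive buffer. The naive parser trusts the declared length and copies past the end of the message; because the over-read here stays inside one larger array, the leak is deterministic and can be measured rather than being undefined behaviour. The hardened parser checks the declared length against the bytes actually received before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example:
 *   byte 0     : declared payload length N
 *   bytes 1..N : payload
 */

/* Naive parser: trusts the declared length. C will happily let memcpy
 * read past the end of the message; only the destination is protected. */
size_t parse_naive(const uint8_t *msg, uint8_t *out, size_t out_cap) {
    size_t n = msg[0];
    if (n > out_cap) n = out_cap;   /* protects 'out', not the source */
    memcpy(out, msg + 1, n);
    return n;
}

/* Hardened parser: the declared length must fit inside what was actually
 * received and inside the output buffer, or nothing is copied at all. */
int parse_checked(const uint8_t *msg, size_t msg_len,
                  uint8_t *out, size_t out_cap, size_t *copied) {
    if (msg_len < 1) return -1;
    size_t n = msg[0];
    if (n > msg_len - 1) return -1;   /* claims more bytes than we have */
    if (n > out_cap) return -1;
    memcpy(out, msg + 1, n);
    *copied = n;
    return 0;
}

/* A 32-byte region that stands in for a receive buffer. The real message
 * occupies the first 6 bytes; the rest is filled with 'S' to represent
 * whatever sits in adjacent memory (other clients' data, secrets). */
enum { REGION = 32, MSG_LEN = 6 };

static void build_region(uint8_t region[REGION]) {
    memset(region, 'S', REGION);
    region[0] = 20;                    /* lies: claims 20 payload bytes */
    memcpy(region + 1, "hello", 5);    /* only 5 are really present */
}

/* Number of 'S' bytes the naive parser hands back to its caller. */
size_t naive_leaked_bytes(void) {
    uint8_t region[REGION];
    uint8_t out[REGION] = {0};
    build_region(region);
    size_t n = parse_naive(region, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] == 'S') leaked++;
    }
    return leaked;
}

/* Hardened parser's verdict on the same lying message (-1 = rejected). */
int checked_verdict(void) {
    uint8_t region[REGION];
    uint8_t out[REGION];
    size_t copied = 0;
    build_region(region);
    return parse_checked(region, MSG_LEN, out, sizeof out, &copied);
}

/* Hardened parser on an honest message: returns bytes copied, or -1. */
int checked_valid_copied(void) {
    uint8_t region[REGION];
    uint8_t out[REGION];
    size_t copied = 0;
    build_region(region);
    region[0] = 5;                     /* honest length */
    if (parse_checked(region, MSG_LEN, out, sizeof out, &copied) != 0) return -1;
    return (int)copied;
}

int main(void) {
    printf("naive parser leaked %zu bytes of adjacent memory\n", naive_leaked_bytes());
    printf("hardened parser verdict on lying message: %d\n", checked_verdict());
    printf("hardened parser copied %d bytes of honest message\n", checked_valid_copied());
    return 0;
}
```

The naive version is a single missing comparison away from the hardened one, which is exactly the kind of mistake Wheeler describes: nothing in the language flags it, and the program runs without complaint while returning 15 bytes of neighbouring memory to the caller. In a memory-safe language the equivalent slice operation would fail at the out-of-range access instead.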
Managed cloud services
Managed cloud services are also endorsed by the sustainable computing whitepaper because, among other things, they offer high compute density and automatic scaling through serverless services.
However, some companies are still nervous about entrusting data security to shared environments. Anne Currie, a software engineer and also a science fiction author, considers these fears completely unjustified.
“The cloud puts a lot more effort into information security than enterprises do,” says Currie. “It’s a classic area where specialists kick the ass of (usually) generalists in companies.”
However, Paul Johnston cautions that delegating security functions creates risks.
“The benefits of a ‘greener’ approach (even if unintentional) are very positive from an IT security standpoint,” he explains.
“However, there is a potential downside in that the security aspect that is addressed by using managed services or code reduction can lead to an element of complacency about things that are often a bit more complicated.”
The whitepaper also recommends “moving more work to the client or to the edge,” which creates security challenges, albeit solvable ones, by extending the attack surface beyond the data center.
Another sustainability goal is surely an unequivocal plus for security. Currie, Johnston, and their fellow co-authors envision a future in which firmware remains backwards compatible with devices that are at least 10 years old, keeping users protected by security patches for longer.
Compliance and shareholder pressures, as well as lower running costs, have surely helped win over tech giants such as Microsoft, which has set ambitious goals to become carbon neutral or even carbon negative.
However, Currie suspects that the potentially dire reputational and financial costs of neglecting cybersecurity are an even stronger incentive for change.
“Getting sustainability to the top of the priority list is harder than getting security there,” she says. “The good news is that managed cloud services are usually quite sustainable and secure.”
In other words: anyone trying to persuade organizations to green their computing practices would be wise to point out any incidental security benefits in doing so.