Nov 22, 2019

Avoiding the mayhem of modular code from the beginning

Bytecode Alliance

A handful of tech giants—including Mozilla, Fastly, Intel, and Red Hat—announced the formation of the Bytecode Alliance, a new initiative to create a more secure and composable future for WebAssembly by collaborating on new standards.

Such efforts could help reign in today’s Wild West of open source software and reshape how developers implement modular code.

Much of software development today focuses on modular applications. Roughly 80% of the average code base comes from package registries like npm, PyPI, and crates.io. By tapping into community resources, modular code helps developers build better products faster.

Development speed and open source code, however, open the door to complex security issues.

Malicious code is a serious threat, with open source packages giving bad actors discreet entry points into popular software. Unsurprisingly, the number of malicious modules published to npm more than doubled from 2017 to 2019.

Vulnerabilities are a problem, too. Only 59% of packages have known fixes for disclosed vulnerabilities. Many maintainers don’t have the time or the security know-how to fix them. The result is that nearly 40% of npm modules depend on code with at least one publicly known vulnerability.

Existing band-aids—scanners, monitoring, code reviews, and containers—are slow, manual, resource-intensive, or prone to overlooking issues.

The Bytecode Alliance is working on ways to avoid such package mayhem in the fledgling WebAssembly ecosystem by implementing more rigorous standards. WebAssembly runtimes, code generators, and language tooling are carefully designed make the ecosystem more secure by default. New standards, like nanoprocesses, wrap modules or groups of modules to regulate how data is exchanged between them, limiting module access to critical system functions.

Ultimately, the Bytecode Alliance hopes to minimize the tradeoff between developer productivity and security. The goal is to support today’s open source modularity, but with better guardrails.

Just as JavaScript spread across the software development world, from browsers to desktops to servers, WebAssembly could be on a similar path. A better approach from the start could save developers time and energy farther down the road.

If the group succeeds, its methods will be a massive lesson for all of software development in how to grapple with the growing popularity and importance of open source software.

Want to get more of these in your inbox?

Subscribe for weekly updates from the Software team.