Shortly after the earth cooled and life began, Sir Tim Berners-Lee invented the World Wide Web. This was approximately the year 1990. He also built the first browser, confusingly and yet inspirationally called WorldWideWeb.
Since then things have evolved. The browser, which began as a simple visual interpretation of a markup language used to create a textual representation of visual elements, is now a dangerously functional runtime environment more comparable to our host operating systems (e.g., Linux, Windows, MacOS) than you might expect. Developers may compare the browser to the Java virtual machine (JVM) or the common language runtime (CLR) upon which many newer desktop applications run.
In the ’90s the browser world was very different. There was no Chrome (there was no Google for most of it), or Firefox, or Safari. Early browsers like Lynx and NCSA Mosaic gave way to more commercially developed works like Netscape Navigator.
Fast-forward to 2004, when DOM Level 3 was published. Software security guru Gary McGraw released his seminal book Software Security shortly afterward, in 2006. Web pages and websites were now being called web applications, and things were changing fast—faster than we realised.
The language can rewrite everything on the page. It has total control and was responsible for turning largely form-based interactions into…well, Facebook—a web application with dynamic content, real-time updates, and interactivity between users.
Let’s examine modern browser power
Consider the change in application development from desktop to web-based. There are key differences in the trust model between the two contexts. In the legacy model, where we downloaded and ran applications, we trusted the organisations that created those applications (e.g., Microsoft), and therefore the products themselves. Additionally, there was no shortage of virus-checking software solutions, like McAfee and Comodo, ready to jump on anything that looked off.
Through the trust model, we’ve been taught to trust something we’ve already used successfully. But what we need to acknowledge now is that each time we return to something like Facebook or Netflix, it’s highly unlikely we’re running the same application in our browser. Take Netflix as a highly advanced example of how development really works today. They are the benchmark for continuous integration and deployment, boasting an approximate 16 minutes between a developer changing the code and it being deployed globally.
We are heavily reliant on developers making changes we can trust in real time. In the case of major players like Facebook and Netflix, security is paramount. Secure development culture, tools, and processes are all part of the environment. But that isn’t necessarily the same for every organisation, particularly smaller companies without the expertise or knowledge to know what they are missing.
Yet the attack surface is continually changing and growing.
Steve Giguere, lead sales engineer, Synopsys
Image Credit: 377053 / Pixabay