[turtlebits]

This article is a bit hyprocritical. The example is an image sharing tool, but you don't resize images at all.

So your server binary is tiny, but you're serving full size unoptimized images and wasting bandwidth for every single user that visits the site, as well as the uploader. Even thumbnails are served full size.

In this case you're optimizing for the wrong thing.

[torstenvl]

> > In this post I briefly go over the terrible state of software security, and then spend some time on why it is so bad.... The security of software depends on two factors - the density of security issues in the source code, and the sheer amount of exposed code.... It is not just the amount of code that is worrying. It is also the quality, or put another way, the density of bugs.

> This article is a bit hyprocritical. The example is an image sharing tool, but you don't resize images at all.

Can you explain how serving full-sized images opens up additional security vulnerabilities?

I don't see the connection between your argument about bandwidth and the OP's argument about attack surface.

[turtlebits]

The author spends a lot of time on how large software has gotten, even going as far as comparing the size of their image sharing tool to another.

More lines of code don't necessarily correlate to less secure - in fact, the author's tool makes a big security mistake, it doesn't strip EXIF.

[torstenvl]

Not stripping EXIF metadata is not a security vulnerability.

The only EXIF-related CVE I can find is in fact the opposite. https://nvd.nist.gov/vuln/detail/cve-2021-22204

[lolinder]

Attack surface is about all the ways in which your software might be used to harm you or your customers. It's more than just remote code execution or DOS attacks.

For many use cases stripping EXIF is a hard requirement for user privacy and security, and it's reasonable for OP to point out that cutting that out to cut lines of code would be inappropriate in many situations.

[torstenvl]

Privacy is not the same as security. They are related, but distinct.

Show me the CVE that would provide any weight to the inflammatory and egregious claim that OP is a hypocrite.

[RamblingCTO]

Take a breather, nobody called OP a hypocrite.

> This article is a bit hyprocritical

Privacy in that sense is security. Never heard of OSINT? EXIF tags are of course security relevant.

/e: to make it more obvious: if I know your neighbourhood I can just blackmail you, I don't even have to hack you. I can gather information by maybe finding out your identity, getting insight into security questions and how you might answer them. I can find newspaper articles you were maybe part of etc. etc.

[lolinder]

CVEs are not the be-all-end-all of information security. CVEs are usually assigned to software that is distributed, not to web-based SaaS products, social media services, or similar, which are all the places where EXIF data leaks come into play.

For example, there was no CVE issued for the security flaw that leaked private information of 530 million Facebook users before 2019 [0], but that was obviously a significant security flaw.

Edit: Also, regarding "privacy is not the same as security"—the line is a lot fuzzier than you think. At my org the same team ("infosec") is responsible both for the security of our products and the enforcement of rules regarding PII, because they're tightly interrelated—the main concern with security incidents is that we might lose PII. There's a reason why one of the 7 data protection principles in the GDPR is security [1]—without it there is no privacy.

[0] https://www.npr.org/2021/04/09/986005820/after-data-breach-e...

[1] https://gdpr.eu/what-is-gdpr/?cn-reloaded=1

[palata]

> it doesn't strip EXIF.

Which is not a security issue per se, is it? If the goal of the project is to self-host it and share it with family, then keeping the EXIF may be a feature.

[geraldhh]

> More lines of code don't necessarily correlate to less secure

but usually it does

[Ferret7446]

It opens up the security vulnerability of your software not meeting requirements and thus users deciding instead to use other software, workarounds, and hacks.

[mixmastamyk]

Middlebrow dismissal. Author has an experimental sandbox for running imaging operations but hasn’t integrated it yet. Aka not 100% finished. Details at the site/github.