Application security, Cloud Security, DevSecOps, Security Strategy, Plan, Budget

Can the Bytecode Alliance secure the supply chain with WebAssembly?

Mozilla Chairwoman Mitchell Baker speaks at Massachusetts Institute of Technology on May 16, 2018 in Cambridge, Massachusetts. (Photo by Paul Marotta/Getty Images for MIT Solve)

The Bytecode Alliance on Wednesday announced that it formed a non-profit organization to focus on promoting WebAssembly (WASM) and the WebAssembly System Interface (WASI) as emerging standards that can fix some of the inherent weaknesses in the way software gets developed.

Leading the charge are well-known names such as Intel, Mozilla, Microsoft, and Fastly, which encourage like-minded companies to join the alliance.

Founded in 2019, the alliance has brought attention to the inherent weaknesses in predominant models for building software, which rely heavily on composing up to thousands of third-party modules (many of them open source) without security boundaries between them.

Bytecode Alliance members say these weaknesses in the software supply chain have led to breaches in government systems, critical infrastructure services, and a large number of companies, as well as in stealing personal information of hundreds of millions, perhaps even billions of people.

“Microsoft is excited to join the Bytecode Alliance as an incorporating member to support the effort to build a more open, scalable, secure web,” said Ralph Squillace, principal program manager, Azure Core Upstream at Microsoft. “WebAssembly and the emerging WASI specification enable cloud-native solutions to become more secure by default.”

WebAssembly has increased in popularity as it aims to eliminate some of the long-known drawbacks and limitations of leveraging JavaScript in web applications, said Kevin Dunne, president of Pathlock. Dunne said while WebAssembly closes many of the loopholes and vulnerabilities we've come to know, it opens several others, many of which we are just finding out about. 

“There are several exploits emerging that use WebAssembly to present spoofed information collection forms within otherwise normal looking sites to collect personal data and credentials for misuse,” Dunne said. “While WebAssembly solves some problems inherent to JavaScript, it’s still too early to tell if it will work to reduce the overall risk exposure for developers and users of web applications."

Sounil Yu, chief information security officer at JupiterOne, said WASM and WASI offer a great foundation to drive the next generation of secure web applications.

“We are even seeing interesting security use cases for browser isolation using WASM, such as Cloudflare's Zero Trust browsing, to improve the user experience of a virtualized secure browser environment,” Yu said. “However, WASM presents opportunities for attackers to conceal malware (such as cryptominers) running inside the browser. Security teams lack the forensic tools to find and collect evidence associated with the execution of WASM binaries within the browser. This is an area that needs further investment and attention as WASM becomes more popular among developers and attackers."

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds