by Dr. Robert Buccigrossi, TCG CTO
Recently, there has been a pattern forming in my journal reading:
- How did web development become so bizarrely complex? – Discussions on the explosion of frameworks, team personnel, and technologies needed for a “simple” website
- Web apps are too complex. This is how we can simplify them. – An article describing how single-page apps are actually two deeply coupled applications
- NPM Audit: broken by design? – When you create a brand new NPM React app, it *already* has 5 vulnerabilities identified by the npm security audit!
- Software Complexity is Killing Us – “Our obsession with flexibility, composability, and cleverness is causing us a lot of pain and pushing companies away from the platforms and tools that we love.”
In short: Web application technology stacks have exploded in complexity and dependencies, leading to nightmares in both operations and security management.
Creating a default React app with “npx create-react-app” pulls in a large number of npm libraries by default (and 5 “npm audit”-reported vulnerabilities). Similarly, “ng new” has 39–47 vulnerabilities out of the box. Looking at Vue’s dependencies, I briefly thought it had none, but it has many: it simply uses webpack to build its devDependencies into the production bundle. Even if you forsake single-page applications, you can still find yourself with a massive pyramid of dependencies encouraged by well-meaning package utilities: Python has pip, PHP has composer, .NET has NuGet.
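To make that dependency pyramid visible, here is an added example (not code from the original post) that inventories a package-lock.json in the lockfileVersion 2/3 “packages” format, counting direct versus transitive packages, dev-only versus shipped, and the closure each direct dependency drags in; the lockfile below is constructed for illustration, not taken from a real project.

```javascript
// Constructed lockfile (lockfileVersion 3 "packages" map), not a real project's.
// Root entry "" lists the hand-picked direct deps; every other key is a package
// actually installed. "dev: true" marks packages only reachable via devDependencies.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "ui-lib": "^1.0.0" }, devDependencies: { bundler: "^5.0.0" } },
    "node_modules/ui-lib": { version: "1.0.0", dependencies: { "dom-helper": "^2.0.0" } },
    "node_modules/dom-helper": { version: "2.1.0" },
    "node_modules/bundler": { version: "5.0.0", dev: true, dependencies: { "loader-x": "^3.0.0" } },
    "node_modules/loader-x": { version: "3.2.0", dev: true },
  },
};

// Count what the project really installs versus what the team hand-picked.
// Assumes lockfileVersion 2 or 3 (the older v1 nested "dependencies" shape is not handled).
function summarizeLock(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const summary = { direct: direct.size, total: 0, transitive: 0, devOnly: 0, shipped: 0 };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;
    summary.total++;
    // Strip leading (possibly nested) node_modules/ prefixes; keeps "@scope/pkg" intact.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!direct.has(name)) summary.transitive++;
    if (meta.dev) summary.devOnly++; else summary.shipped++;
  }
  return summary;
}

// Transitive closure pulled in by one direct dependency, resolved via hoisted
// node_modules/<name> paths only (nested duplicates are ignored for brevity).
function closureOf(lock, depName) {
  const seen = new Set();
  const stack = [depName];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    const meta = lock.packages[`node_modules/${name}`];
    if (!meta) continue; // unresolved in this lockfile
    seen.add(name);
    stack.push(...Object.keys(meta.dependencies || {}));
  }
  return [...seen].sort();
}

console.log(summarizeLock(sampleLock), closureOf(sampleLock, "ui-lib"));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and compare `direct` against `total` to see how far the installed tree exceeds what the team chose.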
The reaction to network security vulnerabilities has been the rise of the “zero trust” network. Imagine a similar world for software architecture – a world in which you deliberately aim for no external dependencies beyond your hand-picked core components. Of course, we still depend upon the operating system, our web server, and our database, but I’m compelled to ask: Have plain vanilla JS, HTML, and CSS advanced enough that “zero dependency” microframeworks are feasible? Could we dare dream of a world where “end of support” notices and dependency audit scan reports become a relic of the past? Could we dream of code that our teams completely understand end to end, so that true DevSecOps can be achieved?
And if achieved, with superior security and resilience, could a “zero dependency” tech stack be a differentiator?