Is Fragmentation of Standards Opening Us Up for Further Exploits?

I was perusing the latest Java news today when I stumbled across an article about Oracle changing the version numbering scheme for its updates and Critical Patch Updates to address confusion experienced by industry experts and from within the company itself. Of course the problem is that the change created even more confusion. It got me thinking about how the tech world today seems to experience more and more confusion as hardware vendors, software makers, programmers, designers and companies in general all do their own thing. Everyone seems to be creating their own standard, even if it is only slightly different from someone else's, when perhaps they should be working together. The differences between these standards form a gray area, and I think that gray area is where many exploits and vulnerabilities occur.

Problems Arise From the Gray Area

Let's assume that a child is told by their mom that if it is raining outside, it is ok to play inside the house. Later the child is told by their dad that if they ever find a lighter or matches outside, to leave them alone and not play with them. Two very wise and solid rules, I am sure. One day the kid wakes up to see that it is raining outside, so they understand they will be playing inside, but as they do, they stumble across a pack of matches. Since they are not outside, the kid figures it is ok to play with them and of course burns the house down.

Now if the parents had gotten together and told one another their rules, they might have come up with a more solid, all-encompassing rule set, one with a far better chance of covering matches found inside the house. The child was doing what they were told, but because the situation fell in the gray area between the two rules, it led to a disaster.

Standards are a great way of communicating intention between parties and creating a set of rules that govern how things should work. When we don't communicate with one another through a standard, we tend to experience problems that fall through the cracks. The bigger the miscommunication between the two parties, the larger the attack surface for potential exploitation becomes.

Some Examples Where I Think This Is the Problem

Here are some current trends I am seeing that could really use better standardization, and that might make the world a better place. I think if the parties involved were to work together more effectively we would see global exploits drop dramatically. Of course these are just some of the many examples out there. Like I said, it seems everyone out there is making it much worse.

  1. Browser Support – Now I will admit that browser makers have been making great headway in this department over the last few years, and they really should continue not only to work towards the specs of the W3C but perhaps look at making a universal rendering engine that all browsers will eventually use. I really thought WebKit was going to be that dream and was disappointed to see Google break away from it earlier this year to go with "Blink". Problems here lead to scripting attacks, rendering differences and plugin exploitation (with the caveat that a single engine also means a single engine bug reaches every browser at once). A step back in the long run, I think.
  2. RSS / Atom – This may not seem like a big one, and it is not, but I see no real reason why one singular standard format could not be created here for the delivery of content. The problem seen in practice is readers that simply suck up an Atom feed assuming it is RSS; the root element, the item structure and the date formats are all different, and that leads to everything from nothing being displayed to runtime errors.
  3. JavaScript Frameworks – As one of the dangers of frameworks I mentioned in a previous article, when you have a choice of some 20 different frameworks that all do virtually the same task (like chart creation), then perhaps there should be a rallying around some sort of singular framework that encompasses the great pieces from each. This would not only improve performance but close an attack vector created by loading multiple frameworks, each with its own globals, escaping rules and event handling, without any standard in place. Standardization is part of why libraries like jQuery continue to see success: all the sharing and support between different parties and its consistent conventions. Problems seen from cracks here are XSS, conflicts leading to code exposure, client side hacks, etc.
  4. C++ Compilers – I know I will probably take some heat for this one, and yes I know the reason it is so fragmented is its legacy past, but I think it is time that compiler makers start working together on a compiler that will compile the exact same code the exact same way on the exact same machine and stop introducing implementation-specific features… yeah I am looking at you Microsoft. The standard leaves plenty to the implementation: the width of the long type (32 bits under Microsoft's compiler on 64-bit Windows, 64 bits under GCC and Clang on 64-bit Linux and macOS), struct padding, whether plain char is signed. Code that quietly relies on one compiler's choice and is then built with another ends up with program crashes and corrupted data (file and memory) for the most part.
  5. VB.NET and C# – This is always a hot topic, but ever since I started working exclusively in C# I have found very little need to switch back to VB.NET for anything. Much of the VB.NET code out there was first written in C# and ported over, and the fact that coders find they need to port code between the two can lead to vulnerabilities if they are not careful enough. This isn't to say that VB.NET is inferior, but that its redundancy "with a twist" may lead to confusion that increases bugs. Again the problems experienced here are typically program crashes and corruption of data.
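
The RSS/Atom problem in item 2 comes down to a reader assuming a format instead of checking it. Below is an added example, not code from the original post or from any feed reader, that sniffs the root element of a feed document and refuses to hand anything it does not recognise to an RSS parser. The sample documents are constructed for the demo; the sniffer deliberately handles only what precedes the root element (BOM, XML declaration, comments, DOCTYPE) and is not an XML parser.

```cpp
// Added example (not from the original post): sniff a feed's root element
// instead of assuming it is RSS, so an Atom document is routed to an Atom
// parser and anything else is rejected rather than fed to an RSS parser.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

enum class FeedKind { Rss2, Rss1Rdf, Atom, Unknown };

// Skip the UTF-8 BOM, XML declaration, processing instructions, comments and
// DOCTYPE that may precede the root element. Returns the index of the root
// element's '<', or npos if the document never reaches one.
static std::size_t find_root_start(const std::string& doc) {
    std::size_t i = 0;
    if (doc.compare(0, 3, "\xEF\xBB\xBF") == 0) i = 3;          // UTF-8 BOM
    while (i < doc.size()) {
        while (i < doc.size() && std::isspace(static_cast<unsigned char>(doc[i]))) ++i;
        if (i >= doc.size() || doc[i] != '<') return std::string::npos;
        if (doc.compare(i, 4, "<!--") == 0) {                    // comment
            std::size_t end = doc.find("-->", i + 4);
            if (end == std::string::npos) return std::string::npos;
            i = end + 3;
        } else if (doc.compare(i, 2, "<?") == 0) {               // <?xml ...?> or other PI
            std::size_t end = doc.find("?>", i + 2);
            if (end == std::string::npos) return std::string::npos;
            i = end + 2;
        } else if (doc.compare(i, 2, "<!") == 0) {               // DOCTYPE (no internal subset)
            std::size_t end = doc.find('>', i + 2);
            if (end == std::string::npos) return std::string::npos;
            i = end + 1;
        } else {
            return i;                                            // first real element
        }
    }
    return std::string::npos;
}

// Classify by the root element's local name and, for Atom, its namespace.
FeedKind sniff_feed(const std::string& doc) {
    std::size_t start = find_root_start(doc);
    if (start == std::string::npos) return FeedKind::Unknown;
    std::size_t end = doc.find('>', start);
    if (end == std::string::npos) return FeedKind::Unknown;
    std::string tag = doc.substr(start + 1, end - start - 1);    // e.g. rss version="2.0"
    std::size_t sp = tag.find_first_of(" \t\r\n/");
    std::string name = tag.substr(0, sp);
    std::string attrs = (sp == std::string::npos) ? std::string() : tag.substr(sp);
    std::size_t colon = name.find(':');                          // drop any prefix: rdf:RDF -> RDF
    std::string local = (colon == std::string::npos) ? name : name.substr(colon + 1);

    if (local == "rss") return FeedKind::Rss2;
    if (local == "RDF") return FeedKind::Rss1Rdf;
    if (local == "feed" && attrs.find("http://www.w3.org/2005/Atom") != std::string::npos)
        return FeedKind::Atom;
    return FeedKind::Unknown;                                    // HTML error page, Atom 0.3, etc.
}

// Constructed samples for the demo; none is a real feed.
const std::string kRss2Sample =
    "<?xml version=\"1.0\"?>\n<rss version=\"2.0\"><channel><title>t</title></channel></rss>";
const std::string kRss1Sample =
    "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\" "
    "xmlns=\"http://purl.org/rss/1.0/\"><channel><title>t</title></channel></rdf:RDF>";
const std::string kAtomSample =
    "\xEF\xBB\xBF<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!-- served by a CDN -->\n"
    "<feed xmlns=\"http://www.w3.org/2005/Atom\"><title>t</title></feed>";
const std::string kHtmlSample = "<!DOCTYPE html>\n<html><body>Not Found</body></html>";

static const char* kind_name(FeedKind k) {
    switch (k) {
        case FeedKind::Rss2:    return "RSS 2.0";
        case FeedKind::Rss1Rdf: return "RSS 1.0 (RDF)";
        case FeedKind::Atom:    return "Atom 1.0";
        default:                return "unknown (do not parse as RSS)";
    }
}

int main() {
    const std::string* samples[] = {&kRss2Sample, &kRss1Sample, &kAtomSample, &kHtmlSample};
    for (const std::string* s : samples)
        std::printf("%s\n", kind_name(sniff_feed(*s)));
    return 0;
}
```

The point of the Unknown branch is that an HTML error page from a misconfigured server, or a feed dialect the reader was never written for, is rejected up front instead of being pushed through the RSS code path and failing somewhere deep inside it.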

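For item 4, here is what the implementation-defined gray area looks like in practice, as an added example that is not from the original post. The struct uses long, whose width differs between Microsoft's compiler and GCC/Clang on 64-bit systems, so a file produced by writing its raw bytes is only readable by a build with the same layout. The wire format in the example (fixed-width little-endian fields) is my own choice for the demo, not a standard.

```cpp
// Added example (not from the original post): the same record written two
// ways. Dumping the struct's in-memory bytes gives whatever this compiler
// chose; encoding each field to a fixed width and byte order is a format
// every compiler produces and reads identically.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

struct Record {
    long   id;     // 32 bits under MSVC (LLP64), 64 bits under GCC/Clang on 64-bit Linux/macOS (LP64)
    char   tag;    // signed or unsigned: implementation-defined
    double value;  // padding between tag and value is the compiler's choice
};

// Wire format chosen for this example: id as int64 little-endian (8 bytes),
// tag (1 byte), value as its IEEE-754 bit pattern little-endian (8 bytes).
constexpr std::size_t kWireSize = 8 + 1 + 8;
static_assert(sizeof(double) == 8, "wire format assumes a 64-bit IEEE-754 double");

std::size_t raw_record_size() { return sizeof(Record); }   // typically 16 or 24, never 17

static void put_u64(std::vector<std::uint8_t>& out, std::uint64_t v) {
    for (int i = 0; i < 8; ++i) out.push_back(static_cast<std::uint8_t>(v >> (8 * i)));
}
static std::uint64_t get_u64(const std::uint8_t* p) {
    std::uint64_t v = 0;
    for (int i = 0; i < 8; ++i) v |= static_cast<std::uint64_t>(p[i]) << (8 * i);
    return v;
}

std::vector<std::uint8_t> encode(const Record& r) {
    std::vector<std::uint8_t> out;
    out.reserve(kWireSize);
    put_u64(out, static_cast<std::uint64_t>(static_cast<std::int64_t>(r.id)));
    out.push_back(static_cast<std::uint8_t>(r.tag));
    std::uint64_t bits;
    std::memcpy(&bits, &r.value, sizeof bits);                // no type punning through a pointer
    put_u64(out, bits);
    return out;
}

// Fails closed: a wrong length, or an id that does not fit this platform's
// long, returns false instead of reading past the buffer or truncating silently.
bool decode(const std::vector<std::uint8_t>& in, Record& r) {
    if (in.size() != kWireSize) return false;
    const std::int64_t id = static_cast<std::int64_t>(get_u64(in.data()));
    if (id < std::numeric_limits<long>::min() || id > std::numeric_limits<long>::max()) return false;
    r.id = static_cast<long>(id);
    r.tag = static_cast<char>(in[8]);
    const std::uint64_t bits = get_u64(in.data() + 9);
    std::memcpy(&r.value, &bits, sizeof r.value);
    return true;
}

int main() {
    Record r{1234567L, 'A', 3.25};
    std::vector<std::uint8_t> wire = encode(r);
    std::printf("sizeof(long)=%zu sizeof(Record)=%zu wire=%zu bytes\n",
                sizeof(long), raw_record_size(), wire.size());
    Record back{};
    std::printf("round trip %s\n", decode(wire, back) && back.id == r.id ? "ok" : "FAILED");
    return 0;
}
```

Run it under two compilers and the first line differs while the wire size stays at 17 bytes; that difference is exactly the crash or corrupted file the author describes when one build writes raw structs and another reads them. The range check in decode matters on the 32-bit-long side: an id that a 64-bit build wrote happily would otherwise be silently truncated.
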
Programmers Are Forced to Be Mediators

I am sure many developers out there know what I am talking about. You have party A doing one thing and party B doing something else, and somehow you have to reconcile the differences and cover as much of that gray area as possible in your solution. You are the babysitter who has to come in and rip those matches away from the child in the house. You can only do so much, and if party A and party B would only talk to one another and come up with a better set of rules, following them would be much easier. Rules free of vagueness, imprecision and ambiguity make for more secure, solid, integrated solutions.

I can see why some new programmers get confused as to which standards to refer to, which rules to follow and how to merge two technologies which should be the same but are quite different. Experts continue to experience that too. I think that if we can all just get on the same page, then version 1.7.23 means the same thing to you, to the new programmer who started a programming course yesterday, and to Oracle.

Have an opinion on this idea? Let us hear about it! Write your comments below. Thanks for reading! 🙂

About The Author

Martyr2 is the founder of the Coders Lexicon and author of the new ebooks "The Programmers Idea Book" and "Diagnosing the Problem". He has been a programmer for over 20 years. He works for a hot application development company in Vancouver, Canada, which services some of the biggest tech companies in the world. He has won numerous awards for his mentoring in software development and contributes regularly to several communities around the web. He is an expert in numerous languages including .NET, PHP, C/C++, Java and more.