
I'm reading Architecture of Open Source Applications. From the chapter about Audacity:

However, we do not want Audacity to provide a route to bypass a firewall, so we have a rule not to have TCP/IP connections to or from Audacity at all. Avoiding TCP/IP cuts out many security concerns.

Could you please explain to me (as a security newcomer, with details) the following things:

  1. What do they mean by the last sentence? Are the "security concerns" with TCP/IP related ONLY to the firewall bypass route?

  2. How do firewalls work with TCP/IP, and why do you need a bypass route only for TCP/IP?

  • Your second question is more of a basic networking question, it looks like.
    – schroeder
    Commented Sep 23, 2016 at 12:44

2 Answers

2

Right before the statement you quoted, the author writes:

Architecture is also shaped by considerations of how best to use our scarce developer time. With a small team of developers, we do not have the resources to do, for example, the in-depth analysis of security loopholes that teams working on Firefox and Thunderbird do.

This is key to understanding what they mean here. Audacity doesn't provide a "route to bypass a firewall", but as a small team they understand that they do not have the man-power or resources to find all the issues in their software that might lead to an exploit that allows people to bypass firewalls.

So rather than putting their resources to work finding holes and bugs in their own software, they avoided the TCP/IP stack altogether, and because of that, avoided a whole slew of security issues that could stem from including TCP/IP.

As far as your second question is concerned, as @schroeder mentioned, that is more of a basic networking question that is not within the scope of this site.

1

If a piece of software is able to connect to the network, it can speak to other computers and the internet. Being able to communicate with the internet is a potential security risk, since the software could fetch malicious code, or be used as a point of compromise via the network. It could also be used to attack other systems, or gain information about the network.

If you code software with network capabilities, care must be taken to implement it securely. If resources are limited that might not be a possibility. So it is a smart move to just not implement it.

  • Oh, I understood that sentence as meaning they use some other protocol instead of TCP/IP. They didn't say anything about forbidding internet connections at all.
    – VB_
    Commented Sep 23, 2016 at 13:00
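The first answer explains the rule ("no TCP/IP connections to or from Audacity at all") and the second explains the risk it avoids. A defender who wants to confirm that a running program actually follows such a rule can join two Linux data sources: `/proc/net/tcp`, which lists every IPv4 TCP socket by inode, and `/proc/<pid>/fd`, whose symlinks name the socket inodes a process holds. The script below is an added example, not code from the question, the answers or the Audacity project; the `/proc/net/tcp` table, the pids and the fd links it uses are constructed so it runs offline, and `read_live_fd_links` is the only part that touches a real system.

```python
"""Check whether a process owns any TCP sockets, from Linux /proc data.

Added example (not from the question, answers or Audacity). Joins
/proc/net/tcp (IPv4 TCP sockets keyed by inode) with /proc/<pid>/fd
symlinks ("socket:[<inode>]"). Sample table, pids and links are
constructed, not captured from a real machine.
"""
import os
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Subset of kernel TCP state codes as printed in /proc/net/tcp
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}


@dataclass(frozen=True)
class TcpSocket:
    inode: int
    local: Tuple[str, int]
    remote: Tuple[str, int]
    state: str


def parse_addr(field: str) -> Tuple[str, int]:
    """Decode 'IIIIIIII:PPPP' (IPv4 in host byte order, port in hex)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the 32-bit address in host order (little-endian on
    # x86/arm); repacking with '<I' restores network byte order for inet_ntoa.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[int, TcpSocket]:
    """Parse the text of /proc/net/tcp into a map inode -> TcpSocket."""
    sockets: Dict[int, TcpSocket] = {}
    for line in text.splitlines()[1:]:      # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        inode = int(f[9])                   # 10th column is the socket inode
        sockets[inode] = TcpSocket(inode, parse_addr(f[1]), parse_addr(f[2]),
                                   TCP_STATES.get(f[3], f"UNKNOWN({f[3]})"))
    return sockets


def socket_inodes(fd_links: Iterable[str]) -> List[int]:
    """Extract socket inodes from /proc/<pid>/fd symlink targets."""
    return [int(t[len("socket:["):-1]) for t in fd_links
            if t.startswith("socket:[") and t.endswith("]")]


def audit(proc_net_tcp: str,
          fd_links_by_pid: Dict[int, List[str]]) -> Dict[int, List[TcpSocket]]:
    """Per pid, the TCP sockets that process holds (empty list = none)."""
    table = parse_proc_net_tcp(proc_net_tcp)
    # A socket inode absent from /proc/net/tcp belongs to another family
    # (unix, udp, netlink, ...) and is deliberately not counted as TCP.
    return {pid: [table[i] for i in socket_inodes(links) if i in table]
            for pid, links in fd_links_by_pid.items()}


def read_live_fd_links(pid: int) -> List[str]:
    """Real-system helper: read /proc/<pid>/fd symlinks (Linux, needs permission)."""
    fd_dir = f"/proc/{pid}/fd"
    links = []
    for name in os.listdir(fd_dir):
        try:
            links.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue                        # fd closed while we were looking
    return links


# --- constructed sample data (not from a real host) --------------------------
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:9C40 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

FD_LINKS = {
    4242: ["/dev/null", "pipe:[999]", "socket:[67890]"],            # hypothetical browser
    5151: ["/dev/null", "/dev/snd/pcmC0D0p", "socket:[31337]"],     # hypothetical audio editor
}

if __name__ == "__main__":
    for pid, socks in audit(PROC_NET_TCP, FD_LINKS).items():
        desc = ", ".join(f"{s.state} {s.local[0]}:{s.local[1]}->{s.remote[0]}:{s.remote[1]}"
                         for s in socks) or "no TCP sockets"
        print(f"pid {pid}: {desc}")
```

On a real host you would replace `PROC_NET_TCP` with the contents of `/proc/net/tcp` (and `/proc/net/tcp6` for IPv6, which uses 128-bit addresses and is not handled here) and build the fd map with `read_live_fd_links`. An inode such as `31337` that appears under a process but not in the TCP table is a socket of some other family, so the check reports "no TCP sockets" for that process rather than silently treating every socket as network access.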
