Architecture Nugget - Feb 6, 2025

cURL and Go say goodbye to CVSS—security is about understanding, not just scoring.


Hey there, Software Enthusiasts!

Welcome to this week’s Architecture Nugget — your go-to dose of awesome posts, books, and videos to sharpen your software architecture skills. I’ve got some nuggets lined up for you this time, from effortless backend magic to security debates and JWKS. Happy reading and happy building! 🚀

Nitric is a multi-language framework for building cloud applications with infrastructure as code. This means you don't need to write Terraform scripts or use the AWS console to set up and configure your resources. Instead, the framework automatically provisions and manages cloud resources based on the components you use.

I haven't tried it yet, but it seems like a great fit for building an MVP over a weekend, as it removes much of the hassle.

Writer RAG tool: build production-ready RAG apps in minutes

  • Writer RAG Tool: build production-ready RAG apps in minutes with simple API calls.

  • Knowledge Graph integration for intelligent data retrieval and AI-powered interactions.

  • Streamlined full-stack platform eliminates complex setups for scalable, accurate AI workflows.

You’re probably familiar with JWTs. If not, here’s a quick recap, followed by an introduction to JWKS, which is the reason I am sharing this nugget.

Before JWTs, authentication typically relied on server-side sessions: the server kept the session state, and every request carried a session ID that had to be looked up on the server. JWTs, standardised in 2015 (RFC 7519), offered a stateless, self-contained alternative. A JWT consists of three parts: header, payload, and signature.

  • Header: Defines the signing algorithm (alg) and the token type; when keys are published via JWKS it also carries a key ID (kid) that tells the verifier which key to use.

  • Payload: Holds claims (like user data, the issuing server, and expiry).

  • Signature: Computed over the base64url-encoded header and payload. With HS256 it is an HMAC keyed with a shared secret; with RS256 or ES256 it is a digital signature made with a private key and checked with the matching public key.

Example:

  • Header: { "alg": "HS256", "typ": "JWT" }

  • Payload: { "exp": 1738712108, "user_id": "liam", "email": "[email protected]" }

  • Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

HS256 works, but every service that verifies tokens has to hold the same shared secret, and anyone who can verify can also mint tokens. In distributed systems you therefore want asymmetric algorithms (like RS256): the authentication server signs with a private key that never leaves it, and every other service verifies with the public key. That leaves one question: how do services get the right public key? Enter JWKS (JSON Web Key Set).

JWKS (RFC 7517) is a standardised JSON format for publishing a set of public keys, each with a key ID (kid), a key type (kty) and usually the algorithm it is meant for (alg). It’s usually served by the authentication server at a well-known endpoint (/.well-known/jwks.json, or the jwks_uri advertised in its OpenID Connect discovery document). Instead of hardcoding keys or distributing them manually, your services fetch the set over HTTPS, pick the entry whose kid matches the token header, and verify the JWT signature with it.

Real-world examples: the AppleID JWKS, the Azure JWKS and the GoogleAPIs JWKS.

JWKS simplifies key management and makes rotation routine: publish the new key alongside the old one, start signing with the new kid, and drop the old entry once the tokens signed with it have expired. That makes your architecture more scalable and secure, with two caveats worth remembering. Cache the key set and refresh it when you see an unknown kid rather than fetching on every request, and only trust a JWKS fetched over HTTPS from the issuer you expect, because whoever controls that endpoint controls who can mint valid tokens.
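Here is the whole loop end to end: the auth server publishing a JWKS and signing an RS256 token that names its key by kid, and a service verifying that token against the key set. This is an added example written in Go with only the standard library for this nugget; it is not code from Apple, Microsoft, Google or any JWT library, and the key ID, claims and one-hour expiry are made up. In production the JWKS would be fetched over HTTPS and cached rather than built in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
type JWK struct { // the subset of an RFC 7517 key entry needed to verify RS256 tokens
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` } // the document served at /.well-known/jwks.json
// publishJWKS (auth server side) exports the public half of the signing key.
func publishJWKS(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, Alg: "RS256",
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// signRS256 (auth server side) builds b64url(header).b64url(payload).b64url(signature).
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims) // string and integer claims always marshal
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only an RNG or key failure gets here; the issuer cannot continue without a signature
	}
	return signingInput + "." + b64.EncodeToString(sig)
}

func decodeSegment(seg string, v any) error { // base64url-decode one segment, then parse its JSON
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyRS256 (service side) checks a token against the fetched key set. The key is picked by kid and the
// token's alg must equal that key's alg: trusting the header alone is how "alg":"none" and HS256/RS256 confusion get in.
func verifyRS256(token string, set JWKS, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	var key *JWK
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid && set.Keys[i].Kty == "RSA" {
			key = &set.Keys[i]
		}
	}
	if key == nil || hdr.Alg != key.Alg {
		return nil, fmt.Errorf("no RSA key with kid %q for alg %q", hdr.Kid, hdr.Alg)
	}
	nBytes, errN := b64.DecodeString(key.N)
	eBytes, errE := b64.DecodeString(key.E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, fmt.Errorf("bad base64url in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(new(big.Int).SetBytes(eBytes).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var claims map[string]any // only trusted after the signature check above
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token has no exp or has expired")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the auth server's signing key
	tok := signRS256(priv, "2025-02-key", map[string]any{"user_id": "liam", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(verifyRS256(tok, publishJWKS(&priv.PublicKey, "2025-02-key"), time.Now()))
}
```

The verifier never lets the token choose the algorithm: it picks the key by kid and requires the token’s alg to match the key’s, so a header rewritten to "alg":"none", or to HS256 with the public key as the HMAC secret, is rejected before any signature maths runs. Claims are decoded only after the signature check, and exp is enforced against a caller-supplied clock so the behaviour is testable.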

If you want to read more about it, here are a few references:

Deep Dive

If you've dealt with security scanners, you've probably seen them freak out about a vulnerability in one of your dependencies that's hard (or impossible) to fix. Some companies even have policies like, "This better stop screaming in X hours/days or 🤐."

But how do scanners decide what to freak out about? That's where CVE and CVSS come in.

CVE (Common Vulnerabilities and Exposures) is a system for tracking and identifying security bugs, each with a unique ID.
CVSS (Common Vulnerability Scoring System) rates the severity of a bug from 0 to 10. The base score is derived from a short vector of metrics (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity and availability impact), which in practice means ticking boxes in an online calculator. It’s supposed to help prioritise which flaws to fix first.
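To make that concrete, here is the v3.1 base-score formula as a small program: it parses a vector string, applies the metric weights and the Roundup rule from the FIRST specification, and maps the result onto the None/Low/Medium/High/Critical bands. This is an added example written for this nugget, not code from cURL, Go or FIRST, and the vectors in main are typical textbook ones, not the score of any real cURL or Go CVE.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v3.1 specification (FIRST, section 7.4).
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
	"AC": {"L": 0.77, "H": 0.44},
	"UI": {"N": 0.85, "R": 0.62},
	"C":  {"H": 0.56, "L": 0.22, "N": 0},
	"I":  {"H": 0.56, "L": 0.22, "N": 0},
	"A":  {"H": 0.56, "L": 0.22, "N": 0},
}

// Privileges Required is weighted differently when Scope is Changed.
var prWeights = map[bool]map[string]float64{
	false: {"N": 0.85, "L": 0.62, "H": 0.27}, // S:U
	true:  {"N": 0.85, "L": 0.68, "H": 0.50}, // S:C
}

// roundup is the spec's Roundup(): the smallest one-decimal value >= x, computed
// on an integer scale so floating-point noise cannot push a score up a notch.
func roundup(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// BaseScore computes the v3.1 base score for a vector string such as
// "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H".
func BaseScore(vector string) (float64, error) {
	m := map[string]string{}
	for _, part := range strings.Split(vector, "/") {
		if k, v, ok := strings.Cut(part, ":"); ok {
			m[k] = v
		}
	}
	if m["CVSS"] != "3.1" || (m["S"] != "U" && m["S"] != "C") {
		return 0, fmt.Errorf("unsupported version or scope in %q", vector)
	}
	changed := m["S"] == "C"
	var missing []string
	w := func(metric string, table map[string]float64) float64 {
		v, ok := table[m[metric]]
		if !ok {
			missing = append(missing, metric)
		}
		return v
	}
	iss := 1 - (1-w("C", weights["C"]))*(1-w("I", weights["I"]))*(1-w("A", weights["A"]))
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * w("AV", weights["AV"]) * w("AC", weights["AC"]) *
		w("PR", prWeights[changed]) * w("UI", weights["UI"])
	if len(missing) > 0 {
		return 0, fmt.Errorf("missing or invalid metrics %v in %q", missing, vector)
	}
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundup(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundup(math.Min(impact+exploitability, 10)), nil
}

// Rating maps a score onto the qualitative scale from section 5 of the spec.
func Rating(score float64) string {
	switch {
	case score == 0:
		return "None"
	case score < 4.0:
		return "Low"
	case score < 7.0:
		return "Medium"
	case score < 9.0:
		return "High"
	}
	return "Critical"
}

func main() {
	for _, v := range []string{
		"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", // the classic 9.8 "unauthenticated RCE" vector
		"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", // local, low-privilege information leak
	} {
		score, err := BaseScore(v)
		fmt.Printf("%s -> %.1f %s %v\n", v, score, Rating(score), err)
	}
}
```

Notice what the vector does not contain: nothing about whether your build even compiles the affected feature, or whether the vulnerable path is reachable from untrusted input in your deployment. Two products embedding the same library get the same number. That is the “no context” complaint in a nutshell.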

But cURL and the Go security team are done with it. Daniel Stenberg, cURL’s author, recently published a blog post titled CVSS Is Dead to Us explaining why it doesn’t work for the project.

Here’s the gist:

  • No Context, Bad Decisions: A CVSS score describes the flaw in isolation, without considering how the affected code is actually deployed or used.

  • Scanner Chaos: Tools flag anything with a high score, even when it’s harmless in your setup, and people end up removing important components just to silence alerts.

  • Rushed, Random Scores: When a CVE ships without a score, third parties like CISA add one without the project’s context, and often get it wrong.

  • Scores Don’t Make Sense: CISA gave a cURL flaw a 9.1 critical rating that the cURL team had assessed as low severity.

Now, instead of CVSS, cURL uses a simpler system: low, medium, high, and critical. Go has done the same, leaning into context-driven assessments.

How did you like this edition?

Or just hit reply and share your thoughts with me! Nothing beats making new friends :)
