How to stay safe when inheriting third-party code

So you downloaded a code library to help you! Awesome. Now what? 

All software has vulnerabilities, and when you use a downloaded code library, what you’re getting is code you can't maintain. But fear not, here’s a practical guide to choosing good libraries and taking care of them once they’re yours.

In this blog post, we'll explore actionable steps for choosing secure libraries and offer tips on how to take care of them once they become part of your system.


Five steps to choosing the right library or dependency

As software developers, we rely on libraries and dependencies to build robust and efficient applications. But integrating third-party code into our projects introduces potential security risks. 

That’s why it's crucial to make informed decisions when selecting libraries and to actively maintain them throughout the development lifecycle. 

Let’s go through the five steps that will help you do that.

Step 1: Assess library reliability and popularity

When considering a new library or dependency, it's essential to evaluate its reliability and popularity within the developer community. Look for libraries with active maintenance, regular updates, and a strong user base. Popular libraries tend to have more eyes on them, which leads to faster issue resolution, enhanced security measures, and better community support.

Step 2: Examine the security track record

Investigate the library's security track record by reviewing its history of vulnerabilities, bug reports, and fixes. Check for any reported incidents and how promptly the library maintainers addressed them. A library with a consistent track record of addressing security concerns indicates a proactive and reliable development team.

Step 3: Review documentation and community support

Thoroughly examine the library's documentation and assess its clarity, comprehensiveness, and active maintenance. Good documentation is essential for understanding how to use the library securely and efficiently. Additionally, explore the library's community support channels, such as forums or chat groups, to gauge the responsiveness of the community and the developers behind the project.

Step 4: Analyze code quality and auditing practices

Would you allow a PR to merge with your project without reviewing the code first? Of course, you wouldn’t — you’re way smarter than that! And third-party code should be no different.

Take a closer look at the library's code quality and auditing practices. Assess the library's source code by examining factors such as code complexity, adherence to best practices, and proper error handling. Also, check if the library has undergone security audits or code reviews conducted by independent experts. Publicly available audit reports add an extra layer of trust and confidence in the library's security.

Step 5: Consider compatibility and dependencies

Remember, third-party components often come with a list of transitive dependencies and additional code.

Evaluate how well the library integrates with your existing codebase. Check its compatibility with your development stack, programming language, and other dependencies. Assess the library's dependency tree, ensuring that its dependencies are secure and actively maintained. A chain is only as strong as its weakest link, so prioritize libraries with minimal and trusted dependencies.

So what happens once you’ve picked the library? 

Like most cool things (say, adopting a puppy), we have to accept new obligations with our new technology — and one of those obligations is to make sure that our newly inherited code remains safe and suitable for use.

Taking care of your libraries and dependencies

Step 1. Keep a clean code base and regularly update your libraries 

I know, there are many reasons why we all have an old version of something or other somewhere in our stacks. But we need to do better.

Stay vigilant and keep your libraries up to date. Follow the library maintainers' announcements, security bulletins, and release notes to ensure you're aware of any security patches or bug fixes. Use dependency management tools that facilitate automatic updates or regularly check for new versions.

Step 2. Stay informed: you can’t respond if you don’t know something happened 

Subscribe to relevant security mailing lists, vulnerability databases, or security notification services to receive timely alerts about potential security issues related to your libraries. Be proactive and act promptly to address any reported vulnerabilities. Engage with the library's community by taking part in forums, discussion groups, or attending conferences. Stay on top of the latest developments, security practices, and emerging trends in the libraries you rely on.

Step 3. Look for changes over time by reviewing libraries on a regular basis

As time passes, more vulnerabilities are discovered and our scanning and audit tools improve. This makes it really important that we do periodic reviews, particularly of code that’s no longer being actively developed. Use static code analysis tools or consider involving external security experts to find any vulnerabilities or misconfigurations.

Step 4. Nothing lasts forever, so have a retirement plan 

Periodically review your libraries and dependencies to identify outdated, deprecated, or unmaintained ones. Plan for their replacement or removal to minimize security risks associated with unsupported code.

Like it or loathe it, we all use third-party libraries and components and their risks often become ours to manage. Having a process for choosing the right, secure libraries and dependencies doesn’t take much time and can save you a lot of pain through the course of your system’s life.


Previous
Previous

Sprint #1: Start where you are

Next
Next

What is SBOM and why should we care?