M.16) Use external source code

Category:        Development, throughout the development lifecycle

Responsible:   PSR

Effort:              low

Based on:       Recommendation of the author (Finding during Rentog implementation)

In web development it is state of the art to build new projects upon proven and well tested frameworks. It is also common to include extern source code in form of libraries and packages into the own source code. Including external code can be good, because if a package is already used by thousands of people over many years it can be considered well tested, highly performant and probably more secure than the own code.

Therefore it is recommended to use such kind of (trusted) libraries. Especially authentication, authorization and crypto libraries should be considered, because they have been created by experts (this has to be checked by the PSR) and have been used and tested thousands of times. The configuration of these libraries is very important and should be done by the PSR, since he/she is the person with information security knowledge.

Remark

On the other hand external code is also a risk. For hackers it’s more lucrative to find exploits in code which is used very often, because then they can attack many different kinds of services with a single exploit. Also if untrusted external software packages are included there is a risk of implementing malicious code into the product.

Because of these issues it is necessary that the PSR checks each external library for trust and known vulnerabilities. Like described in M.13 it is possible to automate the monitoring of third party libraries. In case of a new threat the PSR will get an email and can react to such threats.

 

 

Disclaimer

The information contained in this website is for general information purposes only. You can find more information about the accuracy of the information on the disclaimer and terms and conditions pages.