loading...
Cover image for 3rd party libraries, are they a risk?

3rd party libraries, are they a risk?

nombrekeff profile image Manolo Edge ・1 min read

I've always heard that using 3rd party libraries is a risk for the security of an enterprise application.

Third party libraries represent one of biggest, and possibly most overlooked, threats to enterprise security. That’s because open source components are regularly used by enterprise application developers to speed development and avoid “re-inventing the wheel”. Third party code makes up between 30 percent and 90% of typical applications...

Quote from Third Party Libraries: the Swiss Cheese of App Security

I've always wondered if this is also the case for web development, as a lot of 3rd party dependencies are used all over the place.

And stuff like what happened with eslint-scope...

What do you think? Should we be considering more what libraries and 3rd party software we use?

Posted on by:

nombrekeff profile

Manolo Edge

@nombrekeff

I don't know... I just code and they pay me!

Discussion

pic
Editor guide
 

On the one hand, yes external libraries are a risk vector, especially when they themselves are built on top of many other libraries, and so on...

On the other hand, widely used and well-trusted libraries will often have security-conscious people around to report and fix issues, and larger projects may even have rapid response teams specifically to handle security issues. CVE Advisories are published about vulnerabilities too, which helps organizations figure out how to respond when some security risk is discovered.

(And related to the CVE reports, some code hosts (like Github) will automatically alert you when there is a dependency for your project w. a reported vulnerability, and even automatically prepare a pull request with a commit that bumps the version number for a dependency that was fixed)

The same may-or-may not be true for an internal codebase. The safety of that code would depend on the strength of the internal teams supporting it, and so in practice it seems like any organization that is capable of being smart about their own internal decisions would also be smart about auditing any potential dependencies their projects rely on.

It is definitely important to be thinking about these issues, and then carefully considering risk/reward tradeoffs rather than just assuming one way or another. So this is a great question to ask!

 

some code hosts (like Github) will automatically alert you when there is a dependency for your project w. a reported vulnerability

This is a great feature, I've used it in a couple of libraries I created and maintain, really helpful.

It is definitely important to be thinking about these issues, and then carefully considering risk/reward tradeoffs rather than just assuming one way or another.

Totally agree, this is something I often tell my friends and colleagues, not just about the security of the dependency, but also about the limitations that library might have in the future, and what I call "using a chainsaw to cut a twig" syndrome.

 

I thought the same; therefore, copy-paste the raw code might be better if the library is small enough.

However, for larger code, people might be doing tests and security for you, as long as you keep up-to-date. Don't forget that the programming language itself is also another big piece of code.