Third-party software components are frequently used to implement functionality within applications. When program libraries, plug-ins and add-ons from other vendors or open source projects are used, they should be checked for robustness and security, and their use should be checked against the applicable licensing regulations.
10.1 What are the threats facing us and our customers?
New Attack Vectors by External Modules
Modules from external vendors may contain technical weaknesses, which may create new attack vectors once the modules are integrated into our products. Even if our own developments contain no weaknesses, insecure modules can lead to a compromise of systems and thus represent a danger to customer data.
If external modules pose a threat to our users, this can also damage the customer's reputation: the origin of malicious code is not directly traceable for many users and can easily be attributed to customer applications. We should therefore take all possible safeguards, check any foreign module before using it, and only use modules from trusted sources.
Just as important as the robustness and safety of third-party modules is compliance with the applicable licensing regulations:
· Can we use the module?
· What are the consequences and obligations for us from the use?
10.2 What should we consider during development?
Check Trustworthiness and Robustness
Before using third-party modules, the trustworthiness of the source as well as the robustness and security of the libraries should be checked. Initial indications are often found in forums or mailing lists in which bugs or errors are reported:
· Have there been a lot of bug reports in the past?
· Are there known security vulnerabilities?
· How were bug reports and security issues handled?
· Are patches and updates regularly provided?
· Is the module still actively developed, or was the last version released a long time ago?
Check License Terms
The applicable licensing regulations must be checked before using third-party modules. In the case of version changes as well (for example, after updating a third-party module), it should be checked whether the license has changed and whether such a change has negative implications.
Version Control and Inclusion in Patch Management
When using third-party modules, the latest stable releases should be used. In addition, the modules should be included in patch management, so that a check for new versions is run regularly.
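The three checks described in this section (known vulnerabilities in a pinned version, releases that have fallen behind the latest stable version, and license changes that an update would bring in) can be run together over a dependency manifest. The following Python script is an added example and not part of the original guideline; every package name, version, advisory identifier and license assignment in it is constructed for illustration and describes no real project or real vulnerability. It assumes a pinned `name==x.y.z` manifest and a locally available advisory feed, release list and license registry; in practice these would come from a CVE database and the package index.

```python
"""Added example: review pinned third-party modules for known vulnerabilities,
outdated releases and license changes on upgrade.

All data in this file (packages, versions, advisories, licenses) is
constructed for illustration and does not describe real software.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_requirements(manifest: str) -> Dict[str, Version]:
    """Parse pinned 'name==x.y.z' lines; comments and blank lines are skipped.
    Unpinned lines are rejected, because a floating version cannot be reviewed."""
    deps: Dict[str, Version] = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps[match.group(1).lower()] = parse_version(match.group(2))
    return deps


@dataclass(frozen=True)
class Advisory:
    """One published vulnerability record (constructed; ids are placeholders)."""
    advisory_id: str
    package: str
    introduced: Version  # first affected version (inclusive)
    fixed: Version       # first fixed version (exclusive upper bound)

    def affects(self, version: Version) -> bool:
        return self.introduced <= version < self.fixed


def find_vulnerable(deps: Dict[str, Version], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """(package, pinned version, advisory id) for each advisory hitting a pinned version."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv.package)
        if pinned is not None and adv.affects(pinned):
            hits.append((adv.package, fmt(pinned), adv.advisory_id))
    return sorted(hits)


def find_outdated(deps: Dict[str, Version], latest: Dict[str, Version]) -> List[Tuple[str, str, str]]:
    """(package, pinned, newest) for packages behind the latest stable release.
    A package missing from the release feed is reported as 'unknown': patch
    management cannot track what it cannot look up."""
    out = []
    for pkg, pinned in deps.items():
        newest = latest.get(pkg)
        if newest is None:
            out.append((pkg, fmt(pinned), "unknown"))
        elif pinned < newest:
            out.append((pkg, fmt(pinned), fmt(newest)))
    return sorted(out)


def check_license_on_upgrade(deps: Dict[str, Version], latest: Dict[str, Version],
                             licenses: Dict[Tuple[str, str], str],
                             approved: Set[str]) -> List[Tuple[str, str, str]]:
    """For each pending upgrade, compare the license of the pinned and the newest
    version; report (package, old, new) when it changed or is not on the approved list."""
    findings = []
    for pkg, pinned in deps.items():
        newest = latest.get(pkg)
        if newest is None or newest <= pinned:
            continue
        old = licenses.get((pkg, fmt(pinned)), "unknown")
        new = licenses.get((pkg, fmt(newest)), "unknown")
        if old != new or new not in approved:
            findings.append((pkg, old, new))
    return sorted(findings)


def review(manifest: str, advisories: List[Advisory], latest: Dict[str, Version],
           licenses: Dict[Tuple[str, str], str], approved: Set[str]) -> dict:
    deps = parse_requirements(manifest)
    return {
        "vulnerable": find_vulnerable(deps, advisories),
        "outdated": find_outdated(deps, latest),
        "license_changes": check_license_on_upgrade(deps, latest, licenses, approved),
    }


# --- constructed sample data (not real packages, advisories or licenses) ---
REQUIREMENTS = """
# constructed manifest for the example
imagekit==1.4.2
jsonlib==2.0.0
fastcrypto==0.9.1
"""
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "imagekit", introduced=(1, 0, 0), fixed=(1, 4, 5)),
    Advisory("ADV-EXAMPLE-2", "fastcrypto", introduced=(0, 9, 0), fixed=(1, 0, 0)),
    Advisory("ADV-EXAMPLE-3", "jsonlib", introduced=(1, 0, 0), fixed=(2, 0, 0)),  # fixed in pinned version
]
LATEST_RELEASES = {"imagekit": (1, 5, 0), "jsonlib": (2, 0, 0), "fastcrypto": (1, 0, 0)}
LICENSES = {
    ("imagekit", "1.4.2"): "MIT", ("imagekit", "1.5.0"): "MIT",
    ("jsonlib", "2.0.0"): "Apache-2.0",
    ("fastcrypto", "0.9.1"): "BSD-3-Clause", ("fastcrypto", "1.0.0"): "AGPL-3.0",
}
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

if __name__ == "__main__":
    for key, findings in review(REQUIREMENTS, ADVISORIES, LATEST_RELEASES, LICENSES, APPROVED_LICENSES).items():
        print(key, findings)
```

In the constructed data, `fastcrypto` shows the situation the License Terms paragraph warns about: the pinned version is affected by an advisory and the fixed release is available, but the update would also switch the module to a license that is not on the approved list, so the upgrade needs a license review before it goes into patch management.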
10.3 Further Information
Overview of terms of common licenses for free software:
http://choosealicense.com/licenses/
Search engine for software licenses (summary of main conditions):
https://tldrlegal.com/
Database for published security vulnerabilities according to the CVE standard:
http://www.cvedetails.com/
Example of how dependencies can be checked on known security vulnerabilities: