No, you cannot trust third party code without reading it first

Published on 2022-08-11. Modified on 2022-11-03.

A lot of bad practice has permeated the software development industry. One such practice is to blindly trust the code in third party libraries, frameworks or packages. The reason this happens is that people want to build things quickly in order to save as much money as possible, and they don't want to spend time on security or even performance. But now such companies are beginning to pay the price, a very costly and highly damaging one.

As a software developer, whether self taught or schooled with some kind of degree, you have to study the right and proper ways of your craft. Just like a bricklayer needs to know how to align the bricks correctly so they become level, a software developer needs to know security and best practice (I am not talking about theory from hyped up books).

Yet, for some reason, the software industry has become completely overtaken by an almost hysterical and pathetic blind following of hype and trends in which nothing but rapid development and rapid deployment matters.

Well, that is simply not going to work any longer!

When you include third party code in your product, whether it's your own personal product, a project you work on as a freelancer for a client, or a product of a company that has hired you, you need to read the code you include, even if it is a well known and popular package!

At the same time you have to explain to your client or your boss the importance of doing this. No matter how important it is for the client or the company to get working code delivered fast, you have to teach them that this practice just doesn't work, and that they have misunderstood something, because THIS IS NOT HOW REAL SOFTWARE IS MADE!

Supply-chain attacks are becoming an almost daily problem, especially in open source software repositories, and hardly anybody reads the code they include, least of all when a package manager like Cargo, Composer, npm or pip pulls it in, together with all of its transitive dependencies.

It doesn't matter whether you use such tools, or whether you manually download third party code from GitHub or somewhere else, you must read the code just as if you had written it yourself. You need to make sure that every line of code that goes into your project is safe. And when the code changes, you need to diff the new version against the version you reviewed, and pin the exact version (and, where the package manager supports it, its hash) so that what gets installed is what you actually read.
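What such a review gate can look like in practice, as an added example that is not part of the original post: two vendored snapshots of a package are compared, the snapshot that was read and approved and the version the package manager wants to pull in. The script prints a unified diff of every changed file and flags added lines that match patterns commonly found in malicious packages (hidden code execution, decode-then-exec chains, process spawning, outbound network calls, install-time hooks). The package contents and the pattern list are constructed for this example; the list is a starting point for a human reviewer, not a substitute for reading the diff.

```python
"""Review gate for a third-party dependency update (added example).

Compares the reviewed snapshot of a package with a candidate update,
produces a unified diff per file, and flags added lines that look like
the tricks seen in malicious packages. Sample package contents below are
constructed for the example.
"""
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample: the snapshot that was read and approved.
REVIEWED = {
    "setup.py": "from setuptools import setup\n\n"
                "setup(name='demo', version='1.0.0', packages=['demo'])\n",
    "demo/__init__.py": "def add(a, b):\n    return a + b\n",
}

# Constructed sample: the update the package manager wants to install.
# Besides the version bump it adds a decode-and-exec payload that runs
# at import time, the pattern used by many PyPI stealers.
CANDIDATE = {
    "setup.py": "from setuptools import setup\n\n"
                "setup(name='demo', version='1.0.1', packages=['demo'])\n",
    "demo/__init__.py": (
        "import base64\n"
        "def add(a, b):\n"
        "    return a + b\n"
        "exec(base64.b64decode('cHJpbnQoImhpIik='))\n"
    ),
}

# Heuristics (assumed list, extend for your ecosystem): each added line
# matching one of these is reported for manual review.
SUSPICIOUS = [
    ("code execution", re.compile(r"\b(exec|eval)\s*\(")),
    ("decoded payload", re.compile(r"b64decode|fromhex|zlib\.decompress|marshal\.loads")),
    ("shell / process", re.compile(r"subprocess|os\.system|os\.popen")),
    ("network", re.compile(r"urllib|requests\.|socket\.|http\.client")),
    ("install hook", re.compile(r"cmdclass|\bpreinstall\b|\bpostinstall\b")),
]


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Unified diff per file; files present on only one side are included too."""
    diffs: Dict[str, List[str]] = {}
    for path in sorted(set(old) | set(new)):
        a = old.get(path, "").splitlines(keepends=True)
        b = new.get(path, "").splitlines(keepends=True)
        lines = list(difflib.unified_diff(
            a, b, fromfile=f"reviewed/{path}", tofile=f"candidate/{path}"))
        if lines:  # unchanged files produce no diff at all
            diffs[path] = lines
    return diffs


def flag_added_lines(diffs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, reason, line) for every added line matching a pattern."""
    findings = []
    for path, lines in diffs.items():
        for line in lines:
            # Only '+' content lines; skip the '+++ candidate/...' header.
            if not line.startswith("+") or line.startswith("+++"):
                continue
            added = line[1:].rstrip("\n")
            for reason, pattern in SUSPICIOUS:
                if pattern.search(added):
                    findings.append((path, reason, added))
    return findings


def review_update(old: Dict[str, str], new: Dict[str, str]):
    """(approved, diffs, findings): approved only when nothing was flagged."""
    diffs = diff_snapshots(old, new)
    findings = flag_added_lines(diffs)
    return len(findings) == 0, diffs, findings


if __name__ == "__main__":
    ok, diffs, findings = review_update(REVIEWED, CANDIDATE)
    for path, lines in diffs.items():
        print("".join(lines))
    for path, reason, line in findings:
        print(f"FLAG [{reason}] {path}: {line}")
    print("approve" if ok else "needs human review")
```

Even an approved result only means that nothing in the added lines tripped a heuristic; the diff is still printed in full because the whole point is that a human reads it. A rename of a vendored directory, a new dependency in the package metadata or a changed URL will not match any pattern and still deserves attention.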

Of course you cannot do that with everything. You cannot read all the source code of the kernel of the operating system you're running, and you cannot read all the code that makes up the compiler or interpreter you're using. But that is not the point at all; some level of trust is always required.

However, you MUST do it when you're dealing with code you are importing! This is when it becomes your responsibility.

If everyone does that, it follows all the way down the supply chain, to the compiler, the interpreter, the operating system, the kernel, etc. And that is how we protect our code and each other, by making sure that the code doesn't contain anything it shouldn't.

This is actually a very basic responsibility of the software developer.

In December 2020 a supply-chain attack attributed to Russian state hackers, delivered through the SolarWinds Orion business software, wreaked complete havoc. The attackers compromised SolarWinds' build system so that official, signed Orion updates carried a backdoor. Reportedly more than 100 companies and at least nine US federal agencies were affected, including the National Nuclear Security Administration, the Internal Revenue Service, the State Department, and the Department of Homeland Security. Note what that case shows: the malicious code was injected during the build and never appeared in the source, so reading the code is necessary but not sufficient. You also have to verify that the artifact you deploy is actually built from the code you read, which is what reproducible builds and pinned hashes are for.

See Phylum's report "Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack" for a more recent example.

Contrary to legal proceedings, in which a person is presumed innocent until proven guilty, when you're dealing with software development you need to consider the software malicious until proven safe!

Yes, this is a drain on resources and time without any "immediate payoff", but that's how it needs to be. There must never be a "quick fix" in software development when the software is important or critical. If you cannot afford to do that, then you shouldn't be doing it at all.

Just like you can't fly a rocket into space without a ton of safety measures, you cannot develop important software without a ton of safety measures. It's nothing new; it has just been abandoned, ignored, and frowned upon by greedy people.