Is it safe to use third-party code when developing database applications?

Michael Cobb explains how you can safely use third-party code, such as DLLs, when developing database applications.

I'm learning how to program on my own. In the last nine months I taught myself VBA for Microsoft Access 2007, and I created some impressive database applications for my company. Now I'm interested in moving to Microsoft Visual Studio with interest in C# and VB.NET. I have a question about the multiple files that are usually found in boxed software applications. I know there are DLLs and other files that hold configuration information, but how are these files created? Are they something the programming environment creates somewhat automatically, or are they created manually during the design and coding process? Are there any security implications for the way these files are made?

When you're developing an application there are two sets of code that you need to ensure are secure - that is they

don't contain flaws of bugs that could be used to compromise the application or the data it handles - your code and code from third-parties. From your question it sounds like you are making good progress in learning how to develop software applications by my concern is whether are you coding securely, that is using security features correctly and writing code that can withstand attack. Although there are literally thousands of examples and tutorials on the Internet explaining how to add fancy features to an application, not so many cover how to ensure those fancy features don't make it vulnerable to attack.

I would strongly recommend that you take time to visit the OWASP (Open Web Application Security Project) Web site. Although their main focus is on Web-based applications there's a lot of security-related information relevant to any type of application. They also have an OWASP.NET project, which aims to provide a central repository of information and tools for software professionals that use the Microsoft .NET Framework. Another essential read is Microsoft's Secure Coding Guidelines.

A lot of the topics covered will seem rather daunting at first, but it's important that you get to grips with the security issues they cover. A good resource to introduce you to secure coding is Microsoft MSDN Security and the section on writing secure code. There are also various books by Michael Howard, a Microsoft software security expert, that you may be interested in, including "Writing Secure Code," "24 Deadly Sins of Software Security" and "The Security Development Lifecycle." Hopefully if you start to incorporate what you learn from these resources your next application will be robust and able to withstand attack.

Developers naturally want to create applications as quickly as possible. To speed up development, most developers use code that has been written by someone else, adapting it for their own purposes. This is fine as long as all this third-party code is understood and inspected and not merely pasted into the application. Another shortcut is to use libraries or modules written by other developers, such as a spell-checker or charting tool. These often are in the form of DLLs which you will need to distribute with your own application. And yes there are security implications in using such third-party add-ons.

How do you know that a third-party component doesn't contain malicious code or has been compromised by an attacker? You should certainly never download components for your application from untrusted sources and I would be reluctant to use any component where the source code wasn't available unless it was from a well-known vendor. If a program is compromised at the point of creation, there is no limit to the malicious actions that it can perform. This is why many firms in the finance industry, who increasingly build their software from reusable components or rely on third-party developers, are now scanning all such components for possible backdoors or malicious code.

Finally many of the DLLs that your program will need to have access to in order to run will be created or added by your complier automatically. A virus last year attacked the Delphi code compiler by infecting a component within the Delphi library. It then infected other programs during the compilation process, turning the compiled code into a virus delivery system. This shows why it's essential that you only use genuine licensed compilers and that you ensure your development environment is kept secure. The computer you use for developing your applications should be a single use machine and kept physically secure as well as being protected by AV and antimalware programs. Good luck with your next project.

For more information:

This was first published in March 2010

Dig deeper on Software Development Methodology



Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: