Manage Learn to apply best practices and optimize your operations.

Should third-party software tools be used to customize applications?

Many features and functions required for today's network-ready applications can be purchased at a fraction of the cost that it would take to build them independently. But are they safe enough? Application security expert Michael Cobb explains.

I am an independent IT consultant/software developer, mostly providing application customization for clients, and I am very concerned about potential security issues for the products and services I want to provide. I am interested in expanding my business and accelerating my development time by using some third-party software, add-ins and other various components. What are the most important security best practices that can ensure that my third-party development tools do not expose myself or any of my clients to spyware or viruses.
When it comes to software development, I am a great believer in not reinventing the wheel. There is no point in spending weeks developing a feature if it is available on your chosen development platform as an add-in component. Many features and functions required for today's network-ready applications can be purchased at a fraction of the cost that it would take to build them independently. Many come with extensive support, and provide examples of how to integrate and use the various functions they provide.

But as you point out, how do you know that the components, particularly those downloaded from the Internet, do not contain malicious code that could destroy the integrity of your application? Many popular packages, such as Sendmail and OpenSSH, have been infected with malicious Trojans, and software distributions sites at the Free Software Foundation and SourceForge, for example, have also been successfully compromised in the past.

Firstly, I would be very cautious about using a component for which the source code was not available. Without the source code, you can never be sure of how the component works and what it does and doesn't do. If the source code can't be purchased as part of the component package, which can be the case with more complex components made by more established companies, I would strongly favor those that have been digitally signed. Software digital signatures show which publisher has provided the software package. They also verify that the package has not been tampered with since it was signed.

Code signing does not necessarily guarantee the quality or functionality of the software. Because software vendors' reputations are based on the quality of their code, however, there is an incentive for them to fix any problems. Before installing third-party packages, always check for a vendor's known vulnerabilities and then keep up with any patches and advisories. This will mean subscribing to its mailing list so that you are notified about any problems or issues. Also consider how to update and maintain your own product if one of its components needs urgent patching.

Many software products provide interfaces that enable third-party developers like you to integrate their software. Some vendors of such products, such as German software giant SAP, have set up integration certification programs to ensure the quality of products that interact with their own. If you are looking to develop such a product, I would recommend that you consider joining the relevant program. The program will provide a reference point for the integrity of your own work.

More information:

  • Use threat modeling to improve Web application security.
  • Should fuzzing be a part of the secure software development process? Michael Cobb explains.
  • This was last published in July 2007

    Dig Deeper on Secure software development