No, you cannot trust third party code without reading it first
Published on 2022-08-11. Modified on 2022-11-03.
For more than a decade I have been thundering against a lot of the bad practices that have permeated the software development industry. One such practice is to blindly trust code when using third party libraries, frameworks or packages. For about the same amount of time I have listened to all the reasons why time is money, why we need to build something quickly, and why we haven't got the time to do security or X, Y and Z. But alas, now such companies are beginning to pay the price, a very costly and extremely damaging price!
As a software developer, whether self taught or schooled with some kind of degree, you have to study the right and proper ways of your craft. Just like a bricklayer needs to know how to align the bricks correctly so they become level, so does a software developer need to know security and best practice (I am not talking about theory from hyped up books).
Yet, for some reason the software industry has become completely overtaken by an almost hysterical and pathetic blind following of the latest hype and trends, just like the fashion industry. Even when everything is evidently running very badly, slowly turning into a disaster, they just stick their fingers in their ears and make loud la-la noises in order to keep going.
Well... You simply cannot do that anymore!
When you include third party code in your product, whether it's your own personal product, or a project you work on as a freelancer for a client, or it's a company that has hired you, you need to read the code you include, even if it is a well known third party popular package! And you have to teach your client or boss the importance of this and not let pressure get to you. No matter how important it is for the client or the company to get working code delivered fast, you have to teach them that this practice just doesn't work, and that they have misunderstood something, because this is not how real software is made!
It doesn't matter whether you pull code in through a package manager or other tooling, or whether you manually download third party code online from GitHub or somewhere else: you need to ALWAYS read the code, just as if you had written it yourself. You need to make sure that every line of code that goes into your project is safe.
Of course you cannot do that with everything. You cannot read all the source code for the kernel of the operating system you're running, and you cannot read all the code that makes up the compiler or interpreter you're using, but that is not the point at all; some level of trust is always required. The point is that you need to do it when you're dealing with code you are writing and importing! That's when you need to do it. That's when it becomes your responsibility. When everyone takes that responsibility, it follows through all the way down the supply line, to the compiler, the interpreter, the operating system, the kernel, etc.
That is the very basic responsibility of the software developer!
Just recently a supply-chain attack by Russian hackers through the SolarWinds business software wreaked complete havoc. They managed to infect more than 100 companies and at least nine US federal agencies, including the National Nuclear Security Administration, the Internal Revenue Service, the State Department, and the Department of Homeland Security.
Update 2022-11-03: See "Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack" for a more recent example.
Contrary to normal proceedings in a legal matter, where a person is considered innocent until proven guilty, when you're dealing with software development you need to consider the software malicious until proven safe.
Yes, this is a drain on resources and time without any "immediate payoff", but that's how it needs to be, and that's how it has always needed to be. You're in software development: deal with it, or find something else to do. Just like you can't fly a rocket into space without a ton of safety measures, you cannot develop software without a ton of safety measures. It's nothing new; it has just been abandoned, ignored, and frowned upon by greedy people and people who get hypnotized by shiny hype.