Need a penetration test?
Contact us for a no-obligation conversation about your security needs.
Do you use libraries, SDKs, or other software components developed by third parties? Here are some tips on how to integrate these tools while keeping control over your own development.
Assess the value of each dependency. Some commonly used software components consist of only a few lines of code, yet each additional dependency increases your system's attack surface. If a single library offers multiple features, integrate only the ones you actually need: enabling the minimum set of features reduces the code you expose and the number of flaws you inherit.
Choose maintained software, libraries, and SDKs:
If you want to use free or open source software, choose projects or solutions with an active user group, regular updates, and good documentation.
If you use other solutions with commercial support, make sure maintenance and updates are contractually guaranteed for the entire lifetime of your project.
Consider privacy protection. Some SDKs or libraries finance themselves by collecting personal data from the applications or websites they are integrated into. Make sure such third parties comply with applicable personal data legislation, including a mechanism for user consent.
If you use cryptographic mechanisms, it is strongly discouraged to implement your own cryptographic algorithms or protocols. Instead, choose reputable, maintained, and well-documented cryptographic libraries.
Read the documentation and change default configurations. It is important to understand how your dependencies work. Third-party libraries and SDKs are often delivered with default settings that are rarely changed, which can result in security holes.
Audit your libraries and SDKs. Do you really know what all your dependencies do? What data is sent through these dependencies, and to whom? An audit can help you identify the necessary data protection measures and establish the distribution of responsibilities.
Map your dependencies. Third-party libraries and SDKs pull in components of their own. Reviewing their code and their dependency manifests (lock files) helps you map the full transitive tree, so that you can act quickly when one of them has a vulnerability. It is also recommended to conduct security audits of your third-party components and to monitor them continuously.
Be aware of typosquatting and other malicious techniques. Check the names of your dependencies and of their underlying dependencies character by character, since a typosquatted package typically differs from the legitimate one by a single letter or a transposed pair. Do not copy commands from unknown sources without verifying them.
Use dependency management systems (such as yum, apt, maven, or pip) to keep track of your dependencies, and pin exact versions in a lock file so that every build resolves the same set of components.
Manage updates of your dependencies, especially security updates that close known vulnerabilities. You should establish a documented procedure to implement and deploy updates as quickly as possible.
Be aware of libraries and SDKs reaching end-of-life support, as they will no longer be maintained. Find an alternative solution in good time (new library or renewal of commercial support).
Monitor the status of open source projects, especially changes to domains or ownership of packages, as some attacks exploit malicious updates of popular dependencies.
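The following is an added example, not code from the original page, showing how the mapping, typosquatting and dependency-management advice above can be turned into an automated check over a pip requirements file. The requirements text and the allowlist of known package names are constructed for illustration; a real allowlist would come from your own inventory. It flags entries that are not pinned to an exact version, entries without a `--hash` (so they cannot be installed under pip's `--require-hashes` mode), and unknown names that sit within a small edit distance of a known package.

```python
"""Dependency hygiene checks for a pip requirements file (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample requirements file (not from a real project).
# The sha256 value is a placeholder, not a real package hash.
REQUIREMENTS = """\
# pinned and hash-locked: the shape every entry should have
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.0.7          # pinned, but no hash
reqeusts>=2.0           # one transposition away from "requests"
flask                   # no version at all
"""

# Constructed allowlist of names you have already audited and approved.
KNOWN_PACKAGES = {"requests", "urllib3", "flask", "django", "numpy"}

# Maximum edit distance at which an unknown name is treated as a lookalike.
TYPOSQUAT_DISTANCE = 2

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


@dataclass(frozen=True)
class Requirement:
    name: str          # normalized project name
    spec: str          # version specifier and extras, e.g. "==2.31.0"
    hashes: tuple[str, ...]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[Requirement]:
    """Parse the subset of requirements syntax used above: name, specifier, --hash options."""
    reqs: list[Requirement] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        match = NAME_RE.match(tokens[0])
        if not match:
            continue                          # URLs, -r includes etc. are out of scope here
        name = normalize(match.group(0))
        spec = tokens[0][match.end():]
        hashes = tuple(t.split("=", 1)[1] for t in tokens[1:] if t.startswith("--hash="))
        reqs.append(Requirement(name, spec, hashes))
    return reqs


def check(req: Requirement, known: set[str] = KNOWN_PACKAGES) -> list[str]:
    """Return the list of findings for one requirement (empty list means clean)."""
    findings: list[str] = []
    if "==" not in req.spec:
        findings.append("unpinned: no exact version (==)")
    if not req.hashes:
        findings.append("no hash: --hash missing, cannot install with --require-hashes")
    if req.name not in known:
        # Unknown name: look for an approved package it may be impersonating.
        closest = min(known, key=lambda k: levenshtein(req.name, k))
        if levenshtein(req.name, closest) <= TYPOSQUAT_DISTANCE:
            findings.append(f"possible typosquat of {closest}")
        else:
            findings.append("unknown package: not in the approved inventory")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Map each dependency name to its findings, for the whole requirements file."""
    return {req.name: check(req) for req in parse_requirements(text)}


if __name__ == "__main__":
    for name, findings in audit(REQUIREMENTS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{name}: {status}")
```

Run it against your own `requirements.txt` by replacing `REQUIREMENTS`; once every entry carries a pin and a hash, `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest does not match, which closes the door on a malicious re-upload of the same version number.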