PHP
Alexey Sumin, 2020-11-06 11:03:28

How to ensure project security when using packages from Composer?

We are all used to using Composer in PHP projects, and it is very convenient: I found the required library on GitHub, added it to the project, and the task is solved. But what about security if the project works with billing or personal data, given that the plugged-in library has full access to the project and can, for example, leak any internal data?
Checking packages manually is unrealistic, because each package depends on many others, and those on third ones, and so on.
The advice "choose only proven and popular ones" does not work either; the right package will not always be popular.


5 answer(s)
Andrey Gavrilov, 2020-11-06
@thexaver

You answered your own question

Daria Motorina, 2020-11-06
@glaphire

1) Each version of PHP has its own set of vulnerabilities; you need to keep to packages that work with the latest versions of PHP.
2) For projects, there are paid security scanners (vulnerability or security scanners); they can detect vulnerabilities, including in packages.
3) If some logic is critical and there is no trust in ready-made packages, then you can write your own package from scratch and connect it from a closed corporate repository.
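A concrete form of the package scan described in the answer above, as an added example that is not part of the original thread or of Composer itself: a small audit over a constructed `composer.lock` and `composer.json`. It applies the checks a reviewer would want before trusting a dependency tree: every package pinned to a tagged release and a commit reference (so the install is reproducible), every dist archive served from an expected host, every package compared against an advisory list (a constructed sample here; Composer 2.4+ ships `composer audit`, which does this lookup against Packagist's advisory database), and `config.allow-plugins` set to an explicit allow-list, because a Composer plugin runs arbitrary code on the developer's machine during `composer install`. The package names, hashes, hosts and the advisory entry are all constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# --- Constructed sample inputs (not a real project's files) ------------------
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/billing-client", "version": "v2.3.1",
     "source": {"type": "git", "reference": "a" * 40},  # placeholder commit hash
     "dist": {"type": "zip",
              "url": "https://api.github.com/repos/acme/billing-client/zipball/aaaa"}},
    {"name": "example/logger", "version": "dev-main",  # floating branch, no tag
     "source": {"type": "git", "reference": None},
     "dist": {"type": "zip", "url": "https://downloads.example.net/logger.zip"}},
    {"name": "example/crypto-helper", "version": "1.0.4",
     "source": {"type": "git", "reference": "b" * 40},
     "dist": {"type": "zip",
              "url": "https://api.github.com/repos/example/crypto-helper/zipball/bbbb"}},
]})

SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {"acme/billing-client": "^2.3"},
    "config": {"allow-plugins": True},  # weak: every package may run install-time code
})

# Constructed advisory list: package -> [(affected version constraint, label)].
SAMPLE_ADVISORIES = {
    "example/crypto-helper": [(">=1.0.0,<1.1.0", "ADVISORY-PLACEHOLDER (constructed)")],
}

# Hosts from which dist archives are expected; anything else is flagged.
ALLOWED_DIST_HOSTS = {"api.github.com", "repo.packagist.org"}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def _parse_version(version):
    """'v1.2.3' -> (1, 2, 3); None for branch aliases such as 'dev-main'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def satisfies(version, constraint):
    """True if a tagged version lies inside a constraint like '>=1.0.0,<1.1.0'."""
    parsed = _parse_version(version)
    if parsed is None:  # untagged versions cannot be matched, caller flags them anyway
        return False
    for part in constraint.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*(\S+)", part.strip())
        if m is None:
            raise ValueError(f"unsupported constraint: {part!r}")
        if not _OPS[m.group(1)](parsed, _parse_version(m.group(2))):
            return False
    return True


def audit(lock_text, composer_json_text, advisories):
    """Return a list of human-readable findings for the lock file and config."""
    issues = []
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg["name"], pkg["version"]
        if _parse_version(version) is None:
            issues.append(f"{name}: not pinned to a tagged release ({version})")
        ref = (pkg.get("source") or {}).get("reference") or ""
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            issues.append(f"{name}: no commit reference; install is not reproducible")
        host = urlparse((pkg.get("dist") or {}).get("url", "")).hostname
        if host not in ALLOWED_DIST_HOSTS:
            issues.append(f"{name}: dist served from unexpected host {host}")
        for constraint, label in advisories.get(name, []):
            if satisfies(version, constraint):
                issues.append(f"{name} {version}: known advisory {label} ({constraint})")
    allow = json.loads(composer_json_text).get("config", {}).get("allow-plugins")
    if allow is not False and not isinstance(allow, dict):
        issues.append("composer.json: config.allow-plugins is not an explicit allow-list")
    return issues


if __name__ == "__main__":
    for line in audit(SAMPLE_LOCK, SAMPLE_COMPOSER_JSON, SAMPLE_ADVISORIES):
        print(line)
```

Run against a real project by passing the contents of its `composer.lock` and `composer.json` to `audit()` and replacing `SAMPLE_ADVISORIES` with output from `composer audit` or a feed you maintain; the `roave/security-advisories` meta-package is a complementary, install-time control that refuses to resolve known-vulnerable versions at all. The host allow-list is the check that catches a transitive dependency quietly served from somewhere other than the registry you think you are using.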

CityCat4, 2020-11-06
@CityCat4

When working with PD, I would check it manually; this is the kind of area where you can get burned badly, not just financially but with jail time.

Sanes, 2020-11-06
@Sanes

In the contract, you indicate that you undertake not to leave holes knowingly.
There is no other way.

xmoonlight, 2020-11-06
@xmoonlight

Isolate the package in a "sandbox".
