open source
Alexander Shokhrov, 2020-05-28 00:47:27

How to find libraries/software you can trust (especially PHP, JS)?

Currently I'm mainly interested in PHP on the back end and JS on the front end, so the question is asked primarily within these two language ecosystems.

Today a number of languages have repositories and package managers; for these two they are Packagist/Composer and npm. As far as I understand, the security audit there amounts to post-moderation, that is, malicious packages are removed on the basis of reports. In principle that is logical: who is going to analyze megatons of code for this?

The question is how to find, in this mass, libraries about which I can be sure, if not of the complete absence of holes, then at least of the competence and good intentions of their author. I imagine the following hierarchy of "borrowed code" security policies:

1. Writing and knowing all the code yourself is an ideal to strive for;
2. Read and know all the code yourself;
3. Follow the choice of trusted authorities who use an approach no worse than No. 2 (maybe No. 3; the main thing is to break the recursion) - choose the same as the experts and pray;
4. Follow the choice of the majority and choose popular libraries - look at the download counter and pray;
5.1. Just use what fits and pray;
5.2. Just use what fits and don't pray.

The complexity of #1 and #2 grows in proportion to the size of the codebase; #3 requires a skillful selection of experts and a clear definition of their trust in specific libraries; #4 relies more on statistics and luck than on anything scientific; #5.x is, in fact, no policy at all.

Accordingly, #3 looks the most balanced to me, and I roughly sketched out for myself (→ GitHub ... ) how it might look. In that sketch I took as experts such heavyweights as the makers of popular operating systems and web browsers, Internet regulators and well-known web companies.

I would like to know from experienced developers what the correct approach to choosing libraries usually looks like, whether there are public "white lists" of safe software, and whose opinion can be considered an expert.

Thank you for your attention.

upd: As rightly noted, there can be two scales of trust: regarding unintentional vulnerabilities (skill) and deliberate backdoors (decency).


6 answer(s)
GF, 2020-05-28
@fomenkogregory

Lots of stars on GitHub, lots of npm installs, means a solid package. That's all :) But as you rightly noted, in any case you still have to

pray

Nikolay, 2020-05-28
@SODINNER

What makes you think your own code will be better and safer? Usually it's the other way around. Libraries are supported by dozens or hundreds of programmers who improve them and fix bugs and vulnerabilities.
You need to test your product yourself; an ideal system without holes, one that cannot be hacked, simply does not exist. It's only a matter of how much effort and expense it takes to hack the project and whether it would be worth it for someone to take it on.

rPman, 2020-05-28
@rPman

Reliability can mean different things: for some it means there are no errors in the code, for others it means protection from backdoors.
Only a code audit, by your own or a hired third-party specialist/company, can give at least some kind of guarantee; everything else is:

pray

Let me remind you of an example: a crypto wallet project (a browser extension, it seems, for EOS if I'm not mistaken) was attacked by one of the developers of a library it used. That is, while the project was being developed everything was fine; as soon as it went into use, the attacker added theft of private keys to the code, and after the extension's developers released their next update, a lot of money was lost.

Robur, 2020-05-28
@Robur

This is about JS and npm; I don't know other areas.
This is a big, serious problem with no easy solution.
If the absence of backdoors is important to you, then the only way out is your own repository in which all the code is trusted.
Otherwise, even if you install a module with 10k stars, somewhere at the 20th level of nesting it will depend on some left-pad, into which someone will go and put a backdoor.
Look at things like https://snyk.io/. I don't know to what extent they audit modules.

xmoonlight, 2020-05-28
@xmoonlight

and whose opinion can be considered an expert.
No one's, even if you yourself wrote your code from scratch from beginning to end.
There are many levels of protection against "outsiders": source code audit, profiling of important code sections and searching for leaks, code vulnerability scanners both offline and at run time, control of the execution environment, control of network activity.
Only controlling the permissions of the execution environment will protect you from the negative consequences.
A simple solution: "proxy" requests between your code and someone else's in both directions and check the data with regular expressions.

Leonid, 2020-05-30
@caballero

That's what testing is for: a system for finding errors. Whatever is revealed in operation gets corrected; it's fine. You are solving a problem that isn't worth a damn.
Most of the little mistakes will be in your own code and not in the code of the libraries you use.
