Steffen Ullrich

"Access to program source code shall be restricted." does not mean that nobody should be able to access the source code but that it is defined who can access and change the code. The main point is not to have the source code secret but to prevent unauthorized and unaudited changes to the source code.

And this is true for using open source too: one should not simply import and use some code or patches from somewhere without somehow making sure that the code is actually having the expected behavior and only this, i.e. that it does not contain any backdoors and no critical bugs etc. This "somehow making sure" does not mean to audit everything yourself but might also mean to trust upstream distributions and maintainers to do the right thing. How much to trust upstream or how much to review code yourself of course depends on both who is the upstream and how critical the code is which uses third party code.

But blindly using npm, cpan, pip etc. to install modules can be dangerous and is against the spirit of using and writing secure code, see Small World with High Risks: A Study of Security Threats in the npm Ecosystem or Malicious Modules — what you need to know when installing npm packages.
