Clean Up Your Code Libraries | Q&A with Jim Manico
May 4, 2021
Jim Manico is the author of "Iron-Clad Java: Building Secure Web Applications" and founder of Manicode Security, which trains software developers in secure coding.
Recent reports that the Codecov Bash Uploader was infected with malware intended to steal developers' credentials are further proof that sophisticated attackers target developers through their code repositories and libraries.
This puts the onus on third-party developers to protect their code libraries, asserts Jim Manico, author of "Iron-Clad Java: Building Secure Web Applications" and founder of Manicode Security, which trains software developers in secure coding. That protection starts with assessing your libraries and removing those you don't need and are not using.
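One concrete way to start the assessment Manico describes is to compare what a project declares as dependencies against what its code actually imports. The script below is an added illustration, not code from the article or from Manicode; it works on a constructed requirements.txt and two constructed source files embedded inline, and the distribution-to-import-name table it uses is an assumption for the example (a real audit would read installed package metadata instead).

```python
"""Find declared third-party dependencies that no source file imports.

Added illustration (not from the article): a minimal audit that compares a
requirements.txt against the import statements actually present in a code
base, so that unused libraries can be pruned before they become legacy debt.
"""
import ast
from typing import Dict, List, Set

# Constructed sample requirements.txt. 'beautifulsoup4' and 'lxml' are the
# kind of leftovers an audit should surface: declared, never imported.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pyyaml>=6.0
flask
lxml ; python_version >= "3.8"
# left over from an old prototype
beautifulsoup4
"""

# Constructed sample source files (path -> contents).
SAMPLE_SOURCES = {
    "app/main.py": "import flask\nfrom requests import get\n\napp = flask.Flask(__name__)\n",
    "app/config.py": "import yaml\nimport os.path\n\ndef load(p):\n    return yaml.safe_load(open(p))\n",
}

# Distribution name -> top-level import name where the two differ.
# Assumption for this example; a real audit would read top_level.txt/RECORD
# from the installed package metadata instead of a hand-kept table.
IMPORT_NAME_OVERRIDES = {
    "pyyaml": "yaml",
    "beautifulsoup4": "bs4",
}


def parse_requirements(text: str) -> List[str]:
    """Return normalized distribution names from requirements.txt content."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        line = line.split(";", 1)[0]             # drop environment markers
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "["):
            line = line.split(sep, 1)[0]         # drop version specs / extras
        names.append(line.strip().lower().replace("_", "-"))
    return names


def imported_top_level_names(source: str) -> Set[str]:
    """Collect top-level module names imported by one Python source file."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            found.add(node.module.split(".")[0])  # skip relative imports
    return found


def import_name_for(dist: str) -> str:
    """Map a distribution name to the module name code would import."""
    return IMPORT_NAME_OVERRIDES.get(dist, dist.replace("-", "_"))


def unused_dependencies(requirements: str, sources: Dict[str, str]) -> List[str]:
    """Declared distributions whose import name appears in no source file."""
    used: Set[str] = set()
    for content in sources.values():
        used |= imported_top_level_names(content)
    return [d for d in parse_requirements(requirements)
            if import_name_for(d) not in used]


if __name__ == "__main__":
    for dist in unused_dependencies(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES):
        print(f"declared but never imported: {dist}")
```

On the constructed inputs the audit flags `lxml` and `beautifulsoup4`. A static check like this is a starting point only: dependencies pulled in by plugins, entry points or dynamic imports will not show up in the AST, so a flagged library is a candidate for review, not an automatic removal.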
"We all have this third-party library legacy debt. It's in every organization that builds software now. I'm saying be judicious in your use of third-party libraries," he suggests.
Training developers to program more securely, with awareness of interdependencies, is easier if the library sources are clean. And to support developers' workflow, testing and feedback loops should operate at the speed the developers do, or "lightning fast" with an acceptable level of accuracy, Manico says.
- Manico is co-founder of the LocoMoco Security Conference for Hawaiian techies, usually held in late fall (the 2021 schedule is in flux due to COVID-19).
- He is also a lead on OWASP's ASVS (Application Security Verification Standard) Web Testing Guidelines.