
Third Party Dependencies Standards · SEC-04

This document contains standards for consuming third-party libraries and other external dependencies.

Due diligence must be performed before introducing a new third-party dependency · SEC-04.1 · MUST · DEV/TEST

The due diligence must, at a minimum, cover the following questions (with an aim to answer “Yes” to every question):

  1. Is the dependency stable and popular (judged by metrics such as GitHub stars and download counts)?
  2. Is the dependency actively maintained (judged by metrics such as the number of contributors and the date of the last update)?
  3. Is the latest version secure (i.e. it has no unpatched vulnerabilities)?
  4. Is the dependency solving a well-scoped, common problem (e.g. Excel integration or date parsing)?
  5. Does the cost to build it ourselves outweigh the risk of importing it?
  6. Is the dependency solving a non-trivial problem, or one that is likely to evolve in future (i.e. it would be harder to write and maintain our own code)?
  7. Is the license acceptable for our intended use (e.g. copyleft licenses are generally to be avoided)?
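Questions 1, 2, 3 and 7 can be turned into an automated gate that runs before a dependency is admitted, leaving 4 to 6 for human judgement. The script below is an added illustration and not part of the standard; the thresholds, the license allow-list, the `DependencyMeta` record and the two sample dependencies are all assumptions constructed for the example.

```python
"""Policy-as-code gate for the SEC-04.1 due-diligence checklist (example, not the standard itself)."""
from dataclasses import dataclass, field
from datetime import date

# Thresholds and allowed licenses are assumptions for this example, not values from the standard.
MIN_STARS = 500
MIN_DOWNLOADS = 10_000
MIN_CONTRIBUTORS = 3
MAX_DAYS_SINCE_UPDATE = 365
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # copyleft (GPL, AGPL) deliberately absent
ASSESSMENT_DATE = date(2024, 6, 1)  # "today" for the worked example


@dataclass
class DependencyMeta:
    name: str
    version: str
    stars: int
    downloads: int
    contributors: int
    last_update: date
    license: str  # SPDX identifier
    unpatched_advisories: list = field(default_factory=list)  # advisories still open at `version`


def due_diligence_failures(dep, today):
    """Return the SEC-04.1 questions (1, 2, 3, 7) that the dependency fails; empty list means it passes.
    Questions 4-6 require human judgement and are deliberately not automated."""
    failures = []
    if dep.stars < MIN_STARS or dep.downloads < MIN_DOWNLOADS:
        failures.append("Q1: not demonstrably stable/popular")
    if dep.contributors < MIN_CONTRIBUTORS or (today - dep.last_update).days > MAX_DAYS_SINCE_UPDATE:
        failures.append("Q2: not actively maintained")
    if dep.unpatched_advisories:
        failures.append(f"Q3: unpatched advisories: {', '.join(dep.unpatched_advisories)}")
    if dep.license not in ALLOWED_LICENSES:
        failures.append(f"Q7: license {dep.license} not on allow-list")
    return failures


# Constructed sample records; these are not real projects or real advisories.
GOOD = DependencyMeta("dateparse-lib", "2.3.1", 4200, 250_000, 18, date(2024, 5, 2), "MIT")
STALE_COPYLEFT = DependencyMeta("xlsx-helper", "0.9.0", 120, 3_000, 1, date(2021, 1, 15),
                                "GPL-3.0-only", unpatched_advisories=["EXAMPLE-ADVISORY-0001"])

if __name__ == "__main__":
    for dep in (GOOD, STALE_COPYLEFT):
        problems = due_diligence_failures(dep, ASSESSMENT_DATE)
        print(dep.name, "OK" if not problems else problems)
```

In a real pipeline the `DependencyMeta` fields would be filled from the package registry and an advisory database rather than typed in by hand; the gate logic stays the same.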