Should developers trust third-party source code?

I am going to sound like a grumpy old git now, but when I first started developing software the source code was shipped with third-party components - Visual Basic Apps (VBA) that later became ActiveXs (OCX) - which enabled developers to patch bugs, etc. When Microsoft introduced ActiveX components - pre-built chunks of code that saved hours of programming - they stopped the release of source code, and that for me was the death of third-party components.

The death of third party components: Why?

I had spent 18 months developing a system for the Mechanical & Engineering (M&E) sector that was used by the East India Dock Company and the Millennium Dome, amongst others. Part of the application provided the functionality enabling users to import Computer Aided Design (CAD) drawings and then create hotspots to items of plant maintained by the facilities management departments. Having developed (and extended) the functionality of the ActiveX component that enabled me to import and manipulate the CAD drawings, we shipped the solution out to over a thousand sites across Europe (oh, those were the days)!

One happy boss, until a few days later when we discovered a memory leak in the component that would gobble memory as if it was going out of fashion, in certain circumstances that had not been picked up during User Acceptance Testing (UAT), as it only happened when importing three-dimensional CAD drawings, which were relatively new back in the nineties. We went back to the component supplier, who said that the original developers had sold the component to a company in the States. At first this didn't concern us, but as things unfolded we discovered that the new owners had no intention of developing it, but instead were putting the entire component in mothballs as they had developed their own. We had to find a new component and completely re-write every area in which it had been used, which took months!

This was back in the day when we had to write the source code, compile it, test it and then send it to a company that would create the installation discs before shipping to over a thousand sites ...

Lesson learnt!

As a result I became very cautious when selecting third-party components, and as development moved towards web-based solutions I became even more wary. During 2010 - 11 we developed a cash flow forecasting system for a chartered accountant, using J2EE (Java). As a development team we had to learn Java from the ground up, and although one of our developers had written his thesis in Java his knowledge was limited, so we set to learning it together. We wanted to create a spreadsheet-style user interface with some sophisticated functionality that matched the business requirements, and having looked at various pre-built Java components we decided to write our own table component; best thing we ever did!


Whilst writing the component, we discovered a number of articles and examples that just didn't work! We ended up trusting one source, which had been thoroughly tested and caused few issues. The problem was that everyone was scrabbling around for answers and younger programmers "Google" everything!

When you blindly trust a third party, you lack any understanding of how something works, and that's why we see more and more issues with software developers who implicitly trust third-party services, components or source code. It's just damned lazy and unprofessional ...

So perhaps you'll understand my utter frustration when I scanned the headlines - on Reuters - this morning on my Blackberry and this caught my eye:


Now, I'm not having a go at Twilio Inc per se (woe betide me, casting the first stone and all that), but when will developers learn there ain't no such thing as a short cut! I am not against using third-party services, etc., but you need to do your homework to ensure it is a trusted source and to continually re-evaluate it! As a business we invested hundreds of man-days developing our code base - Golem - that reduces the time spent re-writing source code (or worse still, copy / paste) for fundamental tasks and procedures like sending an email, opening a database or even creating a user interface. We used to see it as a sales pitch, telling clients it enabled us to get projects developed quicker than our competitors. A few years later (circa 2005) we saw a proliferation of frameworks like Symfony that aim to speed up the creation and maintenance of web applications and to replace repetitive coding tasks, which was what Golem does, although we had created the first version a couple of years earlier. Prospects used to ask me if the project would be cheaper as a result; "no" was my answer, but it enabled us to focus on the User eXperience (UX) and the Graphical User Interface (GUI), which meant they got a more intuitive solution! Boom! Boom!

Anyway, I digress, so let me get to my point.

Software developers, and businesses hiring software development teams, need to ensure that they do their due diligence when using third-party services, components, plug-ins or source code, to avoid introducing security loopholes into their carefully crafted applications or risking data breaches, which will become all the more relevant when GDPR comes into force next May. There's no such thing as a free lunch and there certainly isn't a short cut in software development, so do your due diligence and undertake User Acceptance Testing (UAT) as well as penetration testing before launching your application to a world full of hungry hackers!

Date: 10/11/2017
