Ask Slashdot: Reviewing 3rd Party Libraries?

Posted by Soulskill
from the discovering-you-trusted-something-way-too-much dept.
Carcass666 writes "It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.

My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework."
  • by msobkow (48369) on Wednesday March 05, 2014 @05:55PM (#46413125)

    I don't check libraries for security vulnerabilities. I check websites for information about that, and to see how often the provider is refreshing the library with patches and fixes.

    If I don't get the feeling that they take their security seriously, I don't use the library. I'm not about to start testing every library of the OS that I build against, nor the Java stack itself. To do so is asinine unless you're in an extremely high security arena -- you have to start with a certain level of trust, and if you don't trust your vendor, don't use them.

    Besides, not one of the binary analysis tools I've ever heard of did a really good job. Even source code analysis can miss bugs. If it were possible to fully automate testing in such a fashion, testers wouldn't have jobs.

  • This sucks (Score:2, Insightful)

    by ChrisMaple (607946) on Wednesday March 05, 2014 @06:15PM (#46413321)
    Beta is worthless. I'm out of here, and it will be a long time until I even look here again.
  • Many Eyes (Score:4, Insightful)

    by Jaime2 (824950) on Wednesday March 05, 2014 @06:54PM (#46413723)
    Good security comes from a lot of people's testing and input. If you investigate a product, you will only be able to categorize it into two categories: "utterly craptastic" and "probably utterly craptastic". The only way to be assured of good quality is to use libraries that a lot of people use and have had success with. Don't bother looking at the binary, look at the reputation.
