Ask Slashdot: Reviewing 3rd Party Libraries

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

Attend or create a Slashdot 20th anniversary party! DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Check out the new SourceForge HTML5 Internet speed test. ×

Submission + - Ask Slashdot: Reviewing 3rd Party Libraries

Submitted by Carcass666 on Tuesday March 04, 2014 @08:33PM

Carcass666 writes: It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.

My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.