Here are a few things that apparently need to be stated:
- Any code that is distributed can be audited, closed or open source.
- It is easier to audit open source code because, well, you have the source code.
- Closed source software can still be audited using reverse engineering techniques such as static analysis (reading the disassembly) or dynamic analysis (using a debugger to walk through the assembly at runtime) or both.
- Examples of vulnerabilities published by independent researchers demonstrate 2 things: people are auditing open source software for security issues, and people are in fact auditing closed source software for security issues.
- Vulnerabilities published by independent researchers don't demonstrate any of the wild claims many of you think they do.
- No software of a reasonable size is 100% secure. Closed or open doesn't matter.
Closed source software can still be audited using reverse engineering techniques such as static analysis (reading the disassembly) or dynamic analysis (using a debugger to walk through the assembly at runtime) or both.
How are you going to do that if it’s software-as-a-service?
See the first bullet point. I was referring to any code that is distributed.
Yeah, there’s no way to really audit code running on a remote server with the exception of fuzzing. Hell, even FOSS can’t be properly audited on a remote server because you kind of have to trust that they’re running the version of the source code they say they are.
A lot of bad takes in here.
Ohhh, code that is distributed. The implication of that word flew over my head lmao, thanks for the clarification.