Securing Open Source

The Lounge, tagged "help". 29 Posts 10 Posters 42 Views
#1 Member 14840496

The latest article on this issue states that it's not going to be cheap. I use VisualStudio without open source. If I need additional functionality I purchase it from a reliable vendor. Probably cheaper than trying to secure all that open source crap out there; and that's not counting any malware that has crept into your system from Billy-Bob's download. Pay me now or pay me later. ;)

#2 Kornfeld Eliyahu Peter

Member 14840496 wrote:

I use VisualStudio without open source.

So no .NET/Core... There are millions of open-source projects properly secured - instead of running away, learn them before use... There are full systems built on totally secure open-source code (Linuxes)... And it is entirely possible that with a paid product you actually will pay twice... payment is no guarantee of anything today...

"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012

"It never ceases to amaze me that a spacecraft launched in 1977 can be fixed remotely from Earth." ― Brian Cox

#3 Member 14840496

.NET is the VS framework. Don't use Core. VB, Delphi, VS, Telerik, DevExpress. And yes, you get what you pay for. Never heard of any of these products needing to spend money to make them secure. Been in IT for 28 years. Never had a problem worrying about open source malware because I simply do not use it. Just because SOME projects do not blow up, does not mean it should be the go-to source for code.

#4 OriginalGriff

The whole of the .NET framework is open source: Reference Source, so any .NET based software is unavailable to you ... which includes the C# compiler, and VS itself ...

"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!

#5 Member 14840496

Your link: "Browse the .NET Framework source code online, with search and navigation powered by Roslyn." You can browse lots of things, that doesn't mean you can do anything with the copy of VS I purchased from MS.

#6 Slacker007

One has to be careful with using open source code on mission critical projects and functionality, this I agree with. If you find open source code that fits your needs and through rigorous testing and analysis you have determined that it will work fine in Production, then I do not see the big deal. Our projects use a combination of pay to play software and open source.

#7 Member 14840496

How much time/money is lost in that rigorous testing and analysis?

#8 Kornfeld Eliyahu Peter

Clearly never bothered yourself with the truth... Telerik: Security vulnerabilities

"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012

"It never ceases to amaze me that a spacecraft launched in 1977 can be fixed remotely from Earth." ― Brian Cox

#9 Member 14840496

I stated the software used in projects I worked on. I did not buy Telerik and did not like having to use it; but since I was a contractor at the facility, and THEY bought it, I had no choice. With that said, I did recommend and purchase DevExpress. There is a difference between security flaws (which exist in everything, by the way) and deliberately downloading a package of (god-knows-what) from a (god-knows-where) site; and, unless you download the source code and spend time and money analyzing it, you have no idea what it contains.

#10 Maximilien

How much are you willing to lose in time/money if you do not do rigorous testing and analysis?

CI/CD = Continuous Impediment/Continuous Despair

#11 obermd

Slacker007 wrote:

If you find open source code that fits your needs and through rigorous testing and analysis you have determined that it will work fine in Production, then I do not see the big deal.

Until you have to go through that entire process again when a component is updated. Then it becomes a big deal to the C-Suite folks. The flaw in open source is that no one, and I mean no one, has a good dependency map of the open source in their systems. This translates into a component multiple layers down being updated for a security flaw and the users of that component don't even know it's in their systems. This is why the Log4J bugs are so insidious.

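The gap obermd describes, a component several layers down that nobody realises is in the system, is exactly what a transitive dependency map makes visible. The Python below is an added example, not code from this thread or from any project named in it: it walks a constructed lock-file-like structure, lists every path from the application's direct dependencies down to a named component, and reports which direct dependencies have to be updated when that deep component's resolved version falls inside an advisory's vulnerable range. All package names, versions and the advisory itself are constructed assumptions for illustration; none refers to a real package or a real advisory.

```python
"""Transitive dependency map over a constructed lock file.

Walks every path from an application's direct dependencies down to a named
component and reports which resolved versions fall inside a vulnerable range.
Package names, versions and the advisory are constructed for illustration.
"""
from collections import deque

# Constructed lock-file-like data: package -> (resolved version, direct deps).
# "app" is the root; "logging-core" is pulled in three layers down via two routes.
LOCKFILE = {
    "app":              ("1.0.0",  ["web-framework", "report-generator"]),
    "web-framework":    ("4.2.0",  ["json-parser", "logging-core"]),
    "json-parser":      ("2.9.1",  ["logging-core"]),
    "report-generator": ("0.8.3",  ["pdf-writer"]),
    "pdf-writer":       ("3.1.0",  ["json-parser"]),
    "logging-core":     ("2.14.1", []),
}

# Constructed advisory (not a real one): versions >= 2.0.0 and < 2.17.1 affected.
ADVISORY = {"package": "logging-core", "introduced": "2.0.0", "fixed": "2.17.1"}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, advisory):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def dependency_paths(lockfile, root, target):
    """Return every path root -> ... -> target as a list of package names.

    Depth-first walk that records the route taken; a package reached through
    several routes is reported once per route so each inclusion is visible.
    """
    paths = []
    stack = [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        if pkg == target:
            paths.append(path)
            continue
        for dep in lockfile.get(pkg, ("?", []))[1]:
            if dep in path:  # guard against cycles in a malformed lock file
                continue
            stack.append((dep, path + [dep]))
    return sorted(paths)


def transitive_closure(lockfile, root):
    """Set of every package reachable from root, directly or indirectly."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in lockfile.get(pkg, ("?", []))[1]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def affected_paths(lockfile, root, advisory):
    """Paths from root to the advisory's package, if its resolved version is vulnerable."""
    target = advisory["package"]
    if target not in lockfile or not is_vulnerable(lockfile[target][0], advisory):
        return []
    return dependency_paths(lockfile, root, target)


def direct_deps_to_update(lockfile, root, advisory):
    """Direct dependencies of root that pull in the vulnerable component."""
    return sorted({path[1] for path in affected_paths(lockfile, root, advisory)})


if __name__ == "__main__":
    print("reachable:", sorted(transitive_closure(LOCKFILE, "app")))
    for path in affected_paths(LOCKFILE, "app", ADVISORY):
        print(" -> ".join(path))
    print("direct deps to update:", direct_deps_to_update(LOCKFILE, "app", ADVISORY))
```

The point of recording whole paths rather than a flat set is the one obermd makes: the team that "owns" app may never have chosen logging-core, so the actionable output is which direct dependencies (here both of them) must ship a release before the fix reaches production. Bumping one route while the other still resolves the old version leaves the flaw in place.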
#12 Lost User

You need rigorous testing for any project, whether it contains open source components or not.

#13 Member 14840496

Of course you test your project. But in the case of VS, if I code using VS components, I assume that I do not have to test the components' code that I am using. Open source adds another layer of unknown code into an application, thus requiring double, triple, or however many pieces of open source code you are using; and this adds more rigorous testing on top of your project. I don't need that headache, especially in a RAD development project. Using VS is like building a car from a kit. Using open source (and I will add java in here simply because of the language itself) is like having to make the parts for the kit. People l-o-o-o-v-e that "free" stuff. :-D

#14 Lost User

Member 14840496 wrote:

I assume that I do not have to test the components' code

But you still need to test your usage of them. No different to using open source.

#15 Member 14840496

Usage yes. But open source comes from who knows, and can contain who knows what in the source. Some open source allows downloading the source. Why? So you can validate what's in it. I don't need to validate VS as to what's in it and I've been using it since 2001. So that's over 20 years. Again, I don't have to rigorously test a VS textbox. But you can bet if I downloaded an open source textbox, I would not feel comfortable unless I rigorously tested the textbox code. That's double work, and it's not a RAD development environment.

#16 theoldfool

Agreed. To make sure we are bullet proof, we only use Microsoft products. They have never been compromised.

>64 Some days the dragon wins. Suck it up.

#17 Member 14840496

Lots of systems get compromised. But that seems to be an almost unpreventable EXTERNAL cause. You are confusing external code contamination with purposeful internal injected code that YOU put into your system. YOU is not the same as THEM. So in essence, doubling odds. Instead of being inadvertently attacked from an external source, YOU actually downloaded the attack yourself. :rolleyes:

#18 RobertSF

Member 14840496 wrote:

But open source, comes from who knows, and can contain who knows what in the source.

But isn't that avoided by using only well-known open source projects? For example, I use Apache, MariaDB, PHP, and iText7. I doubt they have more security issues than anything by Microsoft. Of course, using LeeT2000's fork of any of those would be reckless.

#19 Member 14840496

Of course there are long time, well known items like iText7. But I am going by the original CodeProject topic today stating that there is a lot of time/money needed to secure open source. I use JavaScript in web apps. It's open source, but it's been around for years and comes from a single source. Plus, it's a language, not a tool/component. Apache has been around for years as well. And PHP, well let's just say it has a beard. There's a lot of stuff out there, as you pointed out. The creators make it sound good, but just who are they? Too many people see free and drool at downloading it.

#20 dandy72

Member 14840496 wrote:

unless you download the source code and spend time and money analyzing it, you have no idea what it contains.

That's a rather interesting argument to use against open source. You know more about what closed source contains without spending time and money analyzing it?

#21 dandy72

Member 14840496 wrote:

Open source adds another layer of unknown code into an application

...and closed source is "better known"? Or are you saying you bury your head in the sand and assume commercial, paid-for, closed source is inherently secure and you don't have to test it?