Code Project
Securing Open Source

  • M Member 14840496

    Usage yes. But open source, comes from who knows, and can contain who knows what in the source. Some open source allows downloading the source. Why? So you can validate what's in it. I don't need to validate VS as to what's in it and I've been using it since 2001. So that's over 20 years. Again, I don't have to rigorously test a VS textbox. But you can bet if I downloaded an open source textbox, I would not feel comfortable unless I rigorously tested the textbox code. That's double work, and it's not a RAD development environment.

    RobertSF
    wrote on last edited by
    #18

    Quote:

    But open source, comes from who knows, and can contain who knows what in the source.

    But isn't that avoided by using only well-known open source projects? For example, I use Apache, MariaDB, PHP, and iText7. I doubt they have more security issues than anything by Microsoft. Of course, using LeeT2000's fork of any of those would be reckless.

      Member 14840496
      wrote on last edited by
      #19

      Of course there are long time, well known items like iText7. But I am going by the original CodeProject topic today stating that there is a lot of time/money needed to secure open source. I use JavaScript in web apps. It's open source, but it's been around for years and comes from a single source. Plus, it's a language, not a tool/component. Apache has been around for years as well. And PHP, well let's just say it has a beard. There's a lot of stuff out there, as you pointed out. The creators make it sound good, but just who are they? Too many people see free and drool at downloading it.

      • M Member 14840496

        I stated the software used in projects I worked on. I did not buy Telerik and did not like having to use it; but since I was a contractor at the facility, and THEY bought it, I had no choice. With that said, I did recommend and purchased DevExpress. There is a difference between security flaws (which exist in everything by the way) and deliberately downloading a package of (god-knows-what) from a (god-knows-where) site; and, unless you download the source code and spend time and money analyzing it, you have no idea what it contains.

        dandy72
        wrote on last edited by
        #20

        Member 14840496 wrote:

        unless you download the source code and spend time and money analyzing it, you have no idea what it contains.

        That's a rather interesting argument to use against open source. You know more about what closed source contains without spending time and money analyzing it?

        • M Member 14840496

          Of course you test your project. But in the case of VS, if I code using VS components, I assume that I do not have to test the components' code that I am using. Open source adds another layer of unknown code into an application, thus requiring double, triple, or however many pieces of open source code you are using; and this adds more rigorous testing on top of your project. I don't need that headache, especially in a RAD development project. Using VS is like building a car from a kit. Using open source (and I will add Java in here simply because of the language itself) is like having to make the parts for the kit. People l-o-o-o-v-e that "free" stuff. :-D

          dandy72
          wrote on last edited by
          #21

          Member 14840496 wrote:

          Open source adds another layer of unknown code into an application

          ...and closed source is "better known"? Or are you saying you bury your head in the sand and assume commercial, paid-for, closed source is inherently secure and you don't have to test it?

            Member 14840496
            wrote on last edited by
            #22

            That's why you pay for VS from Microsoft who created VS in 2001 and has been in use now for over 20 years. Not some free stuff in GitHub, or a web site that is not usually a business, but could be a hacker sneaking something into the code, or not writing even ANY security into the code just to get their name to show up as a contributor, thus with hopes of landing more opportunities. Yes, I do not need to analyze VS. And in all the applications and web sites I have created over the past 13 years, never had a security breach, or had my sites hacked.

              Member 14840496
              wrote on last edited by
              #23

              Ummmm...yeah. :rolleyes: VS has been around for over 20 years. Sure, there is some open source that has been around for several years, like iText, Apache, etc. But there are tons of freeware out there that I would never touch, especially in an enterprise environment.

                dandy72
                wrote on last edited by
                #24

                Member 14840496 wrote:

                VS has been around for over 20 years.

                ...and every new version introduces a new set of bugs. It's a running joke around here at least on CP. So what are you trying to say here?

                  dandy72
                  wrote on last edited by
                  #25

                  Member 14840496 wrote:

                  Yes, I do not need to analyze VS. And in all the applications and web sites I have created over the past 13 years, never had a security breach, or had my sites hacked.

                  That you know of. Even if true, if you're honest with yourself as a developer, you wouldn't go out on a limb and make this sort of claim. And you seem to be confusing VS - a code editor - with libraries you use to build apps.

                    Member 14840496
                    wrote on last edited by
                    #26

                    Speak for yourself. I've been programming/developing with DataGeneral RDOS Basic, and from early Radio Shack PC days, DOS Basic, VB, Delphi, and on up to VS C#. I use/build my own libraries or purchase add-ons from companies like DevExpress.

                      dandy72
                      wrote on last edited by
                      #27

                      Anyone doing this for so long would therefore clearly know better than to believe they're infallible. Otherwise the only one getting fooled is looking right back at you in a mirror.

                        Member 14840496
                        wrote on last edited by
                        #28

                        I never said anything about being infallible. I've goofed up more times during my career than I care to remember. That has nothing to do with this topic. But if you want to move into the personal arena, please continue while I ignore your comments as you seem to be ignoring the topic. :|

                          dandy72
                          wrote on last edited by
                          #29

                          No thanks, I'm done. I just saw a squirrel.
