I never said anything about being infallible. I've goofed up more times during my career than I care to remember. That has nothing to do with this topic. But if you want to move into the personal arena, please continue while I ignore your comments as you seem to be ignoring the topic. :|
Member 14840496
Posts
-
Securing Open Source -
Securing Open Source
Speak for yourself. I've been programming/developing with DataGeneral RDOS Basic, and from early Radio Shack PC days, DOS Basic, VB, Delphi, and on up to VS C#. I use/build my own libraries or purchase add-ons from companies like DevExpress.
-
Securing Open Source
Ummmm...yeah. :rolleyes: VS has been around for over 20 years. Sure, there is some open source that has been around for several years, like iText, Apache, etc. But there are tons of freeware out there that I would never touch, especially in an enterprise environment.
-
Securing Open Source
That's why you pay for VS from Microsoft who created VS in 2001 and has been in use now for over 20 years. Not some free stuff in GitHub, or a web site that is not usually a business, but could be a hacker sneaking something into the code, or not writing even ANY security into the code just to get their name to show up as a contributor, thus with hopes of landing more opportunities. Yes, I do not need to analyze VS. And in all the applications and web sites I have created over the past 13 years, never had a security breach, or had my sites hacked.
-
Securing Open Source
Of course there are long time, well known items like iText7. But I am going by the original CodeProject topic today stating that there is a lot of time/money needed to secure open source. I use JavaScript in web apps. It's open source, but it's been around for years and comes from a single source. Plus, it's a language, not a tool/component. Apache has been around for years as well. And PHP, well let's just say it has a beard. There's a lot of stuff out there, as you pointed out. The creators make it sound good, but just who are they? Too many people see free and drool at downloading it.
-
Securing Open Source
Lots of systems get compromised. But that seems to be an almost unpreventable EXTERNAL cause. You are confusing external code contamination with purposeful internal injected code that YOU put into your system. YOU is not the same as THEM. So in essence, doubling odds. Instead of being inadvertently attacked from an external source, YOU actually downloaded the attack yourself. :rolleyes:
-
Securing Open Source
Usage yes. But open source, comes from who knows, and can contain who knows what in the source. Some open source allows downloading the source. Why? So you can validate what's in it. I don't need to validate VS as to what's in it and I've been using it since 2001. So that's over 20 years. Again, I don't have to rigorously test a VS textbox. But you can bet if I downloaded an open source textbox, I would not feel comfortable unless I rigorously tested the textbox code. That's double work, and it's not a RAD development environment.
-
Securing Open Source
Of course you test your project. But in the case of VS, if I code using VS components, I assume that I do not have to test the components' code that I am using. Open source adds another layer of unknown code into an application, thus requiring double, triple, or however many pieces of open source code you are using; and this adds more rigorous testing on top of your project. I don't need that headache, especially in a RAD development project. Using VS is like building a car from a kit. Using open source (and I will add Java in here simply because of the language itself) is like having to make the parts for the kit. People l-o-o-o-v-e that "free" stuff. :-D
-
Securing Open Source
I stated the software used in projects I worked on. I did not buy Telerik and did not like having to use it; but since I was a contractor at the facility, and THEY bought it, I had no choice. With that said, I did recommend and purchased DevExpress. There is a difference between security flaws (which exist in everything by the way) and deliberately downloading a package of (god-knows-what) from a (god-knows-where) site; and, unless you download the source code and spend time and money analyzing it, you have no idea what it contains.
-
Securing Open Source
How much time/money is lost in that rigorous testing and analysis?
-
Securing Open Source
Your link: Browse the .NET Framework source code online, with search and navigation powered by Roslyn. You can browse lots of things, that doesn't mean you can do anything with the copy of VS I purchased from MS.
-
Securing Open Source
.NET is the VS framework. Don't use Core. VB, Delphi, VS, Telerik, DevExpress. And yes, you get what you pay for. Never heard of any of these products needing to spend money to make them secure. Been in IT for 28 years. Never had a problem worrying about open source malware because I simply do not use it. Just because SOME projects do not blow up, does not mean it should be the go-to source for code.
-
Securing Open Source
The latest article on this issue states that it's not going to be cheap. I use Visual Studio without open source. If I need additional functionality I purchase it from a reliable vendor. Probably cheaper than trying to secure all that open source crap out there; and that's not counting any malware that has crept into your system from Billy-Bob's download. Pay me now or pay me later. ;)
-
I'm fairly old fashioned at times ... but should I embrace unit testing?
Unit testing tests for code that is primal and isn't the cause of problems. Test that the value I passed you is a bool. What does cause problems are things like Excel cells that are missing or contain the wrong data. Data configurations that you did not plan/account for. Users that do things you did not think they would ever do. Exceptions you missed that blew up the app. And let's not forget that you are writing test code to test your code. :wtf:
-
Software Development is not a people management business
All correct, and I have been programming since 1983. I quit a job of 9 years in a large company because of Agile's kindergarten practices adopted by higher management being sold that this crap is going to make everything better.....not. But instead of joining that nonsense I found an IT programming job in a smaller company where RESULTS are the primary factor, not kindergarten nonsense.
-
Unnoticeable yet awesome new C# feature
Looks more like SQL or Basic. I hope this doesn't keep seeping into other statements. Like:
if(myBool is not false) {}
if(thisString does not contain("yipes!")) {}
if(myString contains("hello") then change it to "goodbye".
var myVar = "a variable" END OF STATEMENT
The more "stuff" you add to a statement, the more likely that (1) more mistakes will occur, (2) Intellisense will overflow and stop working, and (3) the compiler will choke to death.
-
JOE PROCOPIO - Mr. No-Code -
JOE PROCOPIO - Mr. No-Code
I just read the article by JOE PROCOPIO declaring that those who pooh-pooh no-code/MVP are just haters. But you have to bear in mind that JOE PROCOPIO created and sells a no-code product. So of course he would write an article like this. He also declares that he really doesn't care what anyone thinks about no-code. That he was a long time coder himself and saw the light. To be fair, there are a few no-code products. Most are done and have survived over decades; usually done by large companies like Microsoft. Excel is a prime example. But those kinds of successes are relatively rare. I won't get into the overuse/abuse of business users using Excel sheets as a database. On the other hand, I am not so sure JOE PROCOPIO is either aware, or had to confront, products purported to be low/no-code products that were a disaster - as I pointed out in an earlier discussion - BizTalk, also created by Microsoft; just to mention a few. Lastly I need to point out, again, that these no-code tools almost always get pushed back to IT with requests for changes/additions/enhancements; and that's where the rubber does not meet the road. This side of his article leaves this issue out. And as he states in his article, I am saying that I don't care what these no-code companies or Joe says, I will find it simply too hard to believe that this never happens. And my question would be - 'Will the request for change(s)/enhancement(s) be for free'? The usual response by these companies is 'We will evaluate change requests in the coming future versions. Thank you for your input'.
-
Windows 11
What happened to Ctrl+C, Ctrl+X, and Ctrl+V??? Is it there, and if not, why not? If so, then who cares?
-
CEO/CIO Bloatware
Yep. Been there. Just a tip from someone who learned the hard way - if you need to use jScript, stay away from jQuery. You can run into version issues. Online samples all have different jQuery file versions, and they can conflict with something else you may be using. Yes, there are ridiculous work-arounds for version conflicts, but they are both confusing, and several I tried did not work, whereas jScript does not have version issues - at least that I have found. Its statements are slightly more complex, but will save you trying to figure out why a certain jQuery function you used before suddenly isn't working now.