
Slashdot: News for Nerds


Ask Slashdot: Reviewing 3rd Party Libraries?

Soulskill posted about 5 months ago | from the discovering-you-trusted-something-way-too-much dept.

Programming 88

Carcass666 writes "It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.

My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework."


88 comments

Open source (1)

Anonymous Coward | about 5 months ago | (#46413083)

Easy: use open source libraries.

Source code can come with proprietary libs ... (1)

perpenso (1613749) | about 5 months ago | (#46413527)

Easy: use open source libraries.

Yes, having the source code to a library is very important. However, open source is not the only way to go. Source code can come with proprietary libraries. Some commercial vendors of proprietary libraries offer binary-only licenses and more expensive source code licenses. I've had more than one reluctant manager come to realize that the extra expense of the source license was absolutely worth it. We fixed some bugs that affected our project, gave the fixes back to the vendor and found our fixes incorporated into their source code.

Re:Source code can come with proprietary libs ... (1)

retchdog (1319261) | about 5 months ago | (#46413775)

What a great feeling it must be to pay extra for the privilege of fixing their bugs for them. Did they at least give you a discount? (Rhetorical question; I know they didn't.)

Re:Source code can come with proprietary libs ... (2)

perpenso (1613749) | about 5 months ago | (#46414661)

What a great feeling it must be to pay extra for the privilege of fixing their bugs for them. Did they at least give you a discount? (Rhetorical question; I know they didn't.)

We paid for the privilege of not being dependent upon them, of controlling our fate. Our barely-on-time project only lost two days. It was a win-win.

Re:Source code can come with proprietary libs ... (0)

Anonymous Coward | about 5 months ago | (#46414959)

The point being that you paid extra to get the source and *then* not give you anything back for improving their product. I'm hoping they weren't that ungrateful.

One user helping another also happens in non-FOSS (2)

perpenso (1613749) | about 5 months ago | (#46416153)

The point being that you paid extra to get the source and *then* not give you anything back for improving their product. I'm hoping they weren't that ungrateful.

We paid for a library that was useful and saved us time. We paid extra to not be dependent. We contributed back our fixes to help other users of the library and to simplify things when we got an update. In those updates, some bugs were fixed by the developer of the library, others were fixed by other customers.

Did you think that one user can only help another user in the FOSS world? One user can help another as long as they have access to source, and such access does not require FOSS.

Re:One user helping another also happen in non-FOS (0)

Anonymous Coward | about 5 months ago | (#46417089)

I'm with perpenso on this one. If you can have this kind of cordial relationship with a vendor and you can all work to benefit yourselves and others, why wouldn't you?

Just because it's "proprietary" software (libraries or whatnot) doesn't mean there can't be a two-way contribution between those involved. In this case the vendor is "nice enough" to provide access to their source code, as not all vendors do, and they seem to have the procedures in place to accept modifications coming from the customers' side. Whether the customers' contributions (perpenso's in this case) are acknowledged or not will depend on whatever licensing scheme or agreement they had working beforehand. If it was me, I would have given a discount on future purchases or a (partial) refund on the price paid for access to the code as a thank-you for their help... maybe they did too.

FOSS has the mechanisms to do this sort of thing already built in, and it's encouraged far, far more than in the "proprietary" world, but that doesn't mean *everybody* does it. In fact, I remember seeing a talk [youtube.com] given at Google by a Linux kernel developer who's employed at Red Hat (IIRC) where he mentioned (around the 22 minute mark) that Canonical was one of the companies that gave the least back to the Community in terms of code, and I'm willing to accept Canonical was still acting within the licenses for the code they were using.

Re:One user helping another also happen in non-FOS (0)

Anonymous Coward | about 4 months ago | (#46475593)

They are nice enough to charge extra for it.

If you are doing work that benefits a for-profit company and you aren't getting paid you are pants-on-head retarded.

Re:One user helping another also happen in non-FOS (0)

Anonymous Coward | about 4 months ago | (#46475437)

It just shows how retarded you and your company are.

Paying extra for source? Well, I guess but it is stupid. The source should come at the normal price, it is not like it costs them any more money.

You guys being able to fix the problem. Yay? Welcome to the Floss world.

Giving the fixes back to the company you paid? Absolutely retarded.

Re:Source code can come with proprietary libs ... (1)

Carcass666 (539381) | about 5 months ago | (#46414025)

In this particular case, the library is a component of a deployed system (put into place before I got here) for inventory management. The library is the "documented" way to be able for our website to be able to query the system and to be able to perform operations on the inventory (take some out of stock, put some back in, etc.). I could deal with the database directly, but then I don't have any guarantee that I am implementing the same business logic as the library. This particular vendor is very touchy about their proprietary code (and, after seeing a bit how it is built, I can certainly see why).

So, I guess the point I'm trying to make is sometimes, you're screwed, and you have to deal with the mess somebody else made. At least, that's where I'm at right now...

Re:Open source (1)

arglebargle_xiv (2212710) | about 5 months ago | (#46414687)

Easy: use open source libraries.

Yep, like GnuTLS, or Apple's SSL implementation. You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.

Re:Open source (1)

grcumb (781340) | about 5 months ago | (#46415273)

Easy: use open source libraries.

Yep, like GnuTLS, or Apple's SSL implementation. You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.

I remember back in 2008, when the Debian OpenSSL package was found to have a gaping hole in it. I was fascinated by the fact that it had been able to lie there, dormant, until it was discovered and immediately fixed. By rights, the damage should have been widespread.

Back then, I wrote [imagicity.com] :

My hypothesis – sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code.

So, perversely, yeah: The fact that the GnuTLS hole remained unnoticed for yonks is -weirdly- an argument for using open source libraries. Notwithstanding the fact that the vulnerability remained unpatched for years, it appears to have remained pretty much unexploited for the same period of time.

When processes are perceived to be robust, by black hat and white hat alike, then the mere presence of trust in the system makes them more trust-able. (I won't say trustworthy, because hindsight shows us that they're not.)

Do you want your code to work all the time (1)

i kan reed (749298) | about 5 months ago | (#46413097)

If yes:
Only use language defined standard libraries and build everything else you need yourself, and even then trust but verify. The third party libraries are always going to be cobbled together.

If no:
Fuck it.

Re:Do you want your code to work all the time (1)

cheater512 (783349) | about 5 months ago | (#46413187)

And make sure you don't do an even worse job.

Re:Do you want your code to work all the time (1)

i kan reed (749298) | about 5 months ago | (#46413293)

No, they're all shit. The open source ones, if they're really popular and get a lot of eyeballs, are okay.

Re:Do you want your code to work all the time (1)

Anonymous Coward | about 5 months ago | (#46413679)

Agreed.

Libraries always have bugs (just like any other code) and pretty much always have crap documentation (just like any other code). The more obscure, the worse. Open or closed source is irrelevant, but open source ones tend to be more popular, ergo...
They also frequently enough do 95% of what you want, except for that key small bit the authors didn't think about that you only discover for a new feature, 6 months and 2 releases in, when you're pretty much wed to it.

At least with open source you can:
a) figure out what it does;
b) fix the bugs, or at least find out why it doesn't work and work around it;
c) change it so it does what you need.

Re:Do you want your code to work all the time (1)

cyber-vandal (148830) | about 5 months ago | (#46413699)

Cool I'll just get started on reimplementing OpenSSL.

Re:Do you want your code to work all the time (0)

Anonymous Coward | about 5 months ago | (#46415247)

You can't do any worse than Debian's flunky maintainer of OpenSSL did years ago.

Short answer: I don't (4, Insightful)

msobkow (48369) | about 5 months ago | (#46413125)

I don't check libraries for security vulnerabilities. I check websites for information about that, and to see how often the provider is refreshing the library with patches and fixes.

If I don't get the feeling that they take their security seriously, I don't use the library. I'm not about to start testing every library of the OS that I build against, nor the Java stack itself. To do so is asinine unless you're in an extremely high security arena -- you have to start with a certain level of trust, and if you don't trust your vendor, don't use them.

Besides, not one of the binary analysis tools I've ever heard of did a really good job. Even source code analysis can miss bugs. If it were possible to fully automate testing in such a fashion, testers wouldn't have jobs.

Re:Short answer: I don't (1)

bill_mcgonigle (4333) | about 5 months ago | (#46413345)

I'm not about to start testing every library of the OS that I build against, nor the Java stack itself.

Which is sane, but if you use an open source OS and an open source Java stack, there are other people doing that kind of testing, and even more importantly, social pressure for the developers, because they know other people will be looking.

If you're using a secret-source library, then you're completely at the developer's mercy (though your OS can detect certain atrocious behaviors). Like a sibling post mentioned, make sure you can sue them if they screw up and you get hit because of it. Liability is another way to place social pressure on developers.

If it's secret source *AND* you sign away your right to sue, then you'd better tell your insurance agent, and be prepared to pay dearly for the coverage. That library has got to be essential and/or irreplaceable to put yourself in that kind of risk stance.

Re:Short answer: I don't (1)

Desler (1608317) | about 5 months ago | (#46415269)

Which is sane, but if you use an open source OS and an open source Java stack, there are other people doing that kind of testing, and even more importantly, social pressure for the developers, because they know other people will be looking.

That's funny since there was plenty of "social pressure" on GnuTLS about its crappy code and yet it had unfixed security flaws for most of a decade.

Re:Short answer: I don't (1)

bill_mcgonigle (4333) | about 4 months ago | (#46421103)

That's funny since there was plenty of "social pressure" on GnuTLS about its crappy code and yet it had unfixed security flaws for most of a decade.

You'll notice that FileZilla is the only major app [archlinux.org] that uses it for online work, and that's mainly used by Windows people.

The 'society' knew to use openssl.

Re:Short answer: I don't (1)

drolli (522659) | about 5 months ago | (#46416815)

That is an illusion. I have seen open source code which looks like shit if you take 10 minutes to look into it. I have seen worse closed-source, though, but I have also seen great closed source code.

If you really need to have a look at a closed-source lib, you can sign a license agreement with the company in question.

Re:Short answer: I don't (1)

bill_mcgonigle (4333) | about 4 months ago | (#46421549)

I have seen open source code which looks like shit if you take 10 minutes to look into it.

Of course you have - anybody can open source anything.

Have you seen major, mature, popular projects with code that looks like shit?

Re:Short answer: I don't (1)

drolli (522659) | about 4 months ago | (#46434037)

Major and popular: yes, one or two. And don't expect me to go into the details. Look for yourself.

Typical sicknesses to look out for in open source code:
-bad glue code
-missing or ill-defined tests
-lack of documentation
-code which the current maintainer imagined to start a new coding style (and misestimated the work associated with this)

Still, I have to admit, the worst open source I have seen comes from commercial projects open sourced at some point.

Re:Short answer: I don't (0)

Anonymous Coward | about 4 months ago | (#46477127)

So what you are saying is that you can't name them?

Re:Short answer: I don't (1)

plover (150551) | about 5 months ago | (#46413357)

About the only way to deal with third party libraries is through the terms of the contract. If you agree to license it, you're going to hold them responsible for security violations. Perhaps you stipulate they must run their code through a designated scanner like Fortify or Klocwork and they must agree to fix all critical or severe errors, or that they undergo an annual independent code review.

If all that seems like it's too heavy handed for a simple library, just wait till you get hacked. That's a lot more expensive.

Do not use FXcop as any promise of quality. (1)

TiggertheMad (556308) | about 5 months ago | (#46414391)

One thing that the OP said that I found to be kind of disconcerting: FXcop was a pretty crappy tool. It could spot some odd code patterns in syntax, but it cannot detect 'good' code. I could implement a bubble sort function that FXcop would give a giant gold star to. Weird syntax might be worth looking at to see if there are underlying problems, but that is about it.

Re:Short answer: I don't (1)

mr3038 (121693) | about 5 months ago | (#46417635)

I don't check (I prefer the word "review" or "audit" here) the libraries for security vulnerabilities before I start using them. However, I only accept libraries that come with the source and I do a cursory review of the code with a question in mind:

"Would I be willing to fix a bug in this library if the original author were not willing to fix it?"

Only if the code looks sane enough that I can answer "yes" do I even start using the library. And the security is only a small part of the picture here! If the library does anything important within the product, any major bug in its behavior will cause major issues for my product, too. If I cannot (at least in theory) fix the library, I'm not going to use it.

I might use a closed source library for some totally optional feature in the product but even in that case I'd keep looking for another solution with the source. And with "optional feature" I mean something that can be disabled or removed if any evidence comes up for the library having a security issue.

Reflector (0)

Anonymous Coward | about 5 months ago | (#46413139)

Use Reflector for .NET. It used to be free, but it's still very much worth the cost. I use it quite often to point out bugs that are causing us problems in vendor libraries.

Re: Reflector (0)

Anonymous Coward | about 5 months ago | (#46413497)

Agree! .NET Reflector by RedGate is an amazing tool; it's not free anymore ;( though... I believe it has a trial period though... Also try digging through the rest of the MS tools, some good stuff hidden in there.

Re:Reflector (0)

Anonymous Coward | about 5 months ago | (#46414101)

Totally agree, I use .NET Reflector regularly. But using it to show 3rd parties how to fix their bugs doesn't necessarily get 3rd parties to fix their bugs. e.g.: Microsoft's CSV Renderer bugs in SSRS, such as them failing to assign the result of String.Replace() operations when quoting fields with quotes and line breaks.

Reflector is the way to go (1)

Xoc-S (645831) | about 5 months ago | (#46414931)

FXCop (now incorporated as Code Analysis) is not a security tool. It looks for bad coding practices not malicious software. This might catch some stuff in the process, but it is not the main purpose.

On the other hand, Red Gate's Reflector decompiles the code into C#, VB.NET, F#, IL, or MC++. You can then look for malicious code. I mainly look for code accessing classes in the System.IO namespace, System.Web, System.Net, or similar namespaces, because these are the ones that are likely to either mess with existing files or connect to the Internet.

You can use the ILDASM (Intermediate Language Dis-assembler) program that comes with the .NET Framework, but it only decompiles into intermediate language (IL). This is enough to find the calls, but most people are not adept at reading IL.

Reflector is worth every penny. Besides looking for security problems, I use it all the time to figure out what the Framework is really doing, fix bugs in other people's libraries, sign code that wasn't signed originally, translate VB.NET code to C#, etc. (To translate code, compile it in one language and decompile it with Reflector into the other.)
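The namespace triage the post above describes, as an added example that is not from the thread or from Reflector: a small Python script that walks ILDASM-style text output and flags every call, callvirt or newobj whose target type sits under a watch-listed namespace (System.IO, System.Net, System.Web, plus System.Data, System.Diagnostics.Process and System.Reflection). The IL sample is constructed, and the watch list and category names are this example's own choices.

```python
import re
import sys
from collections import Counter

# Namespaces worth a closer look when triaging a decompiled assembly.  Keyed by
# type-name prefix: anything under them touches files, the network, the web
# stack, a database, spawns processes or loads code dynamically.
WATCHLIST = {
    "System.IO": "file system",
    "System.Net": "network",
    "System.Web": "web stack",
    "System.Data": "database",
    "System.Diagnostics.Process": "process launch",
    "System.Reflection": "dynamic loading",
}

# ".method public hidebysig instance string GetItem(int32 id) cil managed"
METHOD_RE = re.compile(r"^\s*\.method\b.*?([\w.]+)\(")
# "IL_0006:  call  void [mscorlib]System.IO.File::AppendAllText(string, string)"
CALL_RE = re.compile(
    r"\b(call|callvirt|newobj|ldftn|ldvirtftn)\s+.*?"
    r"\[(?P<asm>[^\]]+)\](?P<type>[\w.`$]+)::(?P<member>\.?\w+)"
)

# Constructed sample in ILDASM's text format; not taken from any real assembly.
SAMPLE_IL = r"""
.method public hidebysig instance string GetItem(int32 id) cil managed
{
  IL_0000:  ldstr      "SELECT * FROM Items WHERE Id = "
  IL_0005:  ldarg.1
  IL_0006:  box        [mscorlib]System.Int32
  IL_000b:  call       string [mscorlib]System.String::Concat(object, object)
  IL_0010:  newobj     instance void [System.Data]System.Data.SqlClient.SqlCommand::.ctor(string)
  IL_0015:  ret
}
.method private hidebysig instance void Phone(string payload) cil managed
{
  IL_0000:  newobj     instance void [System]System.Net.WebClient::.ctor()
  IL_0005:  ldstr      "http://example.invalid/collect"
  IL_000a:  ldarg.1
  IL_000b:  callvirt   instance string [System]System.Net.WebClient::UploadString(string, string)
  IL_0010:  pop
  IL_0011:  ret
}
.method public hidebysig instance void Log(string msg) cil managed
{
  IL_0000:  ldstr      "C:\\temp\\app.log"
  IL_0005:  ldarg.1
  IL_0006:  call       void [mscorlib]System.IO.File::AppendAllText(string, string)
  IL_000b:  ret
}
"""


def scan_il(il_text, watchlist=WATCHLIST):
    """Return one finding per call into a watch-listed namespace.

    Each finding records the enclosing .method, the callee (Type::Member) and
    the watch-list category.  Plain IL opcodes such as ldstr or box are ignored;
    only instructions that reference a method token are examined.
    """
    findings = []
    current = "<module>"
    for line in il_text.splitlines():
        header = METHOD_RE.search(line)
        if header:
            current = header.group(1)
            continue
        call = CALL_RE.search(line)
        if not call:
            continue
        type_name = call.group("type")
        for prefix, category in watchlist.items():
            # Exact type match or anything nested below the prefix namespace.
            if type_name == prefix or type_name.startswith(prefix + "."):
                findings.append({
                    "method": current,
                    "callee": f"{type_name}::{call.group('member')}",
                    "category": category,
                })
                break
    return findings


def summarize(findings):
    """Count findings per category; a quick view of what the assembly reaches."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    # Usage: python scan_il.py dumped.il   (falls back to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IL
    for f in scan_il(text):
        print(f"{f['method']:<12} {f['category']:<15} {f['callee']}")
    print(dict(summarize(scan_il(text))))
```

A hit is a lead, not a verdict: every finding still needs the surrounding IL (or the decompiled C#) read to decide whether the file, socket or SQL command is reachable with attacker-influenced data.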

Re:Reflector is the way to go (1)

Kalriath (849904) | about 4 months ago | (#46423595)

Or if you don't want to pay for Reflector, you can use ILSpy [ilspy.net] (a free and open source .NET decompiler), dotPeek [jetbrains.com] (free, from the makers of ReSharper), or JustDecompile [telerik.com] (free, from Telerik).

open source only (1)

gbjbaanb (229885) | about 5 months ago | (#46413259)

IIRC FxCop is a source-code analyser.

There are others; Fortify 360 is one I used at a security-conscious company. But in all cases, they require the source code.

Though, to be fair, if you're using a 3rd party closed-source library, then you're at the provider's mercy and should go for other avenues of protection: if you can't see security updates coming regularly, then after-the-fact protection works: you sue them if it fails. Generally, you don't need to know the source for a closed-source library; it's a black box and should be treated as such.

Re:open source only (2, Informative)

Anonymous Coward | about 5 months ago | (#46413355)

IIRC FxCop is a source-code analyser.

No it is not.

FxCop is a free static code analysis tool from Microsoft that checks .NET managed code assemblies

http://en.wikipedia.org/wiki/FxCop

FxCop actually works pretty well for what was asked for. Microsoft hasn't failed to update FxCop; instead, they integrated it more into Visual Studio. You can also write your own rules if you have to keep it updated. I would follow the ASP.NET source code project on CodePlex; their build scripts integrate code analysis using NuGet and a few other MSBuild tricks, but I do not think they have it set up to scan another assembly. It can't be hard to configure it that way, however.

All that said, I think everyone else's advice is better.

Limit your use of 3rd party libraries as much as possible, for many reasons, not least that upgrade paths can be difficult.
Use a tool like NuGet to make sure they are updated properly.
Follow the projects closely for changes.

The tooling for this is starting to mature (0)

Anonymous Coward | about 5 months ago | (#46413263)

Sonatype has been doing a lot of work in this area, but mostly on the Java side from what I can tell. I'm not sure if they are doing the kind of analysis you are referring to, but they are definitely focused on application security. They do, however, have qualitative and quantitative data that can be used as a (maybe) reasonable predictor for project quality -- e.g. How pervasive is the use of a particular open source project? There are some other vendors like Black Duck but they seem to be a lot more focused on licensing versus security, though they seem to be copying the language Sonatype has been using more recently. Not much experience with their stuff other than it's apparently not real developer friendly.

OWASP has tools (1)

Anonymous Coward | about 5 months ago | (#46413275)

Try OWASP's DependencyCheck tool. https://www.owasp.org/index.php/OWASP_Dependency_Check
It was originally built for Java, but they are starting to move towards .NET vulns as well. Good quality project and developers. The tool essentially tells you if there are publicly known vulns (CVEs).

Apart from that, various static analysis tools work on binaries, both commercial and open source. For Java open source, try PMD or FindBugs. For .NET, FxCop was what I would have recommended.

Write your own code and use FOSS (1)

turgid (580780) | about 5 months ago | (#46413287)

The more I see of other people's code, the more I am inclined to write and test my own. That way I know it works, and when it doesn't, I only have myself to blame. This isn't always possible because most tasks are way too big for a single person, so stick to well-used, well-understood, well-tested (in the real world) FOSS solutions. In general, closed-source vendor-proprietary code is dreadful.

Don't do it (-1, Offtopic)

LordNite (65590) | about 5 months ago | (#46413297)

De-compilation is at best a violation of your license to use the library, forfeiting your ability to use it, and at worst could be a violation of the anti-circumvention clause of the DMCA, which could land you in court or in jail.

Re:Don't do it (1)

wiredlogic (135348) | about 5 months ago | (#46413647)

Reverse engineering is legal in the US. If you only gain knowledge of internal workings and don't reproduce copyrighted or patented code then there are no damages a vendor can pin on you, even if it violates a restrictive license. The worst they can do is revoke the license and force your management to select a better vendor.

Re:Don't do it (0)

Anonymous Coward | about 5 months ago | (#46414829)

Doesn't matter. Whatever you do on your own computer to software on your own computer supersedes whatever the license says. Now if that software has to inter-operate with a server (as in the client-server relationship of a MMORPG) then you should think carefully about what you learn; it will come back to bite you very hard. It doesn't matter if the data you learn about is in the clear (e.g. text files, XML); the fact that you know about it and communicate to others about it violates the license.

Re:Don't do it (0)

Anonymous Coward | about 4 months ago | (#46476239)

Wrong corporate whore

This sucks (1, Insightful)

ChrisMaple (607946) | about 5 months ago | (#46413321)

Beta is worthless. I'm out of here, and it will be a long time until I even look here again.

Re:This sucks (1)

satuon (1822492) | about 5 months ago | (#46416731)

Is it still a thing? I get Slashdot classic right now, and I thought they had given up on this thing. See how it looks for me - http://imgur.com/k8JEJsU [imgur.com]

Re:This sucks (0)

Anonymous Coward | about 5 months ago | (#46417625)

Have you cleared cookies?

I got the impression that they remember your opt-out of beta and don't redirect you there after you have said no.
It is still an issue if you install a new browser or start up a new system.

Adoption (4, Interesting)

Dan East (318230) | about 5 months ago | (#46413331)

Committing to a 3rd party library is a lot like adopting a child. It's a long term commitment that's not easily broken, and you can't ever have a thorough understanding of what the relationship will be like ahead of time. I started a long post about the 3 main reasons for going with a 3rd party library, but decided to delete my long-winded rant. I'll just say that for the most part it comes down to saving time (and thus possibly money). You're rolling the dice and hoping at the end of the day (whenever that is - 5 years from now, 10 years from now?) simply utilizing a 3rd party library will have saved you time and money.

I think I have a hard time with commitment (as in platforms, OSs, and 3rd party libraries), and that's probably to do with the number of platforms I've been involved with over the years, and the number that are now dead and gone. If you are the type to embrace and commit (like "I love Microsoft and I love C# and I'm going to jump in with both feet and that will be my universe") then sure, go ahead and use as many 3rd party libraries as you can. If you hope to have any kind of future portability of your code (as in compiling versions for Windows, iOS, OSX, Android, Linux) then you are entirely at the mercy of those 3rd party libraries and what they will or won't support down the road. I mainly write code for myself (my own products I market), thus I consider the code I write as an investment. That is why I primarily use C++, because it is the only language I can create native applications in for all the platforms I just named (and more), and also why I look for public domain code or libraries with licensing and source code availability so I will know my future using that library is assured (I can build for other platforms, even if that means doing some work porting the code a bit).

I know that's not really answering your question ("How can I know if I can trust a 3rd party library"), and is more an answer to the question "Should I be using 3rd party libraries in the first place?"

Re:Adoption (1)

Anonymous Coward | about 5 months ago | (#46415741)

I'm pretty sure you can create native applications in C# for all the platforms you named.

Re:Adoption (0)

Anonymous Coward | about 4 months ago | (#46425621)

I'm pretty sure you don't know what the word "native" means in this context.

Java tools (2)

Guus.der.Kinderen (774520) | about 5 months ago | (#46413335)

Two tools that I use regularly to check Java artifacts: FindBugs: http://findbugs.sourceforge.ne... [sourceforge.net] OWASP Dependency Check: https://www.owasp.org/index.ph... [owasp.org]

HP Fortify (0)

Anonymous Coward | about 5 months ago | (#46415483)

I use FindBugs also, and then run it through HP Fortify once everything looks clean.

http://www8.hp.com/ca/en/software-solutions/software.html?compURI=1338812

Defensive in depth (1)

somedude69 (3564585) | about 5 months ago | (#46413347)

You don't use only one tool. Look at id Software for example (when Carmack worked there): they used three (3!) different static code analysis tools on their code, besides the compiler itself. That's quality, and that's something which attracts customers who are looking for quality.

Re:Defensive in depth (1)

somedude69 (3564585) | about 5 months ago | (#46413459)

Although, I would be happy if more than maybe 10% of all programmers cared about compiler errors and warnings at all. Static code analysis tools are the next step:
1. Make the code compile (what!!!, I'm not allowed to commit uncompilable code to my team mates???).
2. Make the code compile, without warnings (when it does, enable 'treat warnings as errors').
3. Make the code compile, without any analysis warnings.
4. Make all unit tests pass.
5. Make all system tests pass (in the test/staging environment).

Yes, using CI is of course something any developer *always* uses in the year 2014. Even when coding your own 'hello world'. Else you're doing it wrong(tm).

No source? (0)

thetagger (1057066) | about 5 months ago | (#46413361)

Sorry for the radical answer, but if you don't have the source code you should assume it's unsafe and backdoored.

Re:No source? (0)

Anonymous Coward | about 5 months ago | (#46414535)

Winner. Please close this discussion, nothing more needs to be said.

privatization strategy (-1, Offtopic)

globaljustin (574257) | about 5 months ago | (#46413365)

**Libraries work just fine**

you don't need TED-talk style "innovation"...the problem isn't with libraries...it's with the GOP politicians who gut their funding then say they are not popular, then hook up an "innovative" private company to do for 3x the cost to the taxpayer and less services than what the original library did

here's the steps:

1. Cut funding from library via policy (usually justified by a need for 'budget cuts')
2. People use library less b/c library can't offer as many services
3. Data shows people don't use the library as much b/c it lacks X services
4. GOP connected *private company* uses PR to place stories in local newspaper about "new tech innovation" that will make the library "cool" again
5. Local government gives private company multi-year contract
6. Politician gets kickback
7. Taxpayers get **less services** for **more money** with **less accountability**

that's it...that's what's happening here..."3rd Party Library" my ass

Re:privatization strategy (0)

Anonymous Coward | about 5 months ago | (#46413409)

Wow, just wow. I know the left is always on the attack and completely braindead, but....this is reaching new levels.

Re:privatization strategy (0)

Anonymous Coward | about 5 months ago | (#46413561)

Maybe he is a bot. That is actually a good topic to discuss but isn't what's being discussed here.

not a bot (1)

globaljustin (574257) | about 5 months ago | (#46414553)

i'm an idiot...not a bot...just an idiot

gotta be an all-time "did not read past the headline" situation for me...TFA is about...um software libraries

gah...sorry

Re:privatization strategy (0)

Jeff Flanagan (2981883) | about 5 months ago | (#46413809)

Why would you think "the left" is always on the attack and completely brain-dead when it's right-wing media that exists to keep idiots clueless, outraged, and hateful toward intelligent people?

"the left" you decry is just normal people from outside the ignorant right-wing bubble.

Write Your Own (0)

Anonymous Coward | about 5 months ago | (#46413371)

If the function is anything but trivial and not open source, have low level devs write it and get approved by a higher up. Then you know exactly what, how, and why. It gives you independence and you can fix problems on your schedule, and not have to work around 3rd party flaws found in the future. Especially important for db calls, etc. May seem like re-inventing the wheel but it will pay off in the long run. But if you only do quick and dirty programming I can see why you would think this a bad idea.

FYI: FxCop (4, Informative)

MobyDisk (75490) | about 5 months ago | (#46413421)

For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework

FxCop is still under active development and ships with Visual Studio 2010, 2012, and 2013. They merely changed the name to "Code Analysis"
http://blogs.msdn.com/b/visual... [msdn.com]

Fortify SCA (2)

dougTheRug (649069) | about 5 months ago | (#46413435)

In my day job I work for Fortify. You can contact the developers of this library and request that they use a static analysis product on their software, or request a security review from a 3rd party. We would for sure catch those SQL injections and more. But we would need the original source code. You can probe for things from the binary, but the results don't come back in a way that is very actionable for the developers. As for your predicament: I think you would be better off writing your own library, rather than putting the insecure one to work.

Sloppy type conversions (2)

wiredlogic (135348) | about 5 months ago | (#46413569)

Don't expect .NET decompilers to faithfully reproduce statements as they were in the original code. What you get is functionally equivalent to the original source but it will have been munged by two tools along the way. It isn't necessarily indicative of bad coding practices. Higher level deficiencies like the SQL processing cited will still be obvious and the tools won't impact poor design decisions.

Re:Sloppy type conversions (1)

Anonymous Coward | about 5 months ago | (#46413789)

This should be modded higher. Judging the code quality based on the disassembled code is almost impossible.

The compiler can make optimizations and reorder code based on what it knows is possible / impossible with the code paths. This can end up looking like very poorly written code even if what was originally written was very well structured and conforming to best practices.

Even string concatenation for SQL calls is not necessarily horrible depending on the types and / or validation performed. Assembling a SQL query to fetch a record by numeric id using string concatenation will not generally lead to a security vulnerability (assuming the numeric id being concatenated is an int object). Not best practices by any means, but also not the end of the world.
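The distinction the comment above draws, shown as an added C# example (not code from the thread or from any vendor library): concatenating a real int, concatenating a string that is merely expected to be numeric, and the parameterised form. The table and column names and the use of the classic System.Data.SqlClient provider are assumptions.

```csharp
// Added example, not from the thread: the three shapes of query building the
// comment above distinguishes. Table and column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;   // assumed: the classic ADO.NET SQL Server provider
using System.Globalization;

static class RecordLookup
{
    // Concatenating a genuine int: the only characters that can ever reach the
    // query text are digits and a leading minus sign, so there is no injection
    // path here. Still not best practice, as the comment says.
    public static string ByIntId(int id) =>
        "SELECT name FROM customers WHERE id = "
        + id.ToString(CultureInfo.InvariantCulture);

    // Concatenating a string that is merely *expected* to be numeric: whatever
    // the caller passes becomes part of the SQL verbatim. This is the pattern a
    // decompiled assembly would rightly be criticised for.
    public static string ByRawId(string id) =>
        "SELECT name FROM customers WHERE id = " + id;

    // Parameterised form: the value travels as typed data, never as SQL text,
    // and non-numeric input is rejected before any command is built.
    public static SqlCommand ByParam(SqlConnection conn, string id)
    {
        if (!int.TryParse(id, NumberStyles.Integer, CultureInfo.InvariantCulture, out var parsed))
            throw new ArgumentException("id must be an integer", nameof(id));

        var cmd = new SqlCommand("SELECT name FROM customers WHERE id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = parsed;
        return cmd;
    }

    static void Main()
    {
        Console.WriteLine(ByIntId(42));          // query text is fixed apart from the digits
        Console.WriteLine(ByRawId("forty-two")); // caller text lands unchanged in the SQL
        try { ByParam(null, "forty-two"); }      // no connection needed: rejected before use
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```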

Re:Sloppy type conversions (0)

Anonymous Coward | about 5 months ago | (#46414591)

Stepping back for a sec, this is mind boggling to me. So in the closed source world you basically just close your eyes and hope there's not a problem when you link? Because if there is, it's absolute mercy, you have no choice but to beg the vendor to fix it? That's gotta be 8 hours a day in pure hell.

I know this sounds trollish but really think about it, how do you guys get anything productive done in the MS world?

Re:Sloppy type conversions (0)

Anonymous Coward | about 5 months ago | (#46415629)

We don't waste our days wanking to furry porn like you freetards?

Re:Sloppy type conversions (1)

coolsnowmen (695297) | about 4 months ago | (#46428581)

HAHAHA, if that is how you really feel, how did you even get this far on /. ?

Oh, pray tell, what kind of mainstream porn would you find acceptable for me to wank to.

That's an easy one (2)

Minwee (522556) | about 5 months ago | (#46413591)

In situations like this I usually recommend arson.

I don't have a favorite (1)

JMZero (449047) | about 5 months ago | (#46413659)

And haven't found any that are terribly impressive in their abilities. They'll catch certain kinds of problems, but tend to lose their way pretty fast in more complicated code. Anyway, this list might help start you out in the right direction:

http://en.wikipedia.org/wiki/L... [wikipedia.org]

Many Eyes (3, Insightful)

Jaime2 (824950) | about 5 months ago | (#46413723)

Good security comes from a lot of people's testing and input. If you investigate a product, you will only be able to categorize it into two categories: "utterly craptastic" and "probably utterly craptastic". The only way to be assured of good quality is to use libraries that a lot of people use and have had success with. Don't bother looking at the binary, look at the reputation.

Re:Many Eyes (1)

FormOfActionBanana (966779) | about 5 months ago | (#46415951)

That's utterly crap advice, since a lot of software in popular, active use has critical vulnerabilities.

The example quoted just above (http://ask.slashdot.org/comments.pl?sid=4862577&cid=46414687) in which nobody got the sarcasm... says:

You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.

He was referring to https://www.gitorious.org/gnut... [gitorious.org] and https://www.imperialviolet.org... [imperialviolet.org] , not to mention http://bsd.slashdot.org/story/... [slashdot.org] which also sat unnoticed for years.

"Slashdot ... tools for analyzing .NET and Java" (0)

tlambert (566799) | about 5 months ago | (#46413755)

"Slashdot ... tools for analyzing .NET and Java"

I am partial to "rm"; I have a couple of friends who prefer "unlink", and one friend who prefers "cp /dev/null ".

Seriously, why do you think *anyone* other than "security consultants" analyzes binary libraries? Why do you think FXCop hasn't been updated?

ILSpy (1)

Dwedit (232252) | about 5 months ago | (#46413827)

This is not a security analyzer, but ILSpy [ilspy.net] is the .NET decompiler that I currently use. Red Gate .NET Reflector went commercial only, so this is what's left.

Re:ILSpy (1)

hermitdev (2792385) | about 4 months ago | (#46419999)

Another free option for .NET is JetBrains dotPeek. It's worked fairly well for me.

In contrast to masturbation... (0)

Anonymous Coward | about 5 months ago | (#46413895)

everybody says they do it, but none of us really do.

jad -p (0)

Anonymous Coward | about 5 months ago | (#46414267)

TFA author knows how to decompile .NET, and executing the subject of this message decompiles Java, so just do that. If you really care about the quality of a library, then you can use eyeballs or any number of analysis tools.

More important than perceived code quality in my view is ability to get problems fixed with whatever library you select. It really sucks to release product and field bugs you are in no position to do anything about.

Re:jad -p (0)

Anonymous Coward | about 4 months ago | (#46477367)

Sometimes you can add a trampoline to at least fix what was done incorrectly. As long as you can detect the bug.

IOW: rootkit it.

Forget about legal (0)

Anonymous Coward | about 5 months ago | (#46414671)

Here's the thing.

I think nothing of reverse engineering, decompiling, deobfuscating, or deconstructing someone else's code, animation, pictures, music, etc. I don't care if it's legal or not, but I'm not going to redistribute what I learn from doing so. All is fair when learning (including piracy and license violations), but when you decide to make money from it, you either write your own clean implementation, or you find someone who wrote something that works for you.

For example, zlib and gzip/pigz are open source, and easily used without reverse engineering. Many Javascript libraries are obfuscated, but I can still figure them out, and would never pay money for the sloppy things. So when it comes to libraries and frameworks that just wrap existing functionality, throw away the framework and write your own. In some cases there's a better performance tradeoff for doing so.

In respect to Java and C# .NET, please quit using these languages if you need to rely on wrappers and libraries outside of their core libraries. There is a substantial difference between "I think this library is insecure" and "I think this library just does things in a way I wouldn't do". In the former case, if it's not open source, then quit using it and write your own. In the latter, quit complaining and write your own.

The worst code I encounter is straight C code linked by another library, that does little more than return(x);

rm - just rm (1)

SpaceLifeForm (228190) | about 5 months ago | (#46415561)

Don't waste your time, just delete them. The probability that they don't have security problems is nearly nil.

FxCop (0)

Anonymous Coward | about 5 months ago | (#46415567)

FxCop is now built into Visual Studio. It's called Static Analysis and it can be invoked against a .NET assembly using the command line interface or directly against source code in Visual Studio. Another (extremely expensive) option is HP Fortify.

.Nyet ! (1)

BlazingATrail (3112385) | about 5 months ago | (#46416155)

.NET, closed source library.. (munching popcorn).. you poor thing. What did you expect was going to happen?

Re:.Nyet ! (1)

whitedsepdivine (1491991) | about 5 months ago | (#46417543)

You do know that isn't true. Microsoft has open sourced a lot of their primary libraries.

Re:.Nyet ! (1)

BlazingATrail (3112385) | about 4 months ago | (#46425239)

Are linux versions available? Can I get Windows for free? sorry but Micro$oft PR doesn't work here

And? (1)

Tablizer (95088) | about 5 months ago | (#46416175)

Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.

Okay, but what were the unexpected things you found?

code analysis (1)

chentiangemalc (1710624) | about 5 months ago | (#46416791)

For .NET libraries I use .NET Reflector, and can integrate it into real time debugging with Visual Studio. FxCop is no longer needed as it's built into Visual Studio; run the Code Analysis option. For analyzing Java libraries I like the free tool jd2gui. For native libraries on Windows I like IDA Pro/OllyDbg/WinDbg/AppVerifier and the Windows App Certification Kit in the Windows 8.1 SDK.

Hp Fortify (1)

whitedsepdivine (1491991) | about 5 months ago | (#46417487)

http://www8.hp.com/in/en/softw... [hp.com] This product scans your own and third-party libraries for security problems. It doesn't scan for standards or performance. For performance you can use Red Gate ANTS, but there isn't anything for standards.

Guidelines not Software Tools (1)

cyberhooligan77 (2612877) | about 4 months ago | (#46420173)

You mention "Tools"; did you mean "Software Tools"? And you have to use a decompiler.

I think "Reviewing", in this case, means more like guidelines & I.T. (rules) policies.

Things you may want to consider:

* Does a library provide source code? (No source code: preferably avoided.) If you have to pay extra for the source code, then choose no library, or pay for the source code, but don't buy proprietary libraries without source code or support.

* Is a library for a particular programming language or programming environment, or several?

If it's for several programming languages, make sure it can be compiled, loaded, or integrated into other languages.

* Does a library provide documentation, both as files and on the web?

I have dealt with several libraries which lack one or the other. Don't trust a library that doesn't have files independent of the web. There are many great software libraries that only have web documentation. When a winter storm arrives, say "good bye" to the Internet, and say "good bye" to the documentation. The same goes if a hacker or virus attacks the documentation server, or there is a technical malfunction at the network or server.

Web documentation is good, because sometimes it's updated regularly. But don't count on having it available all the time. Some developers just take the comments of the source code & generate both web pages & local files. And sometimes this is helpful.

* Does a third party library provide support?

The answer is similar to the previous answer. Open & Free Software can be great, but sometimes lacks this, because many developers cannot provide full-time support. (Unless paid by companies or groups like Apache or Google.)

* Does a third party library provide an A.P.I., or is it structured?

Good software can be difficult to integrate with other software if it's not structured by classes, modules, or functions.

Just my [spartan] 2 silver cents [coins].
