Ask Slashdot: Reviewing 3rd Party Libraries?
Carcass666 writes "It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.
My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework."
Decompilation is at best a violation of your license to use the library, forfeiting your ability to use it, and at worst could be a violation of the anti-circumvention clause of the DMCA, which could land you in court or in jail.
If it looks like a duck, and quacks like a duck, it must be a duck.
**Libraries work just fine**
You don't need TED-talk style "innovation"... the problem isn't with libraries... it's with the GOP politicians who gut their funding, then say they are not popular, then hook up an "innovative" private company to do it for 3x the cost to the taxpayer and fewer services than what the original library did.
Here are the steps:
1. Cut funding from library via policy (usually justified by a need for 'budget cuts')
2. People use library less b/c library can't offer as many services
3. Data shows people don't use the library as much b/c it lacks X services
4. GOP connected *private company* uses PR to place stories in local newspaper about "new tech innovation" that will make the library "cool" again
5. Local government gives private company multi-year contract
6. Politician gets kickback
7. Taxpayers get **fewer services** for **more money** with **less accountability**
That's it... that's what's happening here... "3rd Party Library" my ass
Thank you Dave Raggett