
My company is implementing software whitelisting processes. There is a lot of freeware that needs security testing. Actually, it only requires a preliminary evaluation rather than a deep analysis.

How can we assess the security of freeware?

schroeder
sanba06c

1 Answer

Almost the same thing as what can be done for paid software: examine the reputation of the vendor/software, and evaluate the risk of adding it to the whitelist against the cost of forbidding it.

For example, Postfix, OpenBSD, the Spring framework or LibreOffice are all freeware with an excellent reputation, even better than many commercial tools. The risk of using them is very low. But if your whitelist already contains competing software (equivalent features), adding them to the whitelist with no real reason will only add more work in maintaining the list of valid versions. Said differently, it would be no different from what you should do for IDEA, Windows or Microsoft Outlook.

On the other hand, you can find freeware with little reputation, simply because few people use it. The first question to ask is whether it is correctly maintained. If serious bugs have been pending for a long time, it is a hint that you should avoid it... But it is the same for niche commercial software.

The last point that can be done is an audit of the code. I put it last despite it being IMHO what can give the most information on the quality and security of the software. But it is very expensive in time or money, which is the reason why I would be reluctant to use it. But if you want to use a little-known freeware for a mission-critical operation, you should consider that.

For your last question, I would not trust tools or any single website for assessing the security of a piece of software. Of course, if an anti-malware chokes on it you should keep away, but finding no viruses is not a sufficient condition. For websites, I try to find converging hints to establish a reputation. And I also try to use the reputation of the site or the author. For example, when a high-rep user from Information Security says something, I trust that much more than what I can find on my ISP's forums :-) . But we are close to fuzzy logic at that point.

Serge Ballesta