Questions tagged [opensource]

Open source is a term used for software whose source code is made available. Software distributed under an open source license allows users to study, debug and improve the software, with certain rights preserved for the copyright holder.

165 questions
7 votes, 2 answers

In Visual Studio, what are the risks of simply opening an untrusted project? What are the mitigations?

I'm looking at the source code of some potentially hostile code. As usual, VS 2012 is giving me the security warning: "You should only open projects from a trustworthy source" ... "ask me for every project in this solution" If I press OK,…
makerofthings7

7 votes, 3 answers

Could I delete .csr files once the key was signed by the CA?

I'm creating my own openvpn server. The certificate authority is located on a separate host. There are two kinds of clients: those that just send a .csr and to which I send the .crt as an answer, and the others which I build myself. In the second case,…

7 votes, 3 answers

Are there any free static analysis tools for C# / .NET code?

A client recently asked me to perform a code review on C# code. As an independent contractor I was wondering what are the automated solutions out there where I would not have to break the bank to carry out similar assignments. So far I have come…
Epoch Win

7 votes, 3 answers

How can Linux be secure if it allows for open source contributions from the public?

From my brief understanding of Linux, developers from around the globe submit code to be included into a Linux update. It's then reviewed by security administrators. When approved, it's passed onto Linus, the founder of Linux for his final…
Michael d

7 votes, 3 answers

Before a piece of software is approved to go into a repo, what security checks does it go through?

I use Debian Jessie, and the Debian repo has many open source packages. I understand there's a process that checks these before they get used in the repository. While I understand it's impossible to find every bug (heartbleed, for example), I would…
user55890

7 votes, 2 answers

Searching vulnerabilities via similar code comparison. Is it a viable attack vector?

Consider the following scenario: the attacker scans (optimally automatically) open codebases (e.g. GitHub) for vulnerable code fragments by checking bug reports and patches. The attacker scans for similar code fragments in other sources (i.e. other…
goteguru

6 votes, 3 answers

Does (J-)SOX Forbid the Use of Open Source Software?

With regard to Sarbanes-Oxley, and particularly the Japanese version thereof: Is it true that in order to comply with (J-)SOX you must have a support contract - and therefore a responsible party - for any software used within the enterprise? If that…
sholsinger

6 votes, 2 answers

Can I trust a security hash implementation after testing it with random inputs against another implementation?

Let's say I want to use a security hashing algorithm, like bcrypt, and I want to use a young bcrypt implementation, e.g. called libfancybcrypt, instead of a well-established implementation. Of course, I can simply generate a few thousand or…

6 votes, 2 answers

Drupal Disputed CVE Five Year Tempest – Open Source Security Shortfall?

Can someone add context to the subject issue? At first glance it appears to me this issue represents a fundamental shortfall in the forces encouraging secure coding in open source development. Is that the case and/or is this example common or a…
zedman9991

6 votes, 1 answer

Is there a database with XSS vectors, possible reference and test information?

I recently had the idea to develop a public database in which unique cross-site scripting (XSS) vectors will be registered and get a reference assigned similar to the CVE system. I made a local PoC already and registered a suitable domain to use…
Bob Ortiz

6 votes, 3 answers

Making database code open source

I am building a web app. It is currently not open source, but I am considering making it open source, so that others can fix bugs, improve it, so that others are not suspicious of my motives (fun to code & to create a useful tool for others - not…

6 votes, 3 answers

How much can we trust open source implementations of crypto (security) libraries?

In one of my projects I was choosing bcrypt or PBKDF2 for the KDF for passwords. I have read that bcrypt is generally more advanced and scrypt is even better. But I am using .NET platform where bcrypt/scrypt are not available from Microsoft though…
Ilya Chernomordik

5 votes, 3 answers

Open source web application penetration testing community

I do web development for a living but my real passion is security. I have worked with countless open source web applications/frameworks and I have found vulnerabilities in most of them. The main cause of those vulnerabilities is a lack of security…
Cut Copy

5 votes, 2 answers

How secure is EncFS compared to TrueCrypt?

If I choose the paranoia option for EncFS, and for TrueCrypt I create containers using the encryption algorithm AES-Twofish-Serpent and the hash algorithm Whirlpool, are both methods equally secure, or is one method more secure than the other? As…
oshirowanen

5 votes, 2 answers

What are good free open source tools for helping in manual source code reviews?

I know tools that help in identifying security vulnerabilities in source code (static analysis tools), like Findbugs for Java or Pixy for PHP, but I would like to know good free open source tools that help in the task of documenting and following…
kinunt