this post was submitted on 29 May 2025
cross-posted from: https://lemmy.ml/post/30846707

cross-posted from: https://lemmy.ml/post/30846701

The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let's hear it!

top 9 comments

I don't do a full audit, but I certainly make sure the project is reasonably active before using it. I'll look at:

  • recent commits
  • variety of contributors
  • activity on issues and pull requests from maintainers

That only takes a few minutes and I think catches the most important issues.
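The activity check described in that comment can be scripted. The block below is an added example for this thread, not code from the commenter: it parses the output of `git log --format='%H%x09%an%x09%aI'` (hash, author, ISO date, tab-separated), counts commits and distinct authors in a recent window, and lists the concerns a quick pre-install look would raise. The log lines, names and hashes are constructed; the thresholds are arbitrary assumptions you would tune per project.

```python
"""Quick repository-health summary from `git log` output (added example).

The sample log imitates:  git log --format='%H%x09%an%x09%aI'
Run it against a real clone by piping that command's output into summarize().
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: hashes, author names and dates are made up.
SAMPLE_LOG = """\
0a1b2c3d\talice\t2025-05-20T10:00:00+00:00
1b2c3d4e\tbob\t2025-05-18T09:30:00+00:00
2c3d4e5f\talice\t2025-04-02T12:00:00+00:00
3d4e5f60\tcarol\t2025-03-15T08:00:00+00:00
4e5f6071\talice\t2024-11-01T08:00:00+00:00
5f607182\talice\t2024-06-01T08:00:00+00:00
"""

# Evaluation date fixed to the thread's post date so the result is reproducible.
NOW = datetime(2025, 5, 29, tzinfo=timezone.utc)


def parse_log(text: str) -> list[tuple[str, str, datetime]]:
    """Parse hash/author/date lines; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        sha, author, stamp = parts
        rows.append((sha, author, datetime.fromisoformat(stamp)))
    return rows


def summarize(text: str, now: datetime = NOW, window_days: int = 90) -> dict:
    """Activity metrics for the last `window_days` days plus staleness."""
    commits = parse_log(text)
    cutoff = now - timedelta(days=window_days)
    recent = [c for c in commits if c[2] >= cutoff]
    authors = Counter(author for _, author, _ in recent)
    total = len(recent)
    top_share = authors.most_common(1)[0][1] / total if total else 0.0
    newest = max((c[2] for c in commits), default=None)
    return {
        "commits_in_window": total,
        "distinct_authors_in_window": len(authors),
        "top_author_share": round(top_share, 2),
        "days_since_last_commit": (now - newest).days if newest else None,
    }


def concerns(metrics: dict, min_commits: int = 5, min_authors: int = 2,
             max_stale_days: int = 180) -> list[str]:
    """Turn the metrics into the short list of things worth a closer look.

    Thresholds are assumed defaults, not values from the thread.
    """
    out = []
    stale = metrics["days_since_last_commit"]
    if stale is None or stale > max_stale_days:
        out.append("stale: no commit in the last %d days" % max_stale_days)
    if metrics["commits_in_window"] < min_commits:
        out.append("low activity")
    if metrics["distinct_authors_in_window"] < min_authors:
        out.append("single-maintainer")
    elif metrics["top_author_share"] >= 0.8:
        out.append("one author dominates recent commits")
    return out


if __name__ == "__main__":
    m = summarize(SAMPLE_LOG)
    print(m)
    print(concerns(m) or ["no concerns"])
```

A project with three recent contributors and a commit last week passes the contributor and staleness checks here but still shows "low activity" at four commits in ninety days; whether that matters depends on how mature the project is, which is exactly the judgement the commenter says takes a few minutes.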

[–] Epimetheus@feddit.online 7 points 1 week ago (2 children)

I trust the big projects: LibreOffice, Tomcat, Debian, Openmediavault.

But let's be clear: I have never done an audit myself and I'm totally not capable of doing it. I can program a bit, but this is over my head. If a one-guy project is taken over by a bad actor, I wouldn't know. This has happened, by the way; I don't remember which project it was, but it was pretty big, openssl or something.

[–] beastlykings@sh.itjust.works 1 points 6 days ago

This is me, except even more trusting 🤷‍♂️

[–] brotundspiele@sh.itjust.works 6 points 1 week ago

It was xz, a software most people probably use without even knowing it as it is a library which is included in a lot of other projects. The vulnerability targeted openssh which is one of these users.

That being said: Do you also audit the dependencies of the software you're installing? I usually don't, unless a customer pays me for it. However, before I pull any dependency into one of my own projects I take a look at its dependencies. If a library for a simple task brings tons of dependencies with it, I'd rather not use it.

[–] Lazycog@sopuli.xyz 5 points 1 week ago

If it's something that is not very popular/known I do actually look at the code, but never all of it.

I check:

  • most recent commits
  • for something that might have been hidden before one of the releases
  • deeper into utility files
  • look for suspicious patterns in code that might be trying to hide something, mostly in code related to external network calls

This is of course very superficial and in general I try to avoid obscure projects that are not popular and well known.
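The kind of superficial pass described in that comment (utility files first, network-call code, anything that decodes a blob and executes it) can be turned into a triage scan that tells you where to read by hand. The block below is an added example for this thread, not a tool from the commenter: it walks an in-memory dict of path to source text so it runs offline (in practice you would read a cloned checkout), applies three regex rules, and marks hits in utility-style files as higher priority. The sample files, rule set and the "utility file" name hints are constructed assumptions.

```python
"""Triage scan for network-related and decode-then-execute code (added example).

Findings are pointers for manual review, not verdicts: a hard-coded endpoint
in a utility file may be perfectly legitimate, it is just where to look first.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath

# Constructed sample tree; 203.0.113.10 is from the documentation address range.
SAMPLE_TREE = {
    "app/main.py": (
        "import json\n"
        "\n"
        "def run():\n"
        "    return json.dumps({'ok': True})\n"
    ),
    "app/utils.py": (
        "import base64, urllib.request\n"
        "\n"
        "def fetch(cfg):\n"
        "    return urllib.request.urlopen('http://203.0.113.10/u').read()\n"
        "\n"
        "def helper(s):\n"
        "    exec(base64.b64decode(s))\n"
    ),
    "tests/test_main.py": (
        "from app.main import run\n"
        "\n"
        "def test_run():\n"
        "    assert run()\n"
    ),
}

# Each rule yields at most one finding per source line.
RULES = [
    ("network-call", re.compile(
        r"\b(?:urlopen|requests\.(?:get|post|put)|socket\.(?:socket|create_connection)"
        r"|http\.client\.HTTPS?Connection)\s*\(")),
    ("hardcoded-endpoint", re.compile(
        r"https?://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("decode-then-exec", re.compile(
        r"\b(?:exec|eval)\s*\(.*\b(?:b64decode|fromhex|decompress)\s*\(")),
]

# File names reviewers tend to skim, where a change is easy to bury (assumed list).
UTILITY_HINTS = ("util", "helper", "setup", "conftest", "__init__")


def is_utility_file(path: str) -> bool:
    """True when the file name looks like glue code rather than a feature module."""
    stem = PurePosixPath(path).stem.lower()
    return any(hint in stem for hint in UTILITY_HINTS)


def scan_tree(tree: dict[str, str]) -> list[dict]:
    """Apply RULES line by line; utility-file hits are flagged high priority."""
    findings = []
    for path, source in sorted(tree.items()):
        priority = "high" if is_utility_file(path) else "normal"
        for lineno, line in enumerate(source.splitlines(), start=1):
            for name, rx in RULES:
                if rx.search(line):
                    findings.append({
                        "path": path, "line": lineno, "rule": name,
                        "priority": priority, "text": line.strip(),
                    })
    return findings


def review_order(findings: list[dict]) -> list[str]:
    """Distinct files to open, high-priority ones first."""
    seen: list[str] = []
    for f in sorted(findings, key=lambda f: (f["priority"] != "high", f["path"])):
        if f["path"] not in seen:
            seen.append(f["path"])
    return seen


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['priority']:6} {f['path']}:{f['line']} [{f['rule']}] {f['text']}")
```

On the sample tree every hit lands in `app/utils.py`, which is the point of the comment: the feature code in `main.py` is clean and a reviewer skimming only that would miss the network fetch and the decode-and-exec helper sitting in the utility module.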

[–] linearchaos@lemmy.world 3 points 1 week ago

I mean, I might catch something intended and openly malicious.

If it comes down to a buffer overflow somewhere or an exploitable race condition, I'm probably not going to see it anyway.

[–] sun_is_ra@sh.itjust.works 3 points 1 week ago

If it's packaged, usually I trust it. If it's code with few downloads, I audit it if I know the language; else I run it as a different user.

[–] x00z@lemmy.world 2 points 1 week ago

I often take a small look around if it's a smaller project, yes.

[–] Reddfugee42@lemmy.world 0 points 1 week ago

This is something coding AI is getting better at.