On 5 Feb 2018, at 5:21pm, Drago, William @ CSG - NARDA-MITEQ <william.dr...@l3t.com> wrote:
> I've been using/loving SQLite for years, but the use of open source software
> is highly discouraged where I work, and now I have to prove to our IT dept.
> that SQLite is reliable and secure. The reliable part is easy because there
> is enough information on the SQLite website about testing, but what about
> security? How can I convince the auditors that SQLite is not stealing
> corporate secrets and spreading viruses?

What's "CSG"? Chief of Security Group?

The ideal way would seem to be that you download the source code and compile it yourself. Which is actually the preferred way to use SQLite in the first place. On the download page download the top item "C source code as an amalgamation". You get your own copy of the source code to inspect and compile as you wish. They can spend as long as they want looking for concealed IP addresses and system calls.

> Is there a statement somewhere on the website that guarantees that copies of
> SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all
> forms of spyware/malware/viruses/etc?

That's harder. How does your organisation inspect other pre-compiled libraries? Does it have established uniform standards or are you suddenly being asked to make up your own?

You can download the DLL from the SQLite site, and verify that the checksum is correct. You can compile the DLL yourself (you may need Joe's help) and check to see it's a byte-for-byte copy. You can use tools which inspect the DLL and show its dependencies. You won't find anything in there that has internet access. That's a pretty good first step since you can't steal information without internet access, and most vulnerability toolkits take their instructions over the internet.

If you have specific questions, post them here. Or pay my consultancy rate. Heh.

Simon.
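
The two checks suggested in the message above (verify the download's checksum, then list the DLL's dependencies and look for anything network-related), as an added Python example that is not part of the original message and is not SQLite project code. The digest algorithm default, the `NETWORK_DLLS` watch list and the `build_sample_pe` test image are assumptions constructed for illustration.

```python
import hashlib, struct

# Assumption: DLLs treated as "network capable" for this audit; extend as needed.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}

def digest_matches(data, published_hex, algo="sha3_256"):
    """Compare a download's digest with the published value (algo is an assumption)."""
    return hashlib.new(algo, data).hexdigest() == published_hex.strip().lower()

def imported_dlls(pe):
    """Lower-cased DLL names from the PE import directory (static imports only)."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<2xH12xH", pe, pe_off + 4)  # COFF header
    opt = pe_off + 24
    dirs = opt + (112 if pe[opt:opt + 2] == b"\x0b\x02" else 96)      # PE32+ or PE32
    imp_rva, = struct.unpack_from("<I", pe, dirs + 8)                 # directory 1
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]          # vsize, vaddr, rawsize, rawptr
    def offset(rva):
        for vsize, vaddr, rsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + raw
        raise ValueError("RVA outside all sections")
    names, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None and any(struct.unpack_from("<5I", pe, pos)):
        start = offset(struct.unpack_from("<I", pe, pos + 12)[0])     # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii").lower())
        pos += 20                                # next 20-byte descriptor
    return names

def network_imports(pe):
    return sorted(NETWORK_DLLS.intersection(imported_dlls(pe)))

def build_sample_pe(dlls):
    """Constructed minimal PE32 image: test input only, not a loadable DLL."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    head += (struct.pack("<H", 0x10B).ljust(104, b"\0")
             + struct.pack("<I", 0x1000)).ljust(224, b"\0")
    table, strings = b"", b""
    for name in dlls:
        name_rva = 0x1000 + 20 * (len(dlls) + 1) + len(strings)
        table += struct.pack("<5I", 0, 0, 0, name_rva, 0)
        strings += name.encode() + b"\0"
    body = table + b"\0" * 20 + strings
    head += b".idata\0\0" + struct.pack("<4I", len(body), 0x1000, len(body), 0x200) + b"\0" * 16
    return head.ljust(0x200, b"\0") + body
```

The import directory only lists load-time dependencies; delay-loaded imports and libraries loaded at run time through `LoadLibrary` do not appear in it.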