On 5 Feb 2018, at 5:21pm, Drago, William @ CSG - NARDA-MITEQ <william.dr...@l3t.com> wrote:

> I've been using/loving SQLite for years, but the use of open source software 
> is highly discouraged where I work, and now I have to prove to our IT dept. 
> that SQLite is reliable and secure. The reliable part is easy because there 
> is enough information on the SQLite website about testing, but what about 
> security? How can I convince the auditors that SQLite is not stealing 
> corporate secrets and spreading viruses?

What's "CSG"?  Chief of Security Group?

The ideal way would seem to be that you download the source code and compile it 
yourself.  Which is actually the preferred way to use SQLite in the first 
place. On the download page download the top item "C source code as an 
amalgamation".  You get your own copy of the source code to inspect and compile 
as you wish.  They can spend as long as they want looking for concealed IP 
addresses and system calls.

> Is there a statement somewhere on the website that guarantees that copies of 
> SQLIte downloaded from SQLite.org and System.Data.Sqlite.org are free of all 
> forms of spyware/malware/viruses/etc?

That's harder.  How does your organisation inspect other pre-compiled libraries?  
Does it have established uniform standards or are you suddenly being asked 
to make up your own?

You can download the DLL from the SQLite site, and verify that the checksum is 
correct.  You can compile the DLL yourself (you may need Joe's help) and check 
to see it's a byte-for-byte copy.  You can use tools which inspect the DLL and 
show its dependencies.  You won't find anything in there that has internet 
access.  That's a pretty good first step since you can't steal information 
without internet access, and most vulnerability toolkits take their 
instructions over the internet.

If you have specific questions, post them here.  Or pay my consultancy rate.  
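The three checks the reply above describes (published checksum, byte-for-byte comparison against a self-compiled build, and an import-table inspection for anything with network reach) can be scripted. The following is an added example, not code from the mailing list or from the SQLite project. It assumes the reviewer has the SHA3-256 digest shown next to the download, that the file is a Windows PE DLL, and that a short watch list of networking DLLs is a reasonable first filter; the `build_sample_pe` helper only constructs a minimal PE image so the checks can run offline and is not a real SQLite build.

```python
# Added example (not from the mailing-list post): three checks a reviewer can
# script for a downloaded sqlite3.dll, matching the steps in the reply above:
#  1. the download's SHA3-256 digest matches the digest published beside it,
#  2. a self-compiled build is byte-for-byte identical to the download,
#  3. the PE import table names no networking DLL.
# The PE builder at the bottom only exists to produce a constructed sample
# image so the checks run offline; it is not a real SQLite build.
import hashlib
import hmac
import struct
import sys

# Windows DLLs through which user-mode code reaches the network (assumption:
# a reviewer's watch list, not an exhaustive one).
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}


def matches_published_hash(data: bytes, expected_sha3_hex: str) -> bool:
    """Check 1: constant-time compare of the file's SHA3-256 against the published digest."""
    actual = hashlib.sha3_256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha3_hex.strip().lower())


def first_difference(a: bytes, b: bytes):
    """Check 2: offset of the first differing byte between two builds, None if identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def imported_dlls(pe: bytes) -> list:
    """Check 3: walk the PE import directory and return the DLL names it imports."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    dd_off = opt + (96 if magic == 0x10B else 112)            # start of the data directories
    import_rva = struct.unpack_from("<I", pe, dd_off + 8)[0]  # directory entry 1 = imports
    if import_rva == 0:
        return []
    # Section table: needed to map an RVA to a file offset.
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva_to_off(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x not in any section" % rva)

    names = []
    off = rva_to_off(import_rva)
    while True:  # 20-byte IMAGE_IMPORT_DESCRIPTOR entries, terminated by an all-zero one
        desc = pe[off:off + 20]
        if desc == b"\0" * 20:
            break
        name_rva = struct.unpack_from("<I", desc, 12)[0]
        start = rva_to_off(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        off += 20
    return names


def network_imports(pe: bytes) -> set:
    """Imported DLL names (lower-cased) that appear on the network watch list."""
    return {n.lower() for n in imported_dlls(pe)} & NETWORK_DLLS


def build_sample_pe(dll_names) -> bytes:
    """Constructed minimal PE32+ image with one .idata section (sample input only)."""
    sec_rva, sec_off = 0x1000, 0x200
    descriptors, names = b"", b""
    name_base = sec_rva + 20 * (len(dll_names) + 1)
    for dll in dll_names:
        descriptors += struct.pack("<IIIII", 0, 0, 0, name_base + len(names), 0)
        names += dll.encode("ascii") + b"\0"
    descriptors += b"\0" * 20
    section = descriptors + names
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, 240-byte optional header
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8, sec_rva, len(descriptors))      # import directory entry
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + bytes(dirs)
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", len(section), sec_rva, len(section), sec_off) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers + b"\0" * (sec_off - len(headers)) + section


if __name__ == "__main__":
    # Usage: python check_dll.py sqlite3.dll <published-sha3-256-hex> [self-built.dll]
    data = open(sys.argv[1], "rb").read()
    print("digest matches:", matches_published_hash(data, sys.argv[2]))
    if len(sys.argv) > 3:
        print("first difference vs self-built:", first_difference(data, open(sys.argv[3], "rb").read()))
    print("imports:", imported_dlls(data), "network:", sorted(network_imports(data)))
```

The import walk only covers the static import directory; a thorough review would also look at the delay-load directory and at runtime library loading, and a byte-for-byte match with a self-compiled build is only meaningful when compiler, flags and headers match the ones used for the published binary.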

sqlite-users mailing list