On 5 Feb 2018, at 5:21pm, Drago, William @ CSG - NARDA-MITEQ
> I've been using/loving SQLite for years, but the use of open source software
> is highly discouraged where I work, and now I have to prove to our IT dept.
> that SQLite is reliable and secure. The reliable part is easy because there
> is enough information on the SQLite website about testing, but what about
> security? How can I convince the auditors that SQLite is not stealing
> corporate secrets and spreading viruses?
What's "CSG"? Chief of Security Group?
The ideal way would seem to be that you download the source code and compile it
yourself. Which is actually the preferred way to use SQLite in the first
place. On the download page, download the top item "C source code as an
amalgamation". You get your own copy of the source code to inspect and compile
as you wish. They can spend as long as they want looking for concealed IP
addresses and system calls.
> Is there a statement somewhere on the website that guarantees that copies of
> SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all
> forms of spyware/malware/viruses/etc?
That's harder. How does your organisation inspect other pre-compiled libraries?
Does it have established uniform standards, or are you suddenly being asked
to make up your own?
You can download the DLL from the SQLite site, and verify that the checksum is
correct. You can compile the DLL yourself (you may need Joe's help) and check
to see it's a byte-for-byte copy. You can use tools which inspect the DLL and
show its dependencies. You won't find anything in there that has internet
access. That's a pretty good first step since you can't steal information
without internet access, and most vulnerability toolkits take their
instructions over the internet.
If you have specific questions, post them here. Or pay my consultancy rate.
sqlite-users mailing list
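The three checks suggested in the reply above (hash the download against the published sum, compare it byte for byte with your own build of the amalgamation, and look at which DLLs the binary imports) can be scripted. The following is an added example, not code from the thread or from the SQLite project; the file paths and the expected hash are placeholders, sqlite.org is assumed to publish SHA3-256 sums beside each download, and `build_test_image` constructs a minimal PE32 purely so the import-table parser can be exercised without a real DLL.

```python
"""Audit checks for a downloaded pre-compiled library such as sqlite3.dll:
published-hash match, byte-for-byte match with an in-house build, and a list
of imported DLLs with the networking ones singled out. Added example; paths
and the expected hash below are placeholders."""
import hashlib
import struct
from pathlib import Path

# DLLs through which Windows code reaches the network; any hit deserves a closer look.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}


def digest_hex(data: bytes, algorithm: str = "sha3_256") -> str:
    """Hex digest of a blob, to compare with the sum printed on the download page."""
    return hashlib.new(algorithm, data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """None if a == b, else the offset of the first differing byte (or the
    shorter length when one file is a prefix of the other)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def imported_dlls(image: bytes) -> list:
    """Walk the PE import directory and return the lowercase DLL names it references."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]               # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                               # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)                # data directories: PE32+ vs PE32
    import_rva = struct.unpack_from("<I", image, dirs + 8)[0]   # entry 1 = import table
    sections = []
    for i in range(nsections):                                  # 40-byte section headers
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    names = []
    if import_rva == 0:
        return names                                            # image imports nothing
    off = rva_to_offset(import_rva)
    while True:                                                 # 20-byte descriptors, zero-terminated
        name_rva = struct.unpack_from("<I", image, off + 12)[0]
        if name_rva == 0:
            break
        start = rva_to_offset(name_rva)
        end = image.index(b"\0", start)
        names.append(image[start:end].decode("ascii", "replace").lower())
        off += 20
    return names


def network_imports(image: bytes) -> list:
    """The subset of imported DLLs that provide network access."""
    return sorted(set(imported_dlls(image)) & NETWORK_DLLS)


def build_test_image(dll_names) -> bytes:
    """Constructed minimal PE32 with a single .idata section; test data, not a real DLL."""
    desc_len = (len(dll_names) + 1) * 20
    names_blob, descriptors = bytearray(), bytearray()
    for name in dll_names:
        name_rva = 0x1000 + desc_len + len(names_blob)
        descriptors += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        names_blob += name.encode() + b"\0"
    body = descriptors + bytes(20) + names_blob                 # terminating all-zero descriptor
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 104, 0x1000, desc_len)         # import directory RVA/size
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                       # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102) + opt
    hdr += b".idata\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), 0x200) + bytes(16)
    hdr += bytes(0x200 - len(hdr))                              # section raw data starts at 0x200
    return bytes(hdr + body)


if __name__ == "__main__":
    dll = Path("sqlite3.dll")                                   # placeholder: the downloaded DLL
    image = dll.read_bytes() if dll.exists() else build_test_image(["KERNEL32.dll", "msvcrt.dll"])
    print("sha3-256:", digest_hex(image))                       # compare with the published sum
    print("network DLLs imported:", network_imports(image))
    own = Path("own-build/sqlite3.dll")                         # placeholder: compiled from the amalgamation
    if own.exists():
        print("first differing offset vs own build:", first_difference(image, own.read_bytes()))
```

A non-empty result from `network_imports` does not by itself prove anything malicious, and an empty one is only the "pretty good first step" the reply describes: it says nothing about code that loads libraries at run time by name. Byte-for-byte equality with your own build is the stronger evidence, and it only holds if the same compiler, options and amalgamation version are used for both.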