> On Feb 5, 2018, at 9:21 AM, Drago, William @ CSG - NARDA-MITEQ 
> <william.dr...@l3t.com> wrote:
> 
> The reliable part is easy because there is enough information on the SQLite 
> website about testing, but what about security?

Open source software is more secure than closed source, since the source code 
can be reviewed and audited. (In the security field, closed-source 
cryptographic software isn’t even taken seriously since it’s not possible to 
verify its claims, just as scientific results need peer review and independent 
confirmation.)

>  How can I convince the auditors that SQLite is not stealing corporate 
> secrets and spreading viruses?

You can very easily prove that SQLite contains no networking code, so it’s 
incapable of accessing any network. Just search through sqlite3.c looking for 
the names of the system calls needed to open a socket; they don’t appear. Or 
more rigorously, use a (platform-specific) tool to dump the list of external 
functions called by the compiled SQLite library.

It should also be fairly easy to look through the code to prove that SQLite 
doesn’t open any files other than the ones specifically requested by the caller 
(plus the -wal and -shm side files) so it can’t be stealing data or writing 
viruses into system software.

I don’t know if this will convince your IT management though, because if 
they’re against open source they must be remarkably backward...

—Jens
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
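The two checks described in the reply above (searching sqlite3.c for the names of the socket system calls, and dumping the external symbols the compiled library imports), plus a listing of the file-open call sites for the "only the requested files" argument, as one added shell example. This is not code from the thread or from the SQLite project. The symbol lists, the script name sqlite-audit.sh and the use of binutils/macOS `nm -u` are assumptions; extend the lists for your platform.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SQLite project.
# Scans a C source file for call sites of a given set of function names,
# and (optionally) lists which of those names a compiled library imports.
# The symbol lists below are an assumed POSIX/Winsock starting set; extend
# them for your platform and linker.

# Functions a program needs to open or use a network socket.
NET_SYMS='socket|connect|bind|listen|accept|sendto|recvfrom|send|recv|getaddrinfo|gethostbyname|WSAStartup|WSASocketW'

# Functions that open files; used to enumerate every open site for review.
FILE_SYMS='open|openat|open64|fopen|creat|CreateFileW|CreateFileA'

# scan_source FILE 'name1|name2|...'
# Prints every line where one of the names is called (identifier followed by
# an opening parenthesis). Returns 0 when nothing matched, 1 otherwise.
scan_source() {
    file=$1
    names=$2
    # Word boundary on the left so "socket" does not match "websocket_open";
    # a following "(" keeps comments that merely mention the word out.
    if grep -nE "(^|[^[:alnum:]_])(${names})[[:space:]]*\(" "$file"; then
        return 1
    fi
    return 0
}

# scan_library LIB 'name1|name2|...'
# Lists the undefined (imported) symbols of a compiled object or static
# library with nm and prints those in the name list. Returns 0 when none,
# 1 when some, 2 when nm is unavailable. Accepts the Mach-O leading
# underscore and ELF "@GLIBC_x" version suffixes.
scan_library() {
    lib=$1
    names=$2
    if ! command -v nm >/dev/null 2>&1; then
        echo "nm not found; cannot inspect $lib" >&2
        return 2
    fi
    if nm -u "$lib" 2>/dev/null | grep -E "(^|[[:space:]])_?(${names})(@|$)"; then
        return 1
    fi
    return 0
}

# Usage: sh sqlite-audit.sh sqlite3.c [libsqlite3.a]
if [ "$#" -ge 1 ]; then
    if scan_source "$1" "$NET_SYMS"; then
        echo "OK: no socket-related calls in $1"
    else
        echo "REVIEW: socket-related calls found in $1"
    fi
    echo "File-open call sites in $1 (check each against the main/-wal/-shm rule):"
    scan_source "$1" "$FILE_SYMS" || true
    if [ "$#" -ge 2 ]; then
        if scan_library "$2" "$NET_SYMS"; then
            echo "OK: no socket-related imports in $2"
        fi
    fi
fi
```

The source scan and the symbol scan answer slightly different questions: the first shows what the code as written calls, the second what the artefact you actually ship links against, so run both on the build you deploy. A symbol scan cannot see names resolved at run time through dlsym or GetProcAddress, so confirm those are absent as well (or review their use) before presenting the result to an auditor.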
