• kinther@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      15 days ago

      I know you’re be facetious here and I’m ignorant to actual application security methodology. I do have to ask though, when you are looking for something in code that could be a security risk, isn’t it possible to look for methods or functions used to lookup DNS, outbound network calls, or even libraries used to obfuscate code? It seems to me that most programmers wouldn’t go through lengths to obfuscate their code and would want it to be readable/maintainable, so doing so would be a red flag.

      Obviously no one is going to search for “evil spyware” when auditing code. Your point stands it is not as simple as that.

      • PotatoesFall@discuss.tchncs.de
        link
        fedilink
        arrow-up
        3
        ·
        15 days ago

        You’re totally right, I just think you underestimate how long it takes to rigorously audit a whole codebase. Let’s say you look for outvound network calls. Now you need to figure out for all of them whether they are malicious, which will require specific domain knowledge. And that’s assuming you find them all, the network call could be hidden away in a dependency. None of this is impossible but it requires a serious effort.