phendrenad2 5 hours ago
There's always some mathematician who tries to prove that locks on your doors "won't help" because the universe is infinite. Narrator: it is not.
amiga386 4 hours ago
Deciding to put your resources into something that only a really stupid criminal would be caught by gives you a false sense of security. Literally scanning for just "eval(" is entirely insufficient.

You have to execute the code. Therefore you have to demand module authors describe how to execute code, e.g. provide a test suite, which is invoked by the scanner, and require the tests to exercise all lines of code. Provide facilities to control the behaviour of functions outside the module so that this is feasible.

This is a lot of work, so nobody wants to do it, so they palm you off with the laziest possible solution - such as literally checking for "eval(" text in the code - which then catches zero malware authors and wastes resources providing help to developers caught as a false positive, meanwhile the malware attacks continue unabated because no effective mechanism to stop them has been put in place.

Reminds me of the fraudster who sold fake bomb detectors to people who had a real need to stop bomb attacks. His detectors stopped zero bomb attacks. https://www.bbc.co.uk/news/uk-29459896
venturecruelty 11 minutes ago
"Hey, we've figured out how to detect security vulnerabilities! We just need to solve the Halting Problem!"