well-known vulnerability scan

Zofz
Site Admin
Posts: 87
Joined: Wed Apr 20, 2022 10:13 pm
Location: Cologne, Germany

Post by Zofz »

Software developers, beware of a hidden acceptance problem: well-known vulnerability scans.

Larger companies take security seriously and scan incoming software for known vulnerabilities. During one such scan, I received notification that my zofzpcb software contained well-known vulnerabilities. I was grateful to be notified rather than quietly omitted from consideration, but it made me wonder how such vulnerabilities could exist in my code.

Upon investigation, I discovered that the scanner first tested the self-extracting package of the installer, which led to the first hit. I had used an older version of Flexera's InstallShield LE because it was free (and later inexpensive), but since then the price had skyrocketed to several thousand dollars. First reluctant to switch to a new vendor, I gave up and opted for Advanced Installer. However, I argued that zofzPCB was not the installer but the content of it, so I asked the company to scan the content.

This opened Pandora's box. While some files were easy to update, such as my own libraries, others posed greater challenges. For example, the OpenCascade library used by the STEP export required a newer version, but luckily one was available within a few weeks. The biggest problem was the DirectX 9 "d3dx9_43.dll" file, which I carried in the package for newer PCs. The issue was that Microsoft did not update the DLL and claimed that the updated version was DX10 or DX11. However, using the newer API presented significant differences, such as DXUT no longer being available in DX11 and the new math library being heavily SIMD oriented. Although it was an excellent improvement, it required me to think in SIMD terms and pushed me to optimize my concepts.

In summary, dealing with binary scanning and outdated libraries can be a frustrating and time-consuming process. It's important to stay up-to-date with software and libraries, take a proactive approach to software development, and address any known vulnerabilities as quickly as possible. As I learned firsthand, taking shortcuts to save money or avoiding the hassle of configuration changes can lead to major headaches down the line. By prioritizing security and staying up-to-date, you can develop software that is both reliable and secure.
Zofz

Re: well-known vulnerability scan

Post by Zofz »

Now it is SBOM.
SBOM = software BOM.
So, I am supposed to list the modules in a specific file format, something like the old map file. But to trust it, it would have to be done by some software, and maybe the list should be signed by it.
And now - where is the software for Visual Studio C++???
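What the second post asks for, as an added example that is not part of the thread or the zofzPCB project: an inventory of the shipped binaries (the installer content, not the installer) in CycloneDX 1.4 JSON, each file recorded with its SHA-256, the document signed over a canonical serialisation, and a check that the files on disk still match what the SBOM records. The file bytes and version strings are constructed placeholders, and HMAC stands in for the asymmetric signature a release pipeline would apply.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the files in the install payload; a real build would
# read the bytes from disk and the versions from each file's VS_VERSIONINFO.
PAYLOAD = {
    "d3dx9_43.dll": (b"constructed bytes for d3dx9_43.dll", "0.0.0-placeholder"),
    "TKSTEP.dll": (b"constructed bytes for an OpenCascade module", "0.0.0-placeholder"),
    "zofzpcb.exe": (b"constructed bytes for the application", "0.0.0-placeholder"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(payload: dict) -> dict:
    """Minimal CycloneDX 1.4 document: one component per shipped file, with its hash."""
    components = [
        {"type": "application" if name.endswith(".exe") else "library",
         "name": name, "version": version,
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
        for name, (data, version) in sorted(payload.items())
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def canonical(sbom: dict) -> bytes:
    # Stable serialisation so the signature does not depend on key order or whitespace.
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sign_sbom(sbom: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical form (placeholder for a real signature)."""
    return hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()


def verify_sbom(sbom: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_sbom(sbom, key), tag)


def check_payload(sbom: dict, payload: dict) -> list:
    """Names of shipped files whose bytes no longer match the hash recorded in the SBOM."""
    recorded = {c["name"]: c["hashes"][0]["content"] for c in sbom["components"]}
    return sorted(n for n, (data, _) in payload.items()
                  if recorded.get(n) != sha256_hex(data))
```

A scanner consuming the SBOM can then match each name/version against its vulnerability database without unpacking the installer, and the signature lets it reject an inventory that was edited after the build.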