Do you audit the code you download before executing it?
Sometimes I wonder what life is like for a person who only executes code after auditing it. Do you do that?
Maybe some Linux gurus have that lifestyle. Once or twice I came across someone saying that he/she only executes code after compiling it from source. That sounds impressive, but building from source still does not replace a source code audit (if the goal is security).
Lately I have been thinking about auditing a greater proportion of the code I execute. I already audit small scripts. Now I am trying to come up with a plan that may enable me to audit more than that.
I asked myself if that is really necessary. I watched some talks given by Bruce Schneier, and in one of them he speaks about the importance of auditing source code in order to detect security flaws and to be secure. If one of the leading experts attests to its need, then it must be necessary, right? Not so fast. He himself concedes that there is an economic element that may make absolute security undesirable, because its cost would be too high. So where to draw the line? Where do you draw your line? Do you audit the code you execute? If you don't do it yourself, do you pay for it to be done? If not, why not?
Licenses and Credits
The cover image is in the public domain and was obtained here.
To the extent possible under law, Anderson N. Nunes has waived all copyright and related or neighboring rights to Do you audit the code you download before executing it?.