Where are the damn unit tests? If it's security code, it should have 100% code coverage, and there should be a white-paper explaining the domain, and there should be 100% domain coverage. Making sure the code works is not enough. You need to be sure there isn't any code that isn't tested. Any code that is not executed by tests is a potential bug. Maybe a potential exploit or even a back-door. It should be deleted with extreme prejudice.
Even if the code works perfectly, it is possible to have glaring security flaws. Like leaving clear-text passwords in memory. Failing to salt. Using a fast hash algorithm instead of a slow, secure one.
If it's custom encryption code, the risk factor goes up by a lot. Most new encryption algorithms are heavily scrutinized by experts before they are used in production. Which is a good thing, because most new encryption algorithms turn out to be crackable.
![[community profile]](https://www.dreamwidth.org/img/silk/identity/community.png){kind=small}
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
branchandroot
(no subject)
Date: 2025-05-28 05:55 am (UTC)Even if the code works perfectly, it is possible to have glaring security flaws. Like leaving clear-text passwords in memory. Failing to salt. Using a fast hash algorithm instead of a slow, secure one.
If it's custom encryption code, the risk factor goes up by a lot. Most new encryption algorithms are heavily scrutinized by experts before they are used in production. Which is a good thing, because most new encryption algorithms turn out to be crackable.