How to vet an untrusted open-source project?

4 points

3 years ago

Sometimes you may want to use some software in your project, but the maintainer(s) may have some functional affiliation(s) that makes it difficult to use without significant security assessment effort.

Example here: GlobalProtect is VPN software from Palo Alto Networks, but the maintainer of this open source client is based in China. He may be a fine, upstanding person, the code may be pristine, but there's systemic risk that needs to be bought down.

What are your tools of choice to assess something like this?

https://github.com/yuezk/GlobalProtect-openconnect

3 comments