Jump to content

Security questions for AutoIT approval

BradBurke
 Share

Recommended Posts

BradBurke Seeker

BradBurke

Posted
Posted

My company's IT department wants to review how secure AutoIT is before approving its use. 

Do you have any documentation that addresses any data that your company stores about user created scripts?

How secure are your scripts that are compiled as executables?

Are there any security concerns we need to be aware of while developing and running scripts.

What secure data do the logs store?

How do we know your source code is not transferring data behind the scenes?

Has your software had any security audits?

Anything else we should know about?

Link to comment
Share on other sites
  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted
4 minutes ago, BradBurke said:

Anything else we should know about?

With all respect, but what are you expecting as answer to your dumped list of questions of which several are totally void?
Did you do any research yourself before asking as many are asked before and answered.
... and to be honest: How much trust should one put in the creators answer anyways?

Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
Musashi Universalist

Musashi

Posted
Posted

@BradBurke

Just out of curiosity, have you also sent this list of questions to, say, Microsoft, regarding the use of .Net development software. If so, I would be interested in the answer (if you ever received one).

33 minutes ago, BradBurke said:

How secure are your scripts that are compiled as executables?

Are there any security concerns we need to be aware of while developing and running scripts.

AutoIt scripts compiled as .exe contain, in simple terms, a tokenized version of the source code, along with the appropriate AutoIt Interpreter itself. So you should never store e.g. passwords or other sensitive data in the source code. However, this is explicitly not a weakness of AutoIt, it was simply not designed for this purpose

46 minutes ago, BradBurke said:

How do we know your source code is not transferring data behind the scenes?

You should be far more concerned about what data will be sent from your operating system behind the scenes ;).

Musashi-C64.png

"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."

Link to comment
Share on other sites
argumentum Universalist

argumentum

Posted
Posted
6 hours ago, BradBurke said:

Anything else we should know about?

lol, anyone that can not answer these questions by him/her self, should not be doing that job, as THAT is not the way to get those answers.
There. A free lesson.

( Do click like -or HaHa- if you get to read this )

Follow the link to my code contribution ( and other things too ).
FAQ - Please Read Before Posting.
autoit_scripter_blue_userbar.png

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted (edited)
13 minutes ago, argumentum said:

( Do click like -or HaHa- if you get to read this )

Soliciting likes?

 

@BradBurke

From my experience and knowledge, AutoIt won't do anything it isn't told to.  So as far as how safe and secure is it, all depends on the script author. 

Edited by spudw2k
Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetrieve SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites
Somerset Universalist

Somerset

Posted
Posted

Lots of people here are just programmers for the fun of it, or a hobby as another way of stating it.

There are professionals and experts in the field of programming over many types of of languages.

If this were a professional company the people in charge would shake your hand, and show you the door as you quickly as you entered.

Who are you?

What company do you work for?

What position do you hold in relation to the company?

etc.
 

 

Link to comment
Share on other sites
Musashi Universalist

Musashi

Posted
Posted
2 hours ago, Somerset said:

Who are you?  What company do you work for?  What position do you hold in relation to the company?

I'm really curious to see if these questions will be answered :lol:.

My assumptions :

Option 1 :
An assistant (f,m,d), who has been tasked by its IT department to take a deeper look at AutoIt. Since it takes some effort to research the answers himself, he simply threw a list of questions into the room. 

Option 2:
'Just' a normal member who wants to appear important (and save some time as well).

Option 3 (low probability) :
The CEO of a global company who wants to use AutoIt for a new world-changing software product ;).

Musashi-C64.png

"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."

Link to comment
Share on other sites
TheDcoder Universalist

TheDcoder

Posted
Posted
On 7/13/2021 at 2:40 AM, Musashi said:

So you should never store e.g. passwords or other sensitive data in the source code. However, this is explicitly not a weakness of AutoIt, it was simply not designed for this purpose

This applies for all code, anything you store in your program can be easily extracted and decrypted... even big companies which specialize in anti-tampering technology fail. This is a fundamental flaw which arises from the fact that you want the machine to know the secret but not the user, in other words, you can't have your cake and eat it too :muttley:

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

Link to comment
Share on other sites
  • 2 weeks later...
argumentum Universalist

argumentum

Posted
Posted
On 7/12/2021 at 11:19 PM, argumentum said:

( Do click like -or HaHa- if you get to read this )

There. The OP did not login yet. Vote for me, "argumentum for moderator 2021". I'd close these type of thread because I'm mean and ... meh. :)

PS: I would not like to be a moderator. I'd kill'em all. :D

PS2: A big thank you to the moderation team. I would live with heartburn doing your job. 

Follow the link to my code contribution ( and other things too ).
FAQ - Please Read Before Posting.
autoit_scripter_blue_userbar.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...