Is there an advantage in languages that package (.dll, .class, .exe) for scripting languages (.php, .py, .js)?

1

Is there some advantage in using languages like Java, .NET, C or C++, which generate a product that is harder to change?

For example, if I get a .class or a .jar, would there be some advantage in terms of security, privacy, copyright, code control or maintenance compared to using scripts whose source is exposed on the server in production?

As is the case with .php or .js?

2 answers

3


Everything has advantages and disadvantages, and many aspects could be analyzed, but I will focus on the security angle, which seems to be your main concern.

From that standpoint, there is the advantage of hindering access to your source code. I say hindering because if you look you will easily find decompilers for most languages, including .NET and Java, which you mentioned.

Now, of course it is advantageous to compile the code; from a security point of view this gives a bit more protection.

Let's use an analogy to think about whether it is worth the effort: your Wi-Fi network can be hacked if a talented person wants to; now, raising the difficulty by using a more complex password scheme, avoiding passwords like "123456" and adding extra protections will greatly reduce the chance of your network being hacked. It does not guarantee 100%, but it makes it harder. It is the same with code: rather than the whole source being open, it is compiled, and someone will need extra knowledge to reverse engineer it. And speaking of security, you can not only compile but also use an obfuscator, which further complicates that task.

It is still possible to decompile, especially in platform languages like .NET and Java, which run on top of a framework layer and are therefore further from native machine code, which facilitates reverse engineering; in addition, the compiled code contains metadata, which is more data to help in the reverse-engineering process.

Code compiled in a language like C/C++, for example, is more complex to decompile and reverse engineer, as it is compiled much closer to the machine language of the computer.

Additionally, compiled code runs faster because it does not need to be interpreted at runtime, but as a disadvantage it needs to be compiled for the architecture of the machine that will run it to get maximum performance, while interpreted code can just be dropped in and the interpreter takes care of that.

Just as an additional comment, compiling the code does not effectively protect resources such as strings (texts, messages, etc.) in your code, which can even be changed without decompiling the code, so if the point is security, storing these resources in a safer way is a good practice (encrypt, serialize, disguise, etc.), which can also be done with scripting languages.

  • Wouldn't bundled code (with metadata) be a guarantee that a specific version of the source is deployed in production, while with scripts such as PHP and JS this in practice becomes almost impossible to guarantee?

  • It doesn't guarantee it, but it decreases the chance of the version being changed. Whoever does this needs to have the source code, change it, compile it and put it into production, which is much harder than someone accessing the code on the server, opening it in any text editor and changing it, but it still isn't 100% guaranteed. By the way, access to the server must be well controlled regardless of what code is there, but yes, an open-source script is easier to change because the source is right there.
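To see how much a compiled artifact still gives away (the "metadata" and "strings" points in the answer above), here is a small added example that is not from the question or either answer: it parses the constant pool of a Java .class file and lists the class names, identifiers and string literals it contains, with no decompiler involved. The class file it inspects is constructed inline from a hand-built constant pool; the class name com/example/Billing and the sk_live_... literal are made up for illustration.

```python
import struct
import sys

# Constant-pool entries with fixed-size payloads (tag -> byte count after the tag).
_FIXED_SIZE = {
    3: 4, 4: 4,            # Integer, Float
    5: 8, 6: 8,            # Long, Double (each also occupies two pool slots)
    7: 2, 8: 2,            # Class, String (index into a Utf8 entry)
    9: 4, 10: 4, 11: 4,    # Fieldref, Methodref, InterfaceMethodref
    12: 4,                 # NameAndType
    15: 3, 16: 2,          # MethodHandle, MethodType
    17: 4, 18: 4,          # Dynamic, InvokeDynamic
    19: 2, 20: 2,          # Module, Package
}


def read_constant_pool(data: bytes):
    """Parse the header and constant pool of a .class file.

    Returns (major_version, {index: (tag, payload)}); Utf8 payloads are decoded.
    """
    magic, _minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, off, i = {}, 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then (modified) UTF-8 bytes
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, data[off:off + n].decode("utf-8", "replace"))
            off += n
        elif tag in _FIXED_SIZE:
            size = _FIXED_SIZE[tag]
            pool[i] = (tag, data[off:off + size])
            off += size
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {i}")
        i += 2 if tag in (5, 6) else 1
    return major, pool


def extract_strings(data: bytes) -> dict:
    """Everything a reverse engineer gets for free, without a decompiler."""
    major, pool = read_constant_pool(data)
    utf8 = {i: text for i, (tag, text) in pool.items() if tag == 1}

    def ref(payload: bytes) -> str:  # resolve a Class/String entry to its Utf8 text
        return utf8[struct.unpack(">H", payload)[0]]

    return {
        "major_version": major,  # 52 = Java 8, 61 = Java 17, ...
        "classes": [ref(p) for tag, p in pool.values() if tag == 7],
        "string_literals": [ref(p) for tag, p in pool.values() if tag == 8],
        "all_utf8": sorted(utf8.values()),  # names, descriptors, literals
    }


def build_sample_class() -> bytes:
    """Constructed .class with a constant pool only (no methods); all names are made up."""
    def utf8(s: str) -> bytes:
        return b"\x01" + struct.pack(">H", len(s)) + s.encode("utf-8")

    pool = [
        utf8("com/example/Billing"),           # 1
        b"\x07" + struct.pack(">H", 1),         # 2 Class -> #1
        utf8("java/lang/Object"),               # 3
        b"\x07" + struct.pack(">H", 3),         # 4 Class -> #3
        utf8("sk_live_EXAMPLE_DO_NOT_USE"),     # 5 a hard-coded "secret"
        b"\x08" + struct.pack(">H", 5),         # 6 String -> #5
        utf8("apiKey"),                         # 7 field name
        utf8("Ljava/lang/String;"),             # 8 field descriptor
        b"\x0c" + struct.pack(">HH", 7, 8),     # 9 NameAndType -> #7, #8
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    body = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return header + b"".join(pool) + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_class()
    for key, value in extract_strings(data).items():
        print(f"{key}: {value}")
```

Run it against any real .class (`python inspect_class.py Foo.class`) and you get the same listing that `javap -v` or even `strings` would give: every identifier and every literal sits in the constant pool in the clear. A name obfuscator only renames the identifiers; a literal such as the API key above survives untouched unless it is encrypted or moved out of the artifact entirely.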

2

Yes. And there are drawbacks too, as with everything.

As a security matter, no; it may be slightly harder (but in all cases it is possible to access the source code, it just won't be as readable, yet still extraordinarily easy for those who know how to break protection).

Just to be clear, the supposed protection is minimal; it is not like making a password much harder to break. For those who know how to do it, the way it is "protected" makes no difference: they will lose very few minutes (maybe seconds) on what took you days to build. And it is possible to obfuscate script code in such a way that it is as difficult as other means of "protecting" the source (actually it might be more difficult, because you can do it in a personalized way that makes it a bit harder, since the person would have to learn how you obfuscated it rather than a standardized form).

This technique has a name and can even be used, but it cannot be the only security measure; it is extremely weak. It is important to read this question about protecting source code.

If you are worried about someone stealing your code, of course it is easier with scripts; I mean, everything in JS is like that and, contrary to what people think, it changes nothing important for them (people have illusions about code theft; it will only happen if the code is very good, which is almost never, and will only be done by someone who won't even know how to use it properly). Of course, if it is done badly the fact that everything is closed will help a little; if you do it right it makes no difference.

If the concern is that you have passwords, tokens or other data that cannot be disclosed, the problem is already there: you cannot have that information in your code. Yes, a lot of people do it because they don't care about security, but it is wrong.

If the scripting language is used to write scripts, none of that matters, because it is something that doesn't produce anything that relevant or has nothing secret. If it is used to build applications, there is so much wrong with that that this is the least of the problems.

Let's differentiate the scripting languages. See the question Using client validation is sufficient?. It's not just about validation: everything that runs in a browser cannot be trusted, even if it has no JS code. Actually, even if it can only be accessed externally and has no HTML. So if you put some information in JS that can be leveraged to do something wrong, you already have something extremely insecure. The same goes, just to quote an example, if you have an ERP on someone's desktop full of .py code. Having PHP code may not be such a big problem. If someone breaks in or legitimately accesses your server, it will be a problem if they want to get information there, but without that entry there is no big problem. Of course it is one more exposure.

In terms of privacy I think it has no advantage, nor do I know whether you used that word properly (it may be that you used it because you put passwords in the code, but that is not about privacy; it seems an unrelated subject). And the other terms used don't seem to have anything to do with it.

Maintenance is not affected, although some people may find it easier to do tricks in open scripting languages (there are scripting languages which are or can be packaged into some container, and then there is this so-called "protection"). Then you decide whether being able to do quick hacks directly in production helps or hurts maintenance. I have a very clear position, but some people may find that a minimal productivity gain from not having to compile is important (in general the person ignores how much had to be thought out, tested and put through a good evaluation, which took much more time, and that this gain from not needing to compile is minimal; it only creates the perception that it was faster).

Having it all in one container, especially if it can be run by the OS directly, makes your application more reliable (not safer); after all, it does not have a lot of files that can be lost or manipulated accidentally. There are other advantages that this type of language usually has, but it seems that is not the focus of the question.

  • Would the container be a Wildfly? Or a .exe generated by the C compiler? How would it be more reliable and able to be executed directly by the OS compared to the other case?

  • Anything, but I was thinking more of an executable. It is more reliable because it is one thing, not several parts that can be lost.

  • Isn't the fact that you can accidentally manipulate code a strong argument that a scripting language is hard to track? For example, having the assurance that what is actually in production is version x?

  • I have no idea what you are talking about without details.
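The comment threads under both answers circle the same question: what guarantees that "version x" is what is actually running in production? Neither a .class nor a .php does, as the first answer says; what does is an integrity manifest produced at release time and checked against the deployed tree. The following is an added example (mine, not from either answer or the question) that builds a SHA-256 manifest of a deploy directory, signs it with an HMAC key that would be kept off the server, and then reports modified, missing and unexpected files after a constructed in-place edit. The directory layout, file contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large artifacts (.jar, .exe) are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON, so the manifest itself cannot be quietly edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_deploy(root: Path, manifest: dict) -> dict:
    """Compare what is on disk now with what the manifest says was deployed."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: release, sign, then someone edits files on the server."""
    key = b"constructed-demo-key-keep-this-off-the-server"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "index.php").write_text("<?php echo 'version 1';\n")
        (root / "app" / "Billing.class").write_bytes(b"\xca\xfe\xba\xbe" + b"\x00" * 16)

        manifest = build_manifest(root)           # produced at release time
        signature = sign_manifest(manifest, key)  # stored next to the manifest
        clean = verify_deploy(root, manifest)

        # Someone with server access edits a script in place and drops a new file.
        (root / "app" / "index.php").write_text("<?php echo 'version 1'; // edited on the box\n")
        (root / "app" / "extra.php").write_text("<?php /* not part of the release */\n")
        tampered = verify_deploy(root, manifest)

        # Rewriting the manifest to match the new tree does not help without the key.
        forged = {**manifest, "app/extra.php": hash_file(root / "app" / "extra.php")}

        return {
            "clean": clean,
            "tampered": tampered,
            "original_authentic": manifest_is_authentic(manifest, signature, key),
            "forged_authentic": manifest_is_authentic(forged, signature, key),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is language-neutral: a .class that has been swapped shows up exactly like an edited .php, which is the point the first answer's comment thread makes. The signing key has to live outside the deploy host (a CI system, a release signer) or an attacker who can edit index.php can regenerate the manifest as well; a content-addressed artifact repository or a signed package format plays the same role in a real pipeline.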
