I’d suggest choosing a mature language with a large number of utilities/libraries available - Java, Python, Rust spring to mind but the graphical shit is really what you’d want to lean hard on a library is. I don’t know enough to say for certain but it sounds like most of your work will be defining objects and how they interact… off the shelf solutions can’t really help with that.

It’s very possible to say positive things about AI around here - you just have some really big gaps in knowledge when it comes to how generative AI functions.

I think you may have speeded to a conclusion.

merges WordPress into the apt repository for grep

watches the world burn

Is this related to highly sensitive PII (like hippa or whatever covers local health-care record treatment)? If so, I’d strongly suggest not doing anything and seeking a remedy from contractual obligations by the vendor (i.e. seek HIPPA Ready software or a vendor willing to make that promise).

If not, you’ll definitely want to focus on data persistence and transmission.

Make sure there aren’t outgoing network calls to fixed locations (if they’re for error reporting to the vendor you can either ask if they can disable the reporting, black hole the reporting with network configuration or carefully inspect the way data gets to that reporting and ensure user data can’t be captured - a common oversight being logging function parameters).

Make sure the persistence is secure by looking at the main persistence module (i.e. a database or flat file) to make sure unnecessary information isn’t being stored, verification only information is being written to persistence through one way hashes, and data that should be two-way encrypted is. Then double check the same stuff with regards to secondary persistence methods - again a huge issue here is logging.

Those two points are where I’d suggest focusing the majority of your effort but, back to the hippa part, make sure you’re comfortable doing this. It’s pretty easy for auditors to be the fall guys if something goes wrong so if you want to be careful one approach is to carefully document what you’ve checked for and how you checked for them then get someone above you to sign off that your level of auditing was sufficient - if shit ever does hit the fan you’ll be less exposed.

For what purposes are you auditing this software. Auditing is always done to prove something is appropriate for some usage and what that audit should involve depends on that usage and, additionally, factors of trust between you and the author.

Would you be comfortable supplying some additional information about what you (or whoever asked you to run the audit) expects out of the audit.

Find a computer problem that you want to solve and focus on technologies that will help you solve it. Traditionally python is considered an excellent learning language due to the wide library support and adherence to most common programming styles - is there any romanticized pet project you’ve got on your brain?

I’m pretty sure that even if systemd is in place you can still use /etc/init.d

The ways to register programs to run at startup vary wildly from platform to platform but they’re all relatively simple. I might suggest you just look into how to do it manually before looking for a library since it’s extremely trivial (at least on windows/Linux - I’m not familiar with how macs do it but I hope it’s the same approach as linux).

This was something I loathe in SQL and it’s something to rightfully call out in other standards.

Look, I get it, the standard writers want to get paid - host conferences, get speaking fees… but publish your fucking standards for free.

I’d suggest rewording the mongoDb line to emphasize familiarity with NoSQL and call out mongoDb as a specific technology in the family. Also, if you have actual RDBMS experience please don’t omit that, it’s something we weight a lot more than just mongo/redis/memcached.

For backend development, you mean? It’s essentially required for front end development (granted you can use a language that compiles into Javascript… also is activeX still a thing or have we killed it off).

Vanishingly small. In Qt that’d have to be an issue in QStringList IIRC.

C++ has no guarantees built into stdlib but frameworks like Qt provide safe access - the ecosystem has options. C++ itself is quite a simple language, most of the power comes out of toolsets and frameworks built on top of it.

Now that it has been identified, it should be an easy fix, at least.

Still, it’s important to remember that Rust is still a relatively young ecosystem and flaws like this exist until we get burned by them.

As someone in a rapidly corporatifying company I’d like to reinforce how insanely hyperbolic that statement was. These rules don’t exist for security reasons, they exist for contractual issues - rules will often be arbitrary and decrease effective security by requiring frequent elevation or encouraging weak credentials.

OP, do what you think is going to help you work most effectively - if you’re using your work machine’s tunnel to run torrents over your employer’s VPN or look at nekked ladies then you’ll be sacked if you get found out - if you’re tunneling because your employer is a Microsoft shop and won’t let you install vim then your manager (if they don’t suck) will defend you if you’re discovered.

Even if you get fired for working around the company firewalls it’ll almost certainly be without cause (so EI/severance will apply) and it won’t be career ending - nobody smart cares about this bullshit.

I don’t really do that - I tend to aggressively refactor code. This is, I admit, a privilege of being a highly trusted developer at my company.

I think the classic choice is a ping with a wide enough margin of error to allow for temporary incapacitation. There are a plethora of ways to do this and the main concern would probably be obfuscation of the trigger and a proof of identity. In the modern world the cheap solution I’d suggest is connecting a server with a 2FA app on your phone and having a request string/web page where you can input a token. If the server goes a few days without a correct token it triggers the death script.

I’d avoid anything that actively pings you since that traffic would be predictable and easier to snoop - potentially alerting a bad actor to the fact you have such a system setup… you also, obviously, don’t want to tell anyone you have such a system. And you definitely want some kind of rotating identity proof so that replay attacks can’t indefinitely delay the script trigger - random ass 2FA apps might be too easy to identify in this regard but it’s so trivial and accessible to implement that I think it’s a reasonable choice.

Time to rewrite my video card drivers in PHP.

https://mystery.knightlab.com/

The SQL Murder Mystery, of course!