Hello,
As we know, PSADT is a great tool and helps packagers streamline the deployment process in a more effective way, and we have been using this tool for the last 6 years. Recently I wanted to implement this solution as a process for one of our clients, but their security team has raised a concern that this is a third-party tool and the open-source code can be vulnerable in their environment.
Is there any developer in this forum who can confirm what answer should be given to the security team to make this tool acceptable in their environment?
Hi there,
I think your security team simply has an aversion to open-source.
Nothing from our side is likely to change their minds.
This project is a group effort and we do our best to make its code sound.
If your security team finds an actual vulnerability, the Authors will address it.
I would ask your security team if they use third-party tools and how they justify using them.
In addition, I am pretty sure that a possible vulnerability in an open-source project will be dealt with or fixed much faster than in a closed-code project, especially in an established project like PSADT.
It’s never impossible, of course. Wasn’t there malicious code snuck into openssh a few years back?
Anyway, if they’re that paranoid they could request that all code is digitally signed, otherwise it won’t run, but I doubt they would.
The key is, as long as PSADT and the Deploy-Application.ps1 script are in a location that is read-only to users, it should be fine.
If a malicious actor has already gained elevated rights, PSADT is the least of your troubles.
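As an added example (not code from this thread or from the PSADT project), here is a PowerShell check for the two controls the previous reply relies on: that no low-privilege principal can write to the toolkit folder, and that its scripts, Deploy-Application.ps1 included, carry a valid Authenticode signature (plus the execution policy that would enforce signed-only execution). The toolkit path C:\PSADT is an assumed placeholder.

```powershell
# Added example, not code from the thread or the PSADT project.
# Audits a PSADT folder for the two controls discussed above:
#   1. no low-privilege principal holds write-class rights on the toolkit files
#   2. every PowerShell file (Deploy-Application.ps1 included) has a valid Authenticode signature
param(
    [string]$ToolkitPath = 'C:\PSADT'   # assumption/placeholder: adjust to your real toolkit location
)

# Principals that stand for "users" in the sense of the post.
$lowPrivIdentities = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow tampering with the toolkit. Generic bits are added because some
# inherited ACEs carry GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000) instead of specific rights.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# 1. ACL check over the folder itself and everything beneath it.
$aclFindings = foreach ($item in @(Get-Item -LiteralPath $ToolkitPath) + @(Get-ChildItem -LiteralPath $ToolkitPath -Recurse -Force)) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# 2. Signature check: anything not 'Valid' (NotSigned, HashMismatch, UnknownError, ...) is reported.
$sigFindings = Get-ChildItem -Path $ToolkitPath -Recurse -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status, StatusMessage

# 3. Execution policy: AllSigned is what "digitally signed, otherwise it won't run" means in practice.
$policy = Get-ExecutionPolicy -List

if ($aclFindings) { Write-Warning 'Toolkit is writable by low-privilege principals:'; $aclFindings | Format-Table -AutoSize }
else              { Write-Host 'OK: no low-privilege write access to the toolkit folder.' }

if ($sigFindings) { Write-Warning 'Scripts without a valid Authenticode signature:'; $sigFindings | Format-Table -AutoSize }
else              { Write-Host 'OK: all PowerShell files carry a valid signature.' }

Write-Host 'Execution policy by scope (AllSigned enforces signed-only execution):'
$policy | Format-Table -AutoSize
```

Run it from an elevated prompt on a machine that sees the toolkit location; any ACL finding means a standard user could alter what runs with elevated rights during deployment.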