Veracode, Fortify or Similar Scan

Hi,


Can you provide any information regarding the security assessments done for the Aspose.Words product for Java? If not, am I able to get a debug version of the binary to run it against Veracode? Knowing the potential security issues associated with Aspose is a prerequisite for my company to use the product.

Thanks!

Hi Julian,


Thanks for your inquiry.

Aspose products are very secure. Aspose components run in the same user context as any regular application. Therefore, Aspose components do not pose a potential risk to vital system resources. Furthermore, when a document is opened by an Aspose component, macros are not automatically run. Aspose components were built with the goal of allowing developers to create, manipulate and save Office files. None of the risks associated with the Microsoft Office package are inherent to Aspose components. Please read more details here:
http://www.aspose.com/docs/display/wordsjava/Why+not+Automation
http://www.aspose.com/docs/display/wordsjava/Product+Overview

Please download the latest version of Aspose.Words for Java 13.7.0 from here:
http://www.aspose.com/community/files/72/java-components/aspose.words-for-java/entry487067.aspx

Conceptually this makes sense, but what about at a code level? Have you run the software through a static or dynamic analysis tool? This would certify that the lines of code that make up Aspose.Words do not have vulnerabilities.

Hi Julian,


Thanks for your inquiry.

oakridge: "Have you run the software through a static or dynamic analysis tool?"

Please note that Aspose components have been thoroughly tested. Unfortunately, we have no benchmarks publicly available for performance/memory tests yet. Please let us know if you face any issue while using Aspose.Words.

Hi Julian,

We do have a documented coding standard which includes best/proper practices and patterns including for security issues. We have a peer code review process and we use automated tools to monitor code quality/adherence to the standard.

But we do not yet run specific security analyzers on Aspose.Words.

I think that Aspose.Words code is not adding any security risk into your system. Consider that Aspose.Words does not perform SQL operations or HTML or web operations, and does not have any passwords inside. All Aspose.Words does is open a file or stream you specify, read it and allow you to access the data.