If you rely only on security through obscurity (e.g. attackers not having the source code), you're gonna have a bad time. And even if your source code is not available, you can make a good guess about their dependencies. Find a vulnerability there and chances are your software is also vulnerable.
It’s good enough to find one known function from libc in the program's memory to mount the attack. Moreover, there are automated methods to leak pointers to functions, etc., without having access to the binary itself.
Hi, security professional here! A lot of the time, we don't need it.
The "open source movement" has proven reasonably effective over the past few decades.
LLMs are very good at reverse engineering binaries. You just have to convince them you're doing defensive security, not offensive, so they comply.
And state actor LLMs probably don't need convincing.
Most software in the world has little novelty. You don't really need the source code.