We are now considering using REALM for a serious project. We work for a huge corporation which is full of processes, so we cannot just use some open-source project.
When going through the process of requesting permission to use REALM, our security department replied that they need to see the security study:
- results of the security code review (both automated and manual)
- results of the penetration testing (when the database is encrypted, which is one of our main goals)
- list of known vulnerabilities brought by the use of the REALM library (I only found this https://github.com/realm/realm-java/issues/4553 and unfortunately, the replies there are quite discouraging)
I was digging around and failed to find anything like that.
I do realise that this is an open source project and that the simplest answer from the community around it will be: "it is open source, you can do anything with it yourself".
On the other hand, it seems that this project is quite serious so there could be something which I missed (OpenSSL is also open source and there is a lot of security around).
Could you please point me to it?
Otherwise, it can easily be a show-stopper for a serious project, regardless of how good the library is from a functional perspective (and no, no one is going to do the study for us in the company; the budget for it exceeds writing our own special-purpose storage (in case we decide NOT to use REALM)).