Tags: c#, .net, dll, fortify

Fortify and DLLs


Currently we use Fortify to scan our main project for any security violations. With our most recent scans we are not picking up any new violations, but my question pertains to the .dlls in my project. My .dlls are typically made up of web services. To feed my curiosity I ran a scan on one of these web service .dlls and found there are 100+ critical/high security violations in one project.

Now, do I need to address these security violations in my .dlls? Aside from good security practices, would this in any way affect my main project? So if there were "Privacy Violations" in my .dll, would that security violation be exposed in any way in my main program?


Solution

  • Yes, you need to evaluate the violations in any code you write, regardless of the form it takes (dll or exe). If you write an exe whose only job is to call code that lives in a DLL, then the more important violations to look at are those in the DLL's code.
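To make the answer concrete, here is an added illustration (not code from the original post or from the asker's project) of why a finding inside a DLL is reachable from the exe that calls it. A hypothetical web-service library exposes a customer lookup; the exe's own source never writes anything sensitive, yet calling the library's unsafe method still sends the caller's SSN to a log, which is the kind of data flow Fortify reports as a "Privacy Violation". The hardened method beside it validates the input and logs only a masked token. All names (CustomerLib, CustomerService, AuditLog, MainApp.Program) and the sample SSN are constructed for the example.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration, not from the original post.
// The DLL ("CustomerLib") performs the sensitive logging; the exe ("MainApp")
// only calls into it. All names and the sample SSN below are hypothetical.

namespace CustomerLib
{
    public static class AuditLog
    {
        // Stand-in for a real logging sink (file, event log, etc.);
        // writes to stdout so the demo is self-contained.
        public static void Write(string message) =>
            Console.WriteLine("[audit] " + message);
    }

    public static class CustomerService
    {
        // UNSAFE form: the caller's SSN is written verbatim to the log sink.
        // This is a private-data-to-log flow; the finding lives in the DLL,
        // but every exe that calls LookupUnsafe exercises it.
        public static string LookupUnsafe(string ssn)
        {
            AuditLog.Write("Lookup requested for SSN " + ssn);
            return FindCustomer(ssn);
        }

        // HARDENED form: reject malformed input up front and log only a
        // masked token, so the log never holds the full identifier.
        public static string LookupSafe(string ssn)
        {
            if (ssn == null || !Regex.IsMatch(ssn, @"^\d{3}-\d{2}-\d{4}$"))
                throw new ArgumentException("SSN must be in the form NNN-NN-NNNN");

            AuditLog.Write("Lookup requested for SSN " + Mask(ssn));
            return FindCustomer(ssn);
        }

        // Keep the last four digits and blank out the rest.
        public static string Mask(string ssn) =>
            "XXX-XX-" + ssn.Substring(ssn.Length - 4);

        // Constructed stand-in for the real data access layer.
        private static string FindCustomer(string ssn) =>
            ssn == "123-45-6789" ? "Alice Example" : "<unknown>";
    }
}

namespace MainApp
{
    // The "main project": an exe whose own source contains no logging of
    // sensitive data. Scanning only this project's source would show
    // nothing, yet running it routes the full SSN into the DLL's log sink.
    public static class Program
    {
        public static void Main()
        {
            const string ssn = "123-45-6789"; // constructed sample input

            // Exercises the DLL's unsafe path: the audit line carries the SSN.
            Console.WriteLine(CustomerLib.CustomerService.LookupUnsafe(ssn));

            // Exercises the hardened path: the audit line carries only the mask.
            Console.WriteLine(CustomerLib.CustomerService.LookupSafe(ssn));
        }
    }
}
```

Two practical consequences follow from this. First, the exe is the thing that is deployed and exposed, so whatever the DLL does with the data it is handed is exposed through the exe, whether or not the exe's own source mentions it. Second, a static scan can only follow a data flow through code it has translated: if the DLL's source is part of the same Fortify build as the exe, the cross-assembly flow from the exe's input to the DLL's log sink can be tracked as one finding; if the exe's scan sees only the compiled DLL, the sink inside it is invisible to that scan, which is one plausible reason the main-project scan stays clean while the DLL scan lights up. Either way, the DLL findings are the ones to triage.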