The issue with security was a concern of ours for all of three seconds. The benefits far outweigh the risk by an exponential factor.
Typical digital security will block or severely limit 99% of the issues they are worrying about. For those aspects Dynamo is no less secure than the rest of the stuff you use. The small remaining portion of issues are exploits so rooted deep in the system that no one would waste them by leaking them to the world via Dynamo. Be it for fun or profit, they will be exponentially more successful in getting the malicious code into the system via other means.
Note that the package manager website (https://dynamopackages.com) shows fewer than half a million downloads so far. That's a great number that many of the people reading this post should take a TON of pride in, by the way. Thanks for all you guys do. Someday I hope I can be 1/10 as helpful to the community as the publishers have been to me. Thanks.
By contrast, a well-placed and distributed bit of code that works with something like the Heartbleed exploit (Heartbleed - Wikipedia) can hit that many systems in a nanosecond. Interesting to note that Autodesk software you likely use was impacted by this, but the fix wasn't out for 23 days. How did the bosses handle that? Most of the industry didn't care and continued with business as usual. Keep in mind similar exploits and malicious code could be hidden in manufacturer PDFs and DWGs, RevitCity families, or even a web ad placed through Google. The only way to be 100% safe is to never bring any outside data into your office.
Is it possible that malicious code could be snuck into your systems via Dynamo? Yes. It's also possible for a disgruntled employee to write a .bat file that turns your Exchange server into a brick. Fortunately, neither is very likely, and I won't be losing any sleep over them. It's far more likely (bordering on certain) that malicious code has already snuck into your system via the numerous other items you use daily, or that you have a far larger exploit ready for someone to crack open. We just don't know about it yet.
Don't let the fear of 'what if' deny the firm the benefits the rest of us are seeing. Instead, take the opportunity to review your company security protocols (i.e. no user should have complete system access) to limit exposure. I recommend using an external vendor for this who can help you look at things with fresh eyes. You will be safer long term against the very unlikely Dynamo attack (or bat-file-wielding employee) and the absolute certainty of a large distribution attack.