Forum OpenACS Q&A: OpenACS ISECOM Security Testing

Hi Frank, I might be able to help, *but* some changes to the Core require a TIP before they can be submitted so even having write permissions to the CVS does not help. Why would you need this anyway (for the security audit). You could always post the patch to the bugtracker.

What do you mean by "support"? As for the certification, we always keep a stable and a development branch. Though certification for each stable branch would be awesome, I think it might be too costly in the end.

In any case, this is a very good initiative and will be a major selling argument, so thanks a lot for taking this on.

Might be of some use:

http://www.giac.org/practical/GCUX/Mark_Riedesel_GCUX.pdf

Not too much openacs / aolserver specific however.

I've always questioned the validity of such testing.

What guarantee does €10.000 for their testing bring?  Lets say they analyze it and miss a bug -- do they refund the fee?  What is their liability for security issues?  Is there a listing somewhere of other software that they have certified?  Google shows very few links to their site.  My first impression is that not many people have paid the fee to become certified.  Is he licensed in New York?  Does he hold valid business insurance?  Have you done the due diligence on his certifications before sending any money?  What is ISECOM's expertise in TCL?  Will they have onhand experts to determine security problems?

Secondly, is a company claiming an industry wide certification program that has broken links and domains that don't exist one that people will trust?  I click on their Forums link, and get redirected to a site in Canada which doesn't resolve.  I guess if I registered that domain name and set up a forum base, and asked people to reregister with their info, I could get their passwords from the partner area since people rarely use different passwords for different sites -- seems like a rather large security hole.  However, it does appear to be registered to someone else alongside the organization, but, it sure raises questions.

Will flying a 'certified' banner on your site make your new clients less vigilent because it is certified secure?  A client's site is only as secure as you make it.  Its a battle we fight every day -- trading security for client ease-of-use.  In another thread there is an issue with included html code and cross site scripting.  By no means a new issue, but, a pretty important one.  When a client asks you to do something that goes against the recommendations of your certification, that invalidates the protection that you have offered, and releases ISECOM's liability, right?  Will the change order document you have them sign stand up to your lawyer and insurance company lawyer's scrutiny?

I think what you are doing is good for the community, but, OpenACS has a development environment and is a moving target. I have a feeling you'll either have to fork OpenACS and maintain a secure-stable branch, or recertify each time there is an upgrade.  After the recommendations are made, will the report be made public so that a best-practices document might be written for new packages that are written and perhaps an internal audit of modules not in the core?  You might ask some of the existing developers on the project whether that money could be put to better use.  Honestly, I don't feel that someone not intimately involved with the code will be able to see potential security issues.  For instance, will ISECOM see the potential security problem in a categorized revision item in the content repository?  Is 120 hours enough time for them to get up to speed with CR so that they can determine whether there are security issues at hand?  I only choose 120 hours based on the USD rate that they are charging ($100 USD/hr estimate).

Personally, I did not get a warm feeling surfing their site and wouldn't put a lot of trust behind that certification.  Secondly, I would think a professional organization with a parent company of Ideahamster will certainly have the Fortune 500 CEOs scratching their head before signing that check.  I can see the conversation now:

Its certified by who?  Ideahamster, you know, the guys that run Hacker High School.

Secondly, I would love to get a contract with GIAC.  If I could bill a client two hours for disabling root access in ssh on two machines and keep a straight face, I would be rich.

I think your motives are good and I applaud your efforts.  As an outsider looking at the community I appreciate what you are trying to do.  Before you write that check, do a little due dilligence on that company.

One of the things I've been evaluating is the ecommerce module -- aside from security issues, it doesn't pass Visa's CISP requirements.  So, even if ISECOM said there were no issues regarding security in the ecommerce modules, Visa would still levy a fine of $50k if someone did manage to find a bug and get to the data.  My E&O insurance would be liable in the event of a breach.  Making this comment just invalidated their liability.  A client certainly wouldn't expect to have to pay that fine if they are paying someone else to manage their server.

My position is that the money could probably be better spent educating the developers on security issues than paying for a certification of questionable value.  In the long run, EUR 10k would pay for a few technical writers to write best-practice documents and perhaps an external review of the code with some lintian analysis to find potential issues.

I could be wrong.

telnet isecom.org 80
Trying 216.92.116.13...
Connected to isecom.org.
Escape character is '^]'.
GET /forum/ HTTP/1.0
Host: isecom.org

HTTP/1.1 200 OK
Date: Tue, 01 Jun 2004 15:07:41 GMT
Server: Apache/1.3.29
Connection: close
Content-Type: text/html

<html>

<head>
<meta HTTP-EQUIV="Refresh" CONTENT="1; URL=http://www.isecom.ca/forum">

<title>Institute for Security and Open Methodologies/title>
</head>

<body>

</body>
</html>

Hi,

Perhaps I can answer some of the outstanding questions because I think confusion started when Frank didn't explain the whole situation.

Ideahamster was the original name of the open source documentation group who wrote a few methodologies on secure programming and security testing.  In December 2003 we bacame an official non-profit in both New York and Spain.  We did this because the name "ideahamster" was not well received by official types.

I'm not sure where you find our website to be less than adequate as many OS websites have broken links occassionally since we have no manpower to maintain it as often as corporate ones.  We lost our Canadian mirror hosting the forum to a faulty motherboard but other than that, we still own the domain name and can still control where it points so I don't see how anyone else could set it up and misdirect people.  I suppose this could be done by anyone to anyone who controls a a DNS server used by a large number of people, like an ISP, but then it wouldn't actually be that widespread.

About the proposed certification-- about 1 year ago we were asked to create a methodology for which one can measure the deltas of software in their environment.  This is not the same as securing software through code.  This does mean measuring the security of software and all 3rd party components needed to run in certain environments as well as the installation (default) configuratons.  We did this.  The worth of such a test is dependent on the size and scope of the softwares with associate environment.  Our first contact to make the methodology put the price at $10,000US.  As I ran into Frank at the university, I explained this to him and our discussion lead to the proposal-- we would certify his solution in return that he works with us to refine the process into a service we may offer in the future on a regular basis.  However, we would only be the accrediting authority and not the testers.  This requires that the process be sound which is what we want from Frank's support.

Frank's certification requires us to examine the installation of OpenACS as well as other components of his solution.  We did ask Frank to verify the software code himself and we have helped already one of his project people on the methodology of testing source code.  While verifying source code improves the product's security, it is not required for a delta certification.  It's in his (and everyone's) best interest that the solution is secure.

As for Visa's CISP and CISA, they are part of our generic methodology (www.osstmm.org) and our delta methodology therefore it would be verified for compliancy.  In this case, we ascertain if even there were to be a bug, the solution would fail securely and proper loss controls would assure no ensitive data is surrendered.

I hope this helps.

Sincerely,
-pete.