Forum OpenACS Q&A: Re: OpenACS ISECOM Security Testing

Posted by Malte Sussdorff on
Hi Frank, I might be able to help, *but* some changes to the Core require a TIP before they can be submitted so even having write permissions to the CVS does not help. Why would you need this anyway (for the security audit). You could always post the patch to the bugtracker.

What do you mean by "support"? As for the certification, we always keep a stable and a development branch. Though certification for each stable branch would be awesome, I think it might be too costly in the end.

In any case, this is a very good initiative and will be a major selling argument, so thanks a lot for taking this on.

Posted by Frank Bergmann on
<blockquote> What do you mean by "support"?
</blockquote>

I don't know myself yet, because we haven't started yet to dig into the code. The first phase will be to identify a list of possible types of vulnerabilities, such as:

- "$" instead of ":" variables in SQL
- incomplete ad_page_contracts
- Admin pages without a check that the user is admin or P/O pages without appropriate permissions
- pages where commands are passed as a variable(?!)
- ...

I know the ACS 3.4 code pretty well, but I'm lacking in-depth knowledge of many 5.x areas, so we would need help there to think of vulnerability types.

<blockquote> we always keep a stable and a development branch.
</blockquote>
The costs for a certification are some €10.000. That's definitely too much for any stable branch, so the lifetime of the certified branch should be a year or even several years. Is that possible? What consequences would that have?

Bests,
Frank
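As an added illustration of the first three audit checks Frank lists (this is not code from the thread or from OpenACS): a small Python scanner that runs over two constructed OpenACS-style Tcl pages, one vulnerable and one hardened, and flags a Tcl `$var` interpolated into a `db_*` query instead of a `:var` bind variable, a page with no `ad_page_contract`, and an admin page with no permission check. The two page bodies and the page names are constructed for the example; the OpenACS procs they use (`ad_page_contract`, `permission::require_permission`, `db_dml`, `ns_queryget`) are real, but the scanner's regexes are a deliberate simplification (no nested braces in the SQL, no `[...]` command substitution) rather than a Tcl parser.

```python
import re

# Constructed sample page (not OpenACS code): the vulnerable pattern.
# The request parameter is read raw and substituted by Tcl into the SQL
# text before the database driver sees it.
VULNERABLE_PAGE = r'''
# admin/delete-user.tcl (constructed example)
set user_id [ns_queryget user_id]
db_dml delete_user "delete from users where user_id = $user_id"
'''

# Constructed sample page (not OpenACS code): the hardened form.
# ad_page_contract validates the type, the permission check gates the page,
# and :user_id is a bind variable resolved by the db API, not by Tcl.
HARDENED_PAGE = r'''
# admin/delete-user.tcl (constructed example)
ad_page_contract {
    Deletes a user. Admin only.
} {
    user_id:integer,notnull
}
permission::require_permission -object_id [ad_conn package_id] -privilege admin
db_dml delete_user {delete from users where user_id = :user_id}
'''

# db_<cmd> <statement-name> {sql} or db_<cmd> <statement-name> "sql".
# Simplification: the brace form assumes no nested braces inside the SQL.
DB_CALL = re.compile(r'\bdb_\w+\s+\S+\s+(?:\{([^{}]*)\}|"([^"]*)")', re.S)
# A Tcl variable reference: $name or ${name}.
TCL_VAR = re.compile(r'\$\{?\w+\}?')
# Permission-checking procs a practitioner would expect on an admin page
# (list is an assumption; extend it for a real audit).
PERM_CHECK = re.compile(
    r'permission::require_permission|ad_require_permission'
    r'|permission::permission_p|ad_permission_p'
)


def find_interpolated_sql(source):
    """Return [(sql, [vars])] for db_* queries containing Tcl $variables.

    A $var inside a query is never a bind variable; in a double-quoted
    query Tcl substitutes its value into the SQL text, which is the
    '$ instead of :' injection pattern.
    """
    findings = []
    for m in DB_CALL.finditer(source):
        sql = m.group(1) if m.group(1) is not None else m.group(2)
        names = TCL_VAR.findall(sql)
        if names:
            findings.append((sql.strip(), names))
    return findings


def check_page(source, is_admin_page):
    """Run the three checks over one page's source; return a list of issues."""
    issues = []
    if 'ad_page_contract' not in source:
        issues.append('no ad_page_contract: request parameters are unvalidated')
    if is_admin_page and not PERM_CHECK.search(source):
        issues.append('admin page without a permission check')
    for sql, names in find_interpolated_sql(source):
        issues.append(f'Tcl variable(s) {names} interpolated into SQL: {sql}')
    return issues


if __name__ == '__main__':
    for label, page in (('vulnerable', VULNERABLE_PAGE), ('hardened', HARDENED_PAGE)):
        print(f'{label}:')
        for issue in check_page(page, is_admin_page=True) or ['no findings']:
            print('  -', issue)
```

The scanner is meant as a first-pass triage tool of the kind a code audit starts with: every hit still needs a human to confirm that the `$var` is attacker-controlled and that the page is really reachable without the permission check.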