Forum OpenACS Q&A: Re: OpenACS ISECOM Security Testing

Posted by Frank Bergmann on
<blockquote> What do you mean by "support"?
</blockquote>

I don't know myself yet, because we haven't started digging into the code yet. The first phase will be to identify a list of possible types of vulnerabilities, such as:

- "$" instead of ":" variables in SQL
- incomplete ad_page_contracts
- Admin pages without a check that the user is admin or P/O pages without appropriate permissions
- pages where commands are passed as a variable(?!)
- ...

I know the ACS 3.4 code pretty well, but I'm lacking in-depth knowledge of many 5.x areas, so we would need help there to think of vulnerability types.

<blockquote> we always keep a stable and a development branch.
</blockquote>
The costs for a certification are some €10.000. That's definitely too much for any stable branch, so the lifetime of the certified branch should be a year or even several years. Is that possible? What consequences would that have?

Bests,
Frank
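The post above sketches the first phase of the audit as a list of vulnerability classes to look for in OpenACS pages. As an added example (not code from the post, from OpenACS or from ISECOM), here is a small heuristic source scanner in Python that turns four of those classes into checks: `$var` substituted into a double-quoted SQL string passed to a `db_*` call instead of a `:bind` variable, an `ad_page_contract` whose `_id` parameters carry no integer filter, a page under `/admin/` with no visible permission check, and an `exec` whose command line is built from a variable. The three sample `.tcl` pages are constructed for the example, the paths and procedure names in them are made up, and the set of procedures accepted as a permission check (`permission::require_permission`, `ad_require_permission`) is an assumption to be extended for a real audit.

```python
"""Heuristic source audit for the OpenACS vulnerability classes listed in the
post. Added example, not OpenACS code; the sample pages below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    detail: str


# db_* call whose SQL is a double-quoted string: Tcl substitutes $vars into it
# before the database sees it. Braced {...} SQL is not substituted, so :bind
# variables inside braces are the safe form. Handles db_foreach/db_dml style
# (one name before the SQL) and db_multirow style (two names).
DB_CALL_DQ = re.compile(r'\bdb_\w+\s+(?:\S+\s+){1,2}"(?P<sql>[^"]*)"')
TCL_VAR = re.compile(r'\$\{?\w+\}?')
# "commands passed as a variable": exec with a substituted argument.
EXEC_WITH_VAR = re.compile(r'\bexec\b[^\n]*\$')
# Procedures accepted as a permission check (assumed list; extend for a real audit).
PERMISSION_CHECK = re.compile(r'\b(?:permission::require_permission|ad_require_permission)\b')


def line_of(text, pos):
    return text.count('\n', 0, pos) + 1


def brace_groups(text, start, n):
    """Return the next n balanced {...} groups of text after index start."""
    groups, i = [], start
    while len(groups) < n:
        i = text.index('{', i)
        depth, j = 0, i
        while True:
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            if depth == 0:
                break
            j += 1
        groups.append(text[i + 1:j])
        i = j + 1
    return groups


def contract_params(text):
    """(line, [(name, [filters])]) for the page's ad_page_contract, or None."""
    m = re.search(r'\bad_page_contract\b', text)
    if not m:
        return None
    params = []
    for raw in brace_groups(text, m.end(), 2)[1].splitlines():
        raw = raw.strip()
        if not raw or raw.startswith('#'):
            continue
        # "{name default}" form: drop the brace and the default value.
        name, _, filters = raw.lstrip('{').split()[0].partition(':')
        params.append((name, filters.split(',') if filters else []))
    return line_of(text, m.start()), params


def audit(pages):
    """Run all checks over {path: tcl_source}; returns Findings sorted by location."""
    findings = []
    for path, text in pages.items():
        for m in DB_CALL_DQ.finditer(text):
            subst = TCL_VAR.findall(m.group('sql'))
            if subst:
                findings.append(Finding(path, line_of(text, m.start()), 'tcl_var_in_sql',
                                        f"{' '.join(subst)} substituted into SQL; use :bind variables"))
        for m in EXEC_WITH_VAR.finditer(text):
            findings.append(Finding(path, line_of(text, m.start()), 'exec_with_var',
                                    'command line built from a Tcl variable'))
        contract = contract_params(text)
        if contract is None:
            findings.append(Finding(path, 1, 'missing_page_contract', 'no ad_page_contract'))
        else:
            cline, params = contract
            for name, filters in params:
                if name.endswith('_id') and not {'integer', 'naturalnum'} & set(filters):
                    findings.append(Finding(path, cline, 'unfiltered_id_param',
                                            f'{name} has no integer filter'))
        if '/admin/' in path and not PERMISSION_CHECK.search(text):
            findings.append(Finding(path, 1, 'admin_page_without_permission_check',
                                    'no require_permission call in an admin page'))
    return sorted(findings, key=lambda f: (f.path, f.line, f.kind))


# Constructed sample pages in the style of OpenACS .tcl pages (not real code).
SAMPLE_PAGES = {
    "packages/demo/www/view.tcl": """\
ad_page_contract { Shows one item. } {
    item_id:integer,notnull
}
permission::require_permission -object_id $item_id -privilege read
set title [db_string get_title {select title from demo_items where item_id = :item_id}]
""",
    "packages/demo/www/admin/delete.tcl": """\
ad_page_contract { Deletes an item. } {
    item_id
    {return_url "index"}
}
db_dml delete_item "delete from demo_items where item_id = $item_id"
ad_returnredirect $return_url
""",
    "packages/demo/www/export.tcl": """\
ad_page_contract { Exports an item through an external converter. } {
    item_id:integer,notnull
    format
}
permission::require_permission -object_id $item_id -privilege read
set output [exec /usr/local/bin/convert-$format $item_id]
""",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

Run stand-alone it reports nothing for `view.tcl` (braced SQL with a `:bind` variable, typed contract, explicit permission check), three findings for `admin/delete.tcl` and one for `export.tcl`. The checks are deliberately line-oriented and will miss SQL strings that span lines or permission checks done in an included library, so the output is a worklist for a human reviewer, not a verdict.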