OpenID Security

Nat Sakimura sakimura at gmail.com
Fri Feb 6 06:10:16 UTC 2009


Actually, we have previously tested Fortify. As you have stated, it is
not possible to use it without a professional service. It is merely a
tool to assist the security analyst.

=nat

On Fri, Feb 6, 2009 at 5:48 AM, Darren Bounds <dbounds at gmail.com> wrote:
> I do not believe OWASP presently does any active vulnerability
> analysis. Rather they provide definition around best practices and
> reference material around web application security as well as a small
> set of open source vulnerability analysis and penetration testing
> tools.
>
> With regard to the Fortify link you sent previously; in my experience
> thus far, I have not found a single automated vulnerability analysis
> tool that's worth the price tag or the effort involved in tuning it.
> More often than not they find nothing more than low hanging fruit and
> false positives. Even worse, they often miss more than they catch,
> resulting in a large number of false negatives. Subsequently any
> 'certification' an automated tool can provide should be taken with a
> grain of salt.
>
> IMO, if a formal security assessment is desirable, it would be much
> more fruitful to engage a reputable 3rd party to perform one manually.
>
>
> Darren
>
> On Thu, Feb 5, 2009 at 3:08 PM, McGovern, James F (HTSC, IT)
> <James.McGovern at thehartford.com> wrote:
>> If your implementation is 100% open source, then you don't have to worry
>> about licensing as OWASP (http://www.owasp.org) will scan at no cost...
>>
>> Date: Fri, 6 Feb 2009 01:34:33 +0900
>> From: Nat Sakimura <sakimura at gmail.com>
>> Subject: Re: OpenID Security
>> To: "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>
>> Cc: specs at openid.net
>>
>> Yeah. Fortify is nice. I do not know what would be the licensing terms
>> now, but before, it used to have a "traveling" kind of license that
>> allowed consultants to do the evaluation for the projects of their
>> customers. It might be worthwhile for somebody like OIDF to buy a
>> license and run a certification program out of it. Of course, having
>> secure profile, which we do not have yet, is a prerequisite though.
>>
>> =nat
>>
>> On Wed, Feb 4, 2009 at 11:48 PM, McGovern, James F (HTSC, IT)
>> <James.McGovern at thehartford.com> wrote:
>>> OpenID certainly has security features but are all the libraries out
>>> there written to secure coding practices? Wouldn't it be great if all
>>> the library creators could have their code reviewed for security
>>> defects? Check out http://owasp.fortify.com/
>>> ************************************************************
>>> This communication, including attachments, is for the exclusive use of
>>> addressee and may contain proprietary, confidential and/or privileged
>>> information.  If you are not the intended recipient, any use, copying,
>>> disclosure, dissemination or distribution is strictly prohibited.  If
>>> you are not the intended recipient, please notify the sender immediately
>>> by return e-mail, delete this communication and destroy all copies.
>>> ************************************************************
>>>
>>> _______________________________________________
>>> specs mailing list
>>> specs at openid.net
>>> http://openid.net/mailman/listinfo/specs
>>>
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>>
>>
>
>
>
> --
>
> Thank you,
> Darren Bounds



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
