I don't think these issues differ much from applications in any other domain; hence the existence of OWASP etc. to try and educate developers about common flaws in web applications and how to avoid creating them.
What sort of disclosure method are you following (if any) for vulnerabilities that you have found? For Evergreen, our university consortium hired a security consultant to pen test the version of Evergreen we had installed at the time, and we followed Evergreen's disclosure process to address the relatively minor exposures that turned up. Of course, lots of new code has been written since then, so there are opportunities for new vulnerabilities to come into being.
Dan
>>> Erin Germ <[log in to unmask]> 3/5/2012 11:11 AM >>>
I've been investigating several library software solutions and I have some serious concerns - ability to access restricted content/pages, ability to inject content into pages, ability to perform CSRFs, etc... Those examples and others I've not shared raise concern for me. I'm coming from three different perspectives: protection of user and system/solution stored data, the ability to use the system/solution to exploit the organization, and the ability to use the system/solution to infect user devices.
Is there a focus group within C4L that discusses and investigates such matters? I've been doing investigations and research on my own, and I would be interested in working with others.
V/R
Erin