[Esapi-user] [Esapi-dev] [Owasp-leaders] Crypto attack and OWASP

Chris Schmidt chrisisbeef at gmail.com
Sun May 2 17:15:35 EDT 2010


I think this also may partially be a result of not having a well
defined and documented process for reporting vulnerabilities in the
code. Did we ever get anywhere with setting up a mailing list or group
for security notifications?

Sent from my iPwn

On May 2, 2010, at 2:55 PM, "Jeff Williams" <jeff.williams at owasp.org> wrote:

> IMHO this is just one more sign of a healthy security ecosystem.  
> There will always be folks who think it's 37337 to release an  
> unknown exploit regardless of the harm it causes. But complaining  
> about it won't help.  No matter what, we need to have a measured  
> response capability ready. It's entirely possible that this is an  
> esoteric risk that doesn't really expose any real applications,  
> however it could also be critical. At this point we don't know. I'm  
> looking forward to evaluating the alleged flaw, whatever it might be.
>
> --Jeff
>
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Sunday, May 02, 2010 1:30 PM
> To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
> Subject: Re: [Owasp-leaders] Crypto attack and OWASP
>
> We deprecated 1.4 encryption and are seeking bids for professional
> cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI
> to GA (general availability). I have stated on several occasions that
> no one should be using ESAPI for cryptographic storage in production
> apps - yet.
>
> However, I do have issue with the irresponsible nature of this
> disclosure:
>
>> We leave the finding of these bugs as an exercise for readers
>
> And I know that members of OWASP would NEVER pull a stunt like this to
> any vendor. Our ethics put community and open way above glory-seeking,
> correct?
>
> Jim Manico
>
> On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org> wrote:
>
>> Nam,
>>
>> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>>
>> "5.3.2 OWASP ESAPI
>>
>> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
>> Toolkits, is a project that claims to “help software developers guard
>> against security-related design and implementation flaws.” However, we
>> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
>> vulnerable to Padding Oracle attacks [21]. There were some significant
>> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while
>> these changes are heading towards the correct direction, i.e. signing
>> the ciphertext or using an authenticated encryption mode, but at the
>> time of this writing, there are still some bugs in the latest
>> implementation [23] that make applications using ESAPI for Java still
>> vulnerable to Padding Oracle attacks."
>>
>> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn>
>> wrote:
>>> Quote: We show that even OWASP folks can't get it right, how can an
>>> average Joe survive this new class of vulnerabilities?
>>>
>>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>>>
>>> Anyone going to BH-EU?
>>
>> --
>> Regards,
>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
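The paper excerpt quoted above names the fix direction: sign the ciphertext or use an authenticated encryption mode. As an added example (not ESAPI's code and not the paper's), here is that pattern in Go: AES-CBC with a random IV under encrypt-then-MAC, where an HMAC-SHA256 tag over iv||ciphertext is checked in constant time before anything is decrypted, and every failure (bad length, bad tag, bad padding) returns the one same error, so a caller's error handling cannot become a padding oracle. It assumes the caller builds `block` with aes.NewCipher from its own key; key and message values in the accompanying checks are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// A single error for every failure mode: a caller cannot tell "bad MAC" from "bad padding".
var ErrInvalid = errors.New("ciphertext rejected")

// Seal: AES-CBC with a random IV and PKCS#7 padding, then HMAC-SHA256 over iv||ciphertext.
func Seal(block cipher.Block, macKey, plaintext []byte) []byte {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize]) // IV; crypto/rand.Read never returns an error since Go 1.24
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out) // iv || ciphertext || tag
}

// Open verifies the tag in constant time BEFORE decrypting; padding is only
// inspected on bytes the MAC has already proven genuine, so there is no oracle.
func Open(block cipher.Block, macKey, blob []byte) ([]byte, error) {
	tagStart := len(blob) - sha256.Size
	if tagStart < 2*aes.BlockSize || tagStart%aes.BlockSize != 0 {
		return nil, ErrInvalid
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob[:tagStart])
	if !hmac.Equal(mac.Sum(nil), blob[tagStart:]) {
		return nil, ErrInvalid
	}
	pt := make([]byte, tagStart-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:tagStart])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrInvalid
	}
	return pt[:len(pt)-pad], nil
}
```

Any bit flip in the IV or ciphertext is rejected by the tag check, so the padding branch never runs on attacker-controlled data; an authenticated mode such as AES-GCM gives the same property with less code to get wrong.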

