[Owasp-leaders] [Esapi-user] [Esapi-dev] Crypto attack and OWASP

Jim Manico jim.manico at owasp.org
Sun May 2 17:40:51 EDT 2010


It's my opinion that OWASP needs an organization-wide security
notification email list but I was turned down. And that's ok. So for
now we can email the esapi-dev and the esapi-users list with any
notification.

Jim Manico

On May 2, 2010, at 2:15 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

> I think this also may partially be a result of not having a well
> defined and documented process for reporting vulnerabilities in the
> code. Did we ever get anywhere with setting up a mailing list or group
> for security notifications?
>
> Sent from my iPwn
>
> On May 2, 2010, at 2:55 PM, "Jeff Williams" <jeff.williams at owasp.org>
> wrote:
>
>> IMHO this is just one more sign of a healthy security ecosystem.
>> There will always be folks who think it's 37337 to release an
>> unknown exploit regardless of the harm it causes. But complaining
>> about it won't help.  No matter what, we need to have a measured
>> response capability ready. It's entirely possible that this is an
>> esoteric risk that doesn't really expose any real applications,
>> however it could also be critical. At this point we don't know. I'm
>> looking forward to evaluating the alleged flaw, whatever it might be.
>>
>> --Jeff
>>
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>> bounces at lists.owasp.org] On Behalf Of Jim Manico
>> Sent: Sunday, May 02, 2010 1:30 PM
>> To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
>> Subject: Re: [Owasp-leaders] Crypto attack and OWASP
>>
>> We deprecated 1.4 encryption and are seeking bids for professional
>> cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI
>> to GA (general availability). I have stated on several occasions that
>> no one should be using ESAPI for cryptographic storage in production
>> apps - yet.
>>
>> However, I do have issue with the irresponsible nature of this
>> disclosure:
>>
>>> We leave the finding of these bugs as an exercise for readers
>>
>> And I know that members of OWASP would NEVER pull a stunt like this to
>> any vendor. Our ethics put community and open way above glory-seeking,
>> correct?
>>
>> Jim Manico
>>
>> On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org>
>> wrote:
>>
>>> Nam,
>>>
>>> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>>>
>>> "5.3.2 OWASP ESAPI
>>>
>>> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
>>> Toolkits, is a project that claims to “help software developers guard
>>> against security-related design and implementation flaws.” However, we
>>> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
>>> vulnerable to Padding Oracle attacks [21]. There were some significant
>>> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while
>>> these changes are heading in the correct direction, i.e. signing
>>> the ciphertext or using an authenticated encryption mode, at the
>>> time of this writing there are still some bugs in the latest
>>> implementation [23] that make applications using ESAPI for Java still
>>> vulnerable to Padding Oracle attacks."
>>>
>>> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn>
>>> wrote:
>>>> Quote: We show that even OWASP folks can't get it right, how can an
>>>> average Joe survive this new class of vulnerabilities?
>>>>
>>>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>>>>
>>>> Anyone going to BH-EU?
>>>
>>> --
>>> Regards,
>>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>>> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
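The whitepaper excerpt quoted above names the fix direction as signing the ciphertext or using an authenticated encryption mode. As an added example that is not part of this thread and not ESAPI's own code, here is encrypt-then-MAC in Go: the HMAC tag is checked in constant time before any CBC decryption, and every failure maps to one opaque error, so the padding check is never reachable for modified data. The `iv || ct || tag` layout, the `Seal`/`Open` names and the choice of Go rather than ESAPI's Java are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// A single opaque error for every failure: the caller must not be able to tell a
// bad tag from bad padding, since that distinction is the signal a padding oracle needs.
var ErrInvalid = errors.New("ciphertext rejected")

// Seal returns iv || AES-CBC(pkcs7(pt)) || HMAC-SHA256(iv || ct), i.e. encrypt-then-MAC
// (this layout is the example's own assumption, not ESAPI's format).
func Seal(block cipher.Block, macKey, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: always add 1..16 bytes
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize]) // fresh random IV; crypto/rand.Read never fails since Go 1.24
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out)
}

// Open checks the tag in constant time and stops before any CBC decryption, so a
// modified ciphertext never reaches the padding check that an oracle would observe.
func Open(block cipher.Block, macKey, sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size // length of iv || ct
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, ErrInvalid
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(sealed[:n])
	if !hmac.Equal(mac.Sum(nil), sealed[n:]) {
		return nil, ErrInvalid // rejected with no decryption and no padding inspection
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sealed[:aes.BlockSize]).CryptBlocks(pt, sealed[aes.BlockSize:n])
	p := int(pt[len(pt)-1])
	if p < 1 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, ErrInvalid // only reachable with a valid tag, i.e. for data we produced
	}
	return pt[:len(pt)-p], nil
}
```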