[Owasp-leaders] [Esapi-user] [Esapi-dev] Crypto attack and OWASP

Jeff Williams jeff.williams at owasp.org
Mon May 3 11:11:26 EDT 2010


I think it's a good idea too.  Just because it didn't happen  
immediately doesn't mean it's dead.

--Jeff

Jeff Williams
Aspect Security
work: 410-707-1487
main: 301-604-4882



On May 3, 2010, at 7:35 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Humm, Jim I was actually under the impression we were trying to set
> up an OWASP-wide security notification system.
>
> Who turned you down?
>
> Dinis Cruz
>
>
> On 2 May 2010 22:40, Jim Manico <jim.manico at owasp.org> wrote:
> It's my opinion that OWASP needs an organization-wide security
> notification email list but I was turned down. And that's OK. So for
> now we can email the esapi-dev and the esapi-users list with any
> notification.
>
> Jim Manico
>
> On May 2, 2010, at 2:15 PM, Chris Schmidt <chrisisbeef at gmail.com>  
> wrote:
>
> > I think this also may partially be a result of not having a well
> > defined and documented process for reporting vulnerabilities in the
> > code. Did we ever get anywhere with setting up a mailing list or
> > group for security notifications?
> >
> > Sent from my iPwn
> >
> > On May 2, 2010, at 2:55 PM, "Jeff Williams" <jeff.williams at owasp.org>
> > wrote:
> >
> >> IMHO this is just one more sign of a healthy security ecosystem.
> >> There will always be folks who think it's 37337 to release an
> >> unknown exploit regardless of the harm it causes. But complaining
> >> about it won't help.  No matter what, we need to have a measured
> >> response capability ready. It's entirely possible that this is an
> >> esoteric risk that doesn't really expose any real applications,
> >> however it could also be critical. At this point we don't know. I'm
> >> looking forward to evaluating the alleged flaw, whatever it might be.
> >>
> >> --Jeff
> >>
> >>
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> >> bounces at lists.owasp.org] On Behalf Of Jim Manico
> >> Sent: Sunday, May 02, 2010 1:30 PM
> >> To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
> >> Subject: Re: [Owasp-leaders] Crypto attack and OWASP
> >>
> >> We deprecated 1.4 encryption and are seeking bids for professional
> >> cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI
> >> to GA (general availability). I have stated on several occasions that
> >> no one should be using ESAPI for cryptographic storage in production
> >> apps - yet.
> >>
> >> However, I do have issue with the irresponsible nature of this
> >> disclosure:
> >>
> >>> We leave the finding of these bugs as an exercise for readers
> >>
> >> And I know that members of OWASP would NEVER pull a stunt like this
> >> to any vendor. Our ethics put community and open way above
> >> glory-seeking, correct?
> >>
> >> Jim Manico
> >>
> >> On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org>
> >> wrote:
> >>
> >>> Nam,
> >>>
> >>> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
> >>>
> >>> "5.3.2 OWASP ESAPI
> >>>
> >>> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
> >>> Toolkits, is a project that claims to “help software developers guard
> >>> against security-related design and implementation flaws.” However, we
> >>> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
> >>> vulnerable to Padding Oracle attacks [21]. There were some significant
> >>> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while
> >>> these changes are heading towards the correct direction, i.e. signing
> >>> the ciphertext or using an authenticated encryption mode, at the time
> >>> of this writing, there are still some bugs in the latest
> >>> implementation [23] that make applications using ESAPI for Java still
> >>> vulnerable to Padding Oracle attacks."
> >>>
> >>> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn>
> >>> wrote:
> >>>> Quote: We show that even OWASP folks can't get it right, how can an
> >>>> average Joe survive this new class of vulnerabilities?
> >>>>
> >>>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
> >>>>
> >>>> Anyone going to BH-EU?
> >>>
> >>> --
> >>> Regards,
> >>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> >>> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >> _______________________________________________
> >> Esapi-dev mailing list
> >> Esapi-dev at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/esapi-dev
> > _______________________________________________
> > Esapi-user mailing list
> > Esapi-user at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/esapi-user
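Not from this thread and not ESAPI's own code: an added Java illustration of the distinction the quoted whitepaper draws between bare CBC-with-padding decryption (where the receiver's behaviour on bad padding is observable) and signing the ciphertext, i.e. encrypt-then-MAC with the tag verified before anything is decrypted. It uses only the JDK's javax.crypto; the class and method names (EtmDemo, cbcEncrypt, etmEncrypt, etmDecrypt, hmac) are invented for the example and the keys and sample message are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo, not ESAPI code. All names here are invented for this example.
public class EtmDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HMAC-SHA256 output size

    // "Before": bare AES/CBC with PKCS#5 padding. Output layout: IV || ciphertext.
    static byte[] cbcEncrypt(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // The receiver's behaviour (BadPaddingException versus any other outcome) tells a sender
    // of a modified ciphertext whether its padding was valid. That distinguishable behaviour
    // is the padding oracle.
    static byte[] cbcDecrypt(byte[] key, byte[] ivAndCt) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(Arrays.copyOfRange(ivAndCt, 0, IV_LEN)));
        return c.doFinal(Arrays.copyOfRange(ivAndCt, IV_LEN, ivAndCt.length));
    }

    // "After": encrypt-then-MAC. Output layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext).
    static byte[] etmEncrypt(byte[] encKey, byte[] macKey, byte[] plaintext)
            throws GeneralSecurityException {
        byte[] ivAndCt = cbcEncrypt(encKey, plaintext);
        byte[] tag = hmac(macKey, ivAndCt);
        return ByteBuffer.allocate(ivAndCt.length + TAG_LEN).put(ivAndCt).put(tag).array();
    }

    // The tag is checked in constant time before the cipher is touched, so a tampered
    // message is rejected without the padding ever being examined: one uniform failure.
    static byte[] etmDecrypt(byte[] encKey, byte[] macKey, byte[] msg)
            throws GeneralSecurityException {
        if (msg.length < IV_LEN + TAG_LEN) {
            throw new GeneralSecurityException("authentication failed");
        }
        byte[] ivAndCt = Arrays.copyOfRange(msg, 0, msg.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(msg, msg.length - TAG_LEN, msg.length);
        if (!MessageDigest.isEqual(hmac(macKey, ivAndCt), tag)) {
            throw new GeneralSecurityException("authentication failed");
        }
        return cbcDecrypt(encKey, ivAndCt);
    }

    private static byte[] hmac(byte[] macKey, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] encKey = new byte[16];   // constructed demo keys
        byte[] macKey = new byte[32];
        RNG.nextBytes(encKey);
        RNG.nextBytes(macKey);
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Corrupt the last ciphertext byte of a bare-CBC message: the exception type reveals
        // whether the (now garbled) last block still ended in valid padding.
        byte[] raw = cbcEncrypt(encKey, plaintext);
        raw[raw.length - 1] ^= 0x01;
        try {
            cbcDecrypt(encKey, raw);
            System.out.println("bare CBC: decrypted, padding happened to be valid");
        } catch (BadPaddingException e) {
            System.out.println("bare CBC: BadPaddingException -> padding validity leaked");
        }

        // Same corruption on an encrypt-then-MAC message: rejected at the tag check.
        byte[] sealed = etmEncrypt(encKey, macKey, plaintext);
        sealed[sealed.length - TAG_LEN - 1] ^= 0x01;
        try {
            etmDecrypt(encKey, macKey, sealed);
        } catch (GeneralSecurityException e) {
            System.out.println("encrypt-then-MAC: " + e.getMessage());
        }

        // Untampered round trip still works.
        byte[] back = etmDecrypt(encKey, macKey, etmEncrypt(encKey, macKey, plaintext));
        System.out.println("round trip ok: " + Arrays.equals(back, plaintext));
    }
}
```

The two design points the example is built around: the MAC covers the IV as well as the ciphertext (otherwise the first plaintext block is still malleable), and the tag comparison uses MessageDigest.isEqual rather than Arrays.equals so that the comparison itself does not become a timing oracle. An AEAD mode such as AES/GCM gives the same guarantee in one primitive, which is the "authenticated encryption mode" alternative the whitepaper mentions.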