[Owasp-leaders] [Esapi-user] [Esapi-dev] Crypto attack and OWASP

Jim Manico jim.manico at owasp.org
Mon May 3 11:32:37 EDT 2010


I (happily) stand corrected. So perhaps security-notifications at owasp.org as a moderated list?

Jim Manico

On May 3, 2010, at 8:11 AM, Jeff Williams <jeff.williams at owasp.org> wrote:

> I think it's a good idea too. Just because it didn't happen immediately doesn't mean it's dead.
>
> --Jeff
>
> Jeff Williams
> Aspect Security
> work: 410-707-1487
> main: 301-604-4882
>
>
>
> On May 3, 2010, at 7:35 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Humm, Jim I was actually under the impression we were trying to set up an OWASP wide security notification system.
>>
>> Who turned you down?
>>
>> Dinis Cruz
>>
>>
>> On 2 May 2010 22:40, Jim Manico <jim.manico at owasp.org> wrote:
>> It's my opinion that OWASP needs an organization-wide security notification email list but I was turned down. And that's ok. So for now we can email the esapi-dev and the esapi-users list with any notification.
>>
>> Jim Manico
>>
>> On May 2, 2010, at 2:15 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>>
>> > I think this also may partially be a result of not having a well defined and documented process for reporting vulnerabilities in the code. Did we ever get anywhere with setting up a mailing list or group for security notifications?
>> >
>> > Sent from my iPwn
>> >
>> > On May 2, 2010, at 2:55 PM, "Jeff Williams" <jeff.williams at owasp.org> wrote:
>> >
>> >> IMHO this is just one more sign of a healthy security ecosystem. There will always be folks who think it's 37337 to release an unknown exploit regardless of the harm it causes. But complaining about it won't help. No matter what, we need to have a measured response capability ready. It's entirely possible that this is an esoteric risk that doesn't really expose any real applications, however it could also be critical. At this point we don't know. I'm looking forward to evaluating the alleged flaw, whatever it might be.
>> >>
>> >> --Jeff
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
>> >> Sent: Sunday, May 02, 2010 1:30 PM
>> >> To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
>> >> Subject: Re: [Owasp-leaders] Crypto attack and OWASP
>> >>
>> >> We deprecated 1.4 encryption and are seeking bids for professional cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI to GA (general availability). I have stated on several occasions that no one should be using ESAPI for cryptographic storage in production apps - yet.
>> >>
>> >> However, I do have issue with the irresponsible nature of this
>> >> disclosure:
>> >>
>> >>> We leave the finding of these bugs as an exercise for readers
>> >>
>> >> And I know that members of OWASP would NEVER pull a stunt like this to any vendor. Our ethics put community and open way above glory-seeking, correct?
>> >>
>> >> Jim Manico
>> >>
>> >> On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org> wrote:
>> >>
>> >>> Nam,
>> >>>
>> >>> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>> >>>
>> >>> "5.3.2 OWASP ESAPI
>> >>>
>> >>> OWASP ESAPI [20], which stands for OWASP Enterprise Security API Toolkits, is a project that claims to “help software developers guard against security-related design and implementation flaws.” However, we found that all OWASP ESAPI for Java up to version 2.0 RC2 are vulnerable to Padding Oracle attacks [21]. There were some significant changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while these changes are heading towards the correct direction, i.e. signing the ciphertext or using an authenticated encryption mode, at the time of this writing there are still some bugs in the latest implementation [23] that make applications using ESAPI for Java still vulnerable to Padding Oracle attacks."
>> >>>
>> >>> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>> >>>> Quote: We show that even OWASP folks can't get it right, how can an average Joe survive this new class of vulnerabilities?
>> >>>>
>> >>>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>> >>>>
>> >>>> Anyone going to BH-EU?
>> >>>
>> >>> --
>> >>> Regards,
>> >>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>> >>> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >> _______________________________________________
>> >> Esapi-dev mailing list
>> >> Esapi-dev at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/esapi-dev
>> > _______________________________________________
>> > Esapi-user mailing list
>> > Esapi-user at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/esapi-user