[Owasp-leaders] [Esapi-user] [Esapi-dev] Crypto attack and OWASP

Michael Coates michael.coates at owasp.org
Mon May 3 11:47:15 EDT 2010

This event raises a really important issue for consideration - how will 
security issues in ESAPI be handled?  Despite our best efforts there 
will be security issues that pop up from time to time. One thing that 
may hold organizations back from adopting ESAPI is a documented 
understanding of how OWASP/ESAPI will handle security bugs in ESAPI. 
Mainly, we need to document how security bugs should be reported to 
OWASP, how OWASP will triage the issue, how the issue and risk will be 
communicated to the ESAPI user community, how the issue will be fixed 
and whether post mortem details will be published.

But to Jeff's point, there are always those who will publicly disclose 
an issue before contacting the vendor/software owner.  However, this 
isn't that bad. The worst would be a private disclosure to a 
maliciously focused group.  (Granted private disclosure to the software 
owner before public disclosure is the preferred approach).

Michael Coates

On 5/2/10 2:40 PM, Jim Manico wrote:
> It's my opinion that OWASP needs an organization-wide security
> notification email list but I was turned down. And that's ok. So for
> now we can email the esapi-dev and the esapi-users list with any
> notification.
> Jim Manico
> On May 2, 2010, at 2:15 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>> I think this also may partially be a result of not having a well
>> defined and documented process for reporting vulnerabilities in the
>> code. Did we ever get anywhere with setting up a mailing list or group
>> for security notifications?
>> Sent from my iPwn
>> On May 2, 2010, at 2:55 PM, "Jeff Williams" <jeff.williams at owasp.org> wrote:
>>> IMHO this is just one more sign of a healthy security ecosystem.
>>> There will always be folks who think it's 37337 to release an
>>> unknown exploit regardless of the harm it causes. But complaining
>>> about it won't help.  No matter what, we need to have a measured
>>> response capability ready. It's entirely possible that this is an
>>> esoteric risk that doesn't really expose any real applications,
>>> however it could also be critical. At this point we don't know. I'm
>>> looking forward to evaluating the alleged flaw, whatever it might be.
>>> --Jeff
>>> -----Original Message-----
>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>>> bounces at lists.owasp.org] On Behalf Of Jim Manico
>>> Sent: Sunday, May 02, 2010 1:30 PM
>>> To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
>>> Subject: Re: [Owasp-leaders] Crypto attack and OWASP
>>> We deprecated 1.4 encryption and are seeking bids for professional
>>> cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI
>>> to GA (general availability). I have stated on several occasions that
>>> no one should be using ESAPI for cryptographic storage in production
>>> apps - yet.
>>> However, I do have issue with the irresponsible nature of this
>>> disclosure:
>>>> We leave the finding of these bugs as an exercise for readers
>>> And I know that members of OWASP would NEVER pull a stunt like this to
>>> any vendor. Our ethics put community and open way above glory-seeking,
>>> correct?
>>> Jim Manico
>>> On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org> wrote:
>>>> Nam,
>>>> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>>>> "5.3.2 OWASP ESAPI
>>>> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
>>>> Toolkits, is a project that claims to "help software developers guard
>>>> against security-related design and implementation flaws." However, we
>>>> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
>>>> vulnerable to Padding Oracle attacks [21]. There were some significant
>>>> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately,
>>>> while these changes are heading towards the correct direction, i.e.
>>>> signing the ciphertext or using an authenticated encryption mode, at the
>>>> time of this writing, there are still some bugs in the latest
>>>> implementation [23] that make applications using ESAPI for Java still
>>>> vulnerable to Padding Oracle attacks."
>>>> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>>>>> Quote: We show that even OWASP folks can't get it right, how can an
>>>>> average Joe survive this new class of vulnerabilities?
>>>>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>>>>> Anyone going to BH-EU?
>>>> --
>>>> Regards,
>>>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>>>> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> _______________________________________________
>>> Esapi-dev mailing list
>>> Esapi-dev at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
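The Duong/Rizzo excerpt quoted in the thread names the attack class (a padding oracle against CBC mode) and the direction of the fix (signing the ciphertext or using an authenticated encryption mode) without showing either. The following program is an added example for this page; it is not ESAPI's code and not code from anyone in the thread. It is written against Go's standard library so it runs with no dependencies (ESAPI itself is Java). It shows the vulnerable shape, an AES-CBC/PKCS#7 decryptor whose distinct "bad padding" error is the oracle; a byte-at-a-time routine that recovers the plaintext using only that yes/no answer, including the check that rules out a chance 0x02 0x02 match on the last byte; and an encrypt-then-MAC wrapper (HMAC-SHA256 over IV and ciphertext, verified before any decryption) after which the same routine learns nothing. The keys, the function names (EncryptCBC, DecryptCBC, PaddingOracle, RecoverPlaintext, EncryptThenMAC, DecryptThenMAC, MACOracle) and any plaintext fed to it are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed demo keys for this example only; real code derives and protects keys properly.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210")
const bs = aes.BlockSize

// EncryptCBC returns iv||ct with PKCS#7 padding and no integrity protection (the vulnerable shape).
func EncryptCBC(pt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	iv := make([]byte, bs)
	rand.Read(iv) // fresh random IV per message
	n := bs - len(pt)%bs // PKCS#7: n bytes of value n, 1..16
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...)
}

// DecryptCBC reports a padding failure distinctly from success; that distinction is the oracle.
func DecryptCBC(msg []byte) ([]byte, error) {
	if len(msg) < 2*bs || len(msg)%bs != 0 {
		return nil, errors.New("bad length")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(msg)-bs)
	cipher.NewCBCDecrypter(block, msg[:bs]).CryptBlocks(pt, msg[bs:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// PaddingOracle models a server whose response reveals whether the padding was valid.
func PaddingOracle(msg []byte) bool { _, err := DecryptCBC(msg); return err == nil }

// RecoverPlaintext decrypts iv||ct without the key using only the oracle: for each byte, last to
// first, a preceding-block value that makes the padding valid reveals D_K(block)[i], and XOR with
// the real preceding block gives the plaintext. Returns false if the oracle never says "valid".
func RecoverPlaintext(msg []byte, oracle func([]byte) bool) ([]byte, bool) {
	var out []byte
	for off := bs; off < len(msg); off += bs {
		prev, target := msg[off-bs:off], msg[off:off+bs]
		try := func(iv []byte) bool { return oracle(append(append([]byte{}, iv...), target...)) }
		inter := make([]byte, bs) // D_K(target), learned byte by byte
		for i := bs - 1; i >= 0; i-- {
			padVal := byte(bs - i)
			forged := make([]byte, bs)
			for j := i + 1; j < bs; j++ {
				forged[j] = inter[j] ^ padVal // bytes after i will decrypt to padVal
			}
			found := false
			for g := 0; g < 256 && !found; g++ {
				forged[i] = byte(g)
				ok := try(forged)
				if ok && i == bs-1 { // exclude a chance 0x02 0x02 (etc.) match by disturbing byte i-1
					forged[i-1] ^= 0xff
					ok = try(forged)
					forged[i-1] ^= 0xff
				}
				if ok {
					inter[i], found = byte(g)^padVal, true
				}
			}
			if !found {
				return nil, false
			}
		}
		for k := 0; k < bs; k++ {
			out = append(out, inter[k]^prev[k])
		}
	}
	return out, true
}

func tag(ct []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(ct); return m.Sum(nil) }
// EncryptThenMAC is the fix: HMAC-SHA256 over iv||ct, checked before any decryption or unpadding.
func EncryptThenMAC(pt []byte) []byte { msg := EncryptCBC(pt); return append(msg, tag(msg)...) }

func DecryptThenMAC(msg []byte) ([]byte, error) {
	n := len(msg) - sha256.Size
	if n < 0 || !hmac.Equal(tag(msg[:n]), msg[n:]) {
		return nil, errors.New("authentication failed") // one uniform error for any tampering
	}
	return DecryptCBC(msg[:n])
}

// MACOracle is what the attacker sees after the fix: forged blocks are rejected before padding is examined.
func MACOracle(msg []byte) bool { _, err := DecryptThenMAC(msg); return err == nil }
```

Against PaddingOracle, RecoverPlaintext needs at most 256 queries per byte (plus one confirmation query per block for the last byte) and returns the full padded plaintext, padding block included, without ever holding the key. Against MACOracle every forged query fails the HMAC check before the padding is examined, so no byte is learned and the routine reports failure. Two details carry the fix: the MAC covers the IV as well as the ciphertext, and the receiver returns one error for a short message, a bad tag or any edit, using hmac.Equal so the comparison is constant-time; an observable difference between "MAC failed" and "padding failed" (including a timing difference) would reopen the oracle.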
