[Owasp-leaders] NuGet and OWASP Top10 2013 A9

Erlend Oftedal Erlend.Oftedal at BEKK.no
Mon Jun 17 18:57:49 UTC 2013


The repo has now been moved to https://github.com/OWASP/SafeNuGet

The most important quality aspect of this project is to keep the feed up to date. This means two things:

  *   Looking through (googling) NuGet package descriptions and web sites for security issues.
  *   Reaching out to maintainers of NuGet packages and asking them to help us by letting us know when vulnerabilities have been discovered and patched in their packages.

Other than that, improving the MSBuild plugin is next on the list. I will migrate the suggested enhancements (under "issues") from the old repo. You can both submit code and suggest improvements there.

I will also talk to Samantha about setting this up as an OWASP project.

Jason and Michael: Welcome aboard

Best regards,
Erlend
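The check the thread is about (an MSBuild-time warning when a project references a NuGet package version listed in a feed of known-insecure packages, OWASP Top 10 2013 A9) comes down to two pieces: reading the package ids and versions out of packages.config, and deciding whether a version falls inside an advisory's affected range. The example below is added here to illustrate that; it is not SafeNuGet's code, and the packages.config, the feed entries, the package ids and the notes are all constructed for the example. The feed format is hypothetical (SafeNuGet's own feed is not reproduced here); affected ranges use NuGet's interval notation, and version ordering follows NuGet's rule that a prerelease (for example 2.0.0-beta1) sorts below the matching release.

```python
"""Check a packages.config against a feed of known-insecure NuGet package versions.
Added example, not SafeNuGet's own code. All package ids, versions and advisory
notes below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample packages.config (not from any real project).
PACKAGES_CONFIG = """<?xml version="1.0"?>
<packages>
  <package id="Example.Web" version="1.2.0" targetFramework="net45" />
  <package id="Example.Json" version="2.0.0-beta1" targetFramework="net45" />
  <package id="Example.Crypto" version="3.1.4" targetFramework="net45" />
  <package id="Example.Logging" version="0.9.9" targetFramework="net45" />
</packages>
"""

# Constructed advisory feed; hypothetical format, ids and issues.
# Ranges use NuGet interval notation: "[1.0,1.3)" is >=1.0 and <1.3,
# "(,2.0.0)" is <2.0.0, "[3.1.4]" is exactly 3.1.4, and a bare "1.0" is >=1.0.
INSECURE_FEED = [
    {"id": "Example.Web", "range": "[1.0,1.3)", "note": "hypothetical XSS in a view helper"},
    {"id": "Example.Json", "range": "(,2.0.0)", "note": "hypothetical unsafe type handling"},
    {"id": "Example.Crypto", "range": "[3.1.4]", "note": "hypothetical weak default cipher"},
    {"id": "Example.Logging", "range": "[1.0,1.1)", "note": "hypothetical log injection"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Parse a NuGet version into a sortable key:
    (numeric parts padded to four, release flag, prerelease identifiers).
    The release flag makes 2.0.0 sort above 2.0.0-beta1; prerelease
    identifiers compare numerically when numeric, otherwise as strings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version: %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    pre = m.group(2)
    if pre is None:
        return (tuple(nums), 1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (tuple(nums), 0, ids)


def parse_range(spec):
    """Turn a NuGet range spec into (low, low_inclusive, high, high_inclusive).
    None on a side means unbounded on that side."""
    spec = spec.strip()
    if spec[0] not in "[(":
        return (parse_version(spec), True, None, False)  # bare version: minimum
    low_inc = spec[0] == "["
    high_inc = spec[-1] == "]"
    body = spec[1:-1]
    if "," not in body:
        v = parse_version(body)  # "[x]" pins exactly x
        return (v, True, v, True)
    lo, hi = (s.strip() for s in body.split(",", 1))
    low = parse_version(lo) if lo else None
    high = parse_version(hi) if hi else None
    return (low, low_inc, high, high_inc)


def in_range(version, spec):
    """True if `version` is inside the NuGet range `spec`."""
    v = parse_version(version)
    low, low_inc, high, high_inc = parse_range(spec)
    if low is not None and (v < low or (v == low and not low_inc)):
        return False
    if high is not None and (v > high or (v == high and not high_inc)):
        return False
    return True


def load_packages(xml_text):
    """Return (id, version) for every <package> element in a packages.config."""
    root = ET.fromstring(xml_text)
    return [(p.get("id"), p.get("version")) for p in root.iter("package")]


def find_insecure(xml_text, feed):
    """Return (id, version, note) for each referenced package whose version
    falls in an advisory range. Ids match case-insensitively, as NuGet ids do."""
    findings = []
    for pkg_id, version in load_packages(xml_text):
        for entry in feed:
            if entry["id"].lower() == pkg_id.lower() and in_range(version, entry["range"]):
                findings.append((pkg_id, version, entry["note"]))
    return findings


if __name__ == "__main__":
    for pkg_id, version, note in find_insecure(PACKAGES_CONFIG, INSECURE_FEED):
        print("WARNING: %s %s is listed as insecure: %s" % (pkg_id, version, note))
```

Run against the constructed input it flags Example.Web 1.2.0, Example.Json 2.0.0-beta1 and Example.Crypto 3.1.4, and leaves Example.Logging 0.9.9 alone because it sits below the affected range. The prerelease handling is the part worth getting right in a real check: an advisory that says "fixed in 2.0.0" must still catch 2.0.0-beta1, and a naive string or float comparison gets that wrong.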


From: Michael Hidalgo <michael.hidalgo at owasp.org>
Date: Monday, 17 June, 2013 17:44
To: Jason Johnson <jason.johnson at owasp.org>
Cc: Erlend Oftedal <erlend.oftedal at bekk.no>, "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9

Hi guys,
That is an interesting approach and I would like to get involved too.



On Mon, Jun 17, 2013 at 8:10 AM, Jason Johnson <jason.johnson at owasp.org> wrote:

Can I please help with this? Are you planning on building a repo? Forgive me for not reading your posts, but this is big. I am willing to help you any way I can if you need server space or anything.

Jason

On Jun 17, 2013 9:37 AM, "Jason Johnson" <jason.johnson at owasp.org> wrote:

I'm interested in this also. I think it's a big deal if we use bad packages.

On Jun 17, 2013 9:30 AM, "Erlend Oftedal" <Erlend.Oftedal at bekk.no> wrote:
Great stuff, Dinis. I'll move it over to the OWASP repo.

Erlend

Sent from my phone
________________________________
From: Dinis Cruz <dinis.cruz at owasp.org>
Sent: 17.06.2013 10:52
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9

Absolutely, this type of NuGet package security mapping is something that is really needed, and I really worry about the lack of security info that is available for NuGet packages.

Btw, we should move https://github.com/eoftedal/SafeNuGet into the OWASP GitHub repo, just like we did for https://github.com/OWASP/WebGoat.NET (I added an issue about it: https://github.com/eoftedal/SafeNuGet/issues/7)

Also, have you seen my posts on NuGet? Namely how I downloaded the entire NuGet database? (which we could use to create the mappings to add to the SafeNuGet database):

  *   Offline copy of the entire NuGet.org gallery. What should I do with these 4.05 GBs of amazing .Net Apps/APIs? http://blog.diniscruz.com/2013/05/offline-copy-of-entire-nugetorg-gallery.html
  *   Consuming NuGet programmatically outside Visual Studio (downloading the list of packages) http://blog.diniscruz.com/2013/05/consuming-nuget-programmatically.html
  *   Retrieving NuGet package programmatically using NuGet.exe classes (not command line) http://blog.diniscruz.com/2013/05/retrieving-nuget-package.html
  *   Saving the entire list of NuGet Packages http://blog.diniscruz.com/2013/05/saving-entire-list-of-nuget-packages.html
  *   Downloading the entire NuGet package database http://blog.diniscruz.com/2013/05/downloading-entire-nuget-package.html

Dinis Cruz


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 17 June 2013 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
Hi

I recently published a tool to warn about the use of insecure NuGet libraries (in the .NET world).
You can find the info at: http://erlend.oftedal.no/blog/?blogid=138

If successful, maybe it could be a new OWASP project.

Best regards
Erlend Oftedal
OWASP Norway Chapter lead

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders







--

Michael Hidalgo.
OWASP Chapter Leader & Researcher

Blog: http://michaelhidalgocr.blogspot.com
