[Owasp-o2-platform] [WARNING : A/V UNSCANNABLE] Re: Focus on MOSS (Sharepoint)

Mark Roxberry mark.roxberry at owasp.org
Wed Jan 6 10:43:06 EST 2010


This is great - I have had a few MOSS engagements and no one has a
comprehensive security plan.  Your approach appears to be at the nuts and
bolts level, which is needed.  I found that security is even worse at the
governance level.  Clients have no idea of what assets they have in
Sharepoint, the value of these assets, data leakage etc.  There are no real
best practices, other than what a consultant like me brings from experience,
which is a real pain in the neck to communicate without pointing to some
authoritative source.

I'm pulling up my notes and see if I can offer anything.

On Mon, Jan 4, 2010 at 7:19 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Now that the IBM contract has ended, I'm starting this January focused on
> MOSS (Sharepoint) which is part of a project that I have been working on for
> a while and that finally I can start publishing my techniques and (some) of
> my findings.
>
> I think that there are a couple guys here (on O2 or DotNet's mailing lists)
> that are either currently involved in a Sharepoint related engagement or
> have done it in the past. For them (and others interested in this topic)
> please lets collaborate on this one and help to create MOSS Security Center
> of Excellency here at OWASP :)
>
> There was a MOSS thread a while back that proposed the creation of an OWASP
> WIKI page to store this research. The link was to
> http://www.owasp.org/index.php/Research_for_Sharepoint but there was no
> content in there (Mark is there another page?) so I've started populating
> this Research_for_Sharepoint<http://www.owasp.org/index.php/Research_for_Sharepoint> page
> with the following topics:
>
>
>    - 1 Resources <#125fa1a5bb301651_Resources>
>       - 1.1 Microsoft resources <#125fa1a5bb301651_Microsoft_resources>
>       - 1.2 Other Resources and Documentation<#125fa1a5bb301651_Other_Resources_and_Documentation>
>       - 1.3 Presentations <#125fa1a5bb301651_Presentations>
>       - 1.4 Other interesting resources<#125fa1a5bb301651_Other_interesting_resources>
>       - 1.5 Other Blogs and Articles<#125fa1a5bb301651_Other_Blogs_and_Articles>
>       - 1.6 Security related technical articles<#125fa1a5bb301651_Security_related_technical_articles>
>    - 2 Published Security issues<#125fa1a5bb301651_Published_Security_issues>
>       - 2.1 SharePoint related vulnerabilities and its status<#125fa1a5bb301651_SharePoint_related_vulnerabilities_and_its_status>
>    - 3 MOSS Security related WebParts, Tools & services<#125fa1a5bb301651_MOSS_Security_related_WebParts.2C_Tools__.26_services>
>       - 3.1 Open Source <#125fa1a5bb301651_Open_Source>
>       - 3.2 Commercially Supported<#125fa1a5bb301651_Commercially_Supported>
>    - 4 Dangerous MOSS APIs <#125fa1a5bb301651_Dangerous_MOSS_APIs>
>    - 5 WebParts Security <#125fa1a5bb301651_WebParts_Security>
>
>
> This is far from complete and I still have quite a lot of research notes I
> want to publish (please add the ones you know). Although all topics are now
> on this page, I expect (as the content grows) this to be split into Multiple
> MOSS related pages.
>
> I also have a number of MOSS O2 related tools and scripts that I will be
> publishing very soon :)
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20100106/ad5d32a5/attachment.html 


More information about the Owasp-o2-platform mailing list