[Owasp-o2-platform] Reaching out to Spring Developers

John Steven jsteven at cigital.com
Tue Jul 12 07:27:20 EDT 2011


Thanks for doing this. I just did an analysis of ORMs and (exclusively) SQL-based access to relational databases with respect to remediation in terms of a few commonly considered factors (ease of remediation, blast radius of change, regression error, re-exploit, etc.) internally, at my company.

I find what this group might expect but what most OWASPers/security folk might be surprised by: Specifically, ORMs:

1) Don't alleviate query-based injection attacks, they shift them 
	(Hibernate is an offender here)
2) ORMs replace query-based injections with forced-browsing / direct object reference attacks at alarming rates
3) ORMs introduce issues with inconsistent, duplicative, or broken authorization

...I've done enough development in large teams to understand resisting the tide of adoption (especially when packages appear to make one's first end-to-end test succeed more quickly) is futile. However, I see ORM packages as a net loss of both security and performance ATM.

I've avoided reaching out to SpringSource folk (and others planned) on this front until I had my ducks in a row... ...and I've almost got the few stragglers into line. 

Perhaps a good "First Step" is to show a positive alternative that safely leverages Spring's ORM functionality w/in ESAPI. I'll work to prepare such a design / prototype for the ESAPI summit in MSP. Pushing the Spring guys based on working ideas will be easier than engaging them in a whiteboard discussion about design IMO.

...now if my org. could only hire 30 consultants needed to conduct the 12 Architecture Analyses I'm tasked with slumming it to lead in the meantime.  -sigh-

John Steven
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204 Cell: 703.727.4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

twitter: @m1splacedsoul
Rss: http://feeds.feedburner.com/M1splacedOnTheWeb
web: http://www.cigital.com
Software Confidence. Achieved.

On Jul 11, 2011, at 10:41 PM, dinis cruz wrote:

> I just posted an entry on the Spring Framework forums http://forum.springsource.org/showthread.php?111901-Security-Vulnerabilities-with-JPetStore-and-visualization-of-the-AutoBinding-Issues which hopefully will get some traction from their side.
> I will reach out to my contacts over there (SpringSource), but if you know somebody at SpringSource (or at a heavy user of Spring MVC) please put them in touch.


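Concrete illustration of points 1 and 2 in the message above, added here as an example; it is not code from the original message, from Hibernate, or from Spring. It assumes Hibernate 5 (javax.persistence annotations, org.hibernate.query.Query) and a caller-supplied Session; the entity PurchaseOrder, its columns and the method names are all invented for the example.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Hypothetical entity, constructed for this example only.
@Entity
@Table(name = "purchase_orders")
class PurchaseOrder {
    @Id
    private Long id;
    private String ownerUsername;
    private String status;

    protected PurchaseOrder() {} // no-arg constructor required by JPA

    public Long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
    public String getStatus() { return status; }
}

public final class OrmPitfalls {

    // Point 1: the injection is shifted, not removed. HQL assembled by
    // concatenation is parsed exactly like SQL assembled by concatenation.
    // With status = "x' or '1'='1" the query becomes
    //   from PurchaseOrder o where o.status = 'x' or '1'='1'
    // and returns every row of the table.
    static List<PurchaseOrder> findByStatusVulnerable(Session session, String status) {
        String hql = "from PurchaseOrder o where o.status = '" + status + "'";
        return session.createQuery(hql, PurchaseOrder.class).getResultList();
    }

    // Hardened form: a named parameter. The value is bound by Hibernate and is
    // never handed to the HQL parser, so quotes in it are just characters.
    static List<PurchaseOrder> findByStatusSafe(Session session, String status) {
        Query<PurchaseOrder> q = session.createQuery(
            "from PurchaseOrder o where o.status = :status", PurchaseOrder.class);
        q.setParameter("status", status);
        return q.getResultList();
    }

    // Point 2: direct object reference. Loading by primary key with a
    // client-supplied id is injection-free, but any authenticated user who
    // increments the id in the URL reads someone else's order.
    static PurchaseOrder loadOrderVulnerable(Session session, long orderId) {
        return session.get(PurchaseOrder.class, orderId);
    }

    // Hardened form: the ownership predicate is part of the query, so an order
    // the caller does not own is indistinguishable from one that does not
    // exist (null in both cases), which also keeps the id space from being
    // enumerated through differing responses.
    static PurchaseOrder loadOrderSafe(Session session, long orderId, String currentUser) {
        Query<PurchaseOrder> q = session.createQuery(
            "from PurchaseOrder o where o.id = :id and o.ownerUsername = :owner",
            PurchaseOrder.class);
        q.setParameter("id", orderId);
        q.setParameter("owner", currentUser);
        return q.uniqueResult();
    }
}
```

Two caveats. HQL injection is narrower than SQL injection (the attacker works with mapped entities and properties, not arbitrary tables), but it still bypasses WHERE predicates, which is usually all that is needed. And checking ownership after the load (if (!o.getOwnerUsername().equals(currentUser)) ...) is also correct, but once that check has to be repeated in every controller that touches an order, the duplicated and inconsistent authorization of point 3 is exactly what tends to follow; keeping the rule in one constrained query, or behind an indirect reference map of the kind ESAPI provides, leaves one place to get it right.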