From myles.hosford at owasp.org Tue Feb 25 11:41:35 2014
From: myles.hosford at owasp.org (Myles Hosford)
Date: Tue, 25 Feb 2014 11:41:35 +0000
Subject: [Owasp_financial_information_exchange_security_project] FIX Protocol Security Datasheets: Defenders & Attackers
Message-ID:

Hi,

We are making a start developing the FIX protocol security datasheets for both defenders and attackers.

The defenders cheat-sheet will be aimed at security architects, FIX / Exchange developers, implementors, network architects. The goal is to highlight security flaws with FIX implementations and give a set of guidelines on what to think about when creating a new FIX engine or solution.

The attackers cheat-sheet will be aimed at penetration testers giving guidance on how to better assess a FIX engine during an application assessment or penetration test.

Hopefully for each point in the defenders cheat-sheet there will be a matching item in the attackers. Open to discussion as to whether both attackers and defenders could be produced under a single FIX security cheat-sheet.

Typical items to be included are:

* Use of transport layer encryption
* Authentication (SenderCompID or use Username & password Tags)
* Authorisation (Do not rely on SenderCompID to know your counter-party)
* Input validation (What to do and what to leave to down-stream applications)
* Business logic flaws specific to FIX (currency manipulation, race conditions, etc)

In addition we are making a start with the Java FIX Fuzzing framework.

Thanks,
Myles Hosford
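The Authentication and Authorisation items above, as an added example that is not part of this post or of the OWASP project's materials: a Python Logon handler in which SenderCompID(49) is only compared against the counterparty already bound to the transport identity (here a hypothetical TLS client-certificate subject) rather than trusted on its own, the Username(553)/Password(554) tags are verified, and the parser rejects malformed fields and bad checksums before any of that. The credential store, counterparty names and tag values are constructed for the example.

```python
import hashlib
import hmac

SOH = "\x01"  # FIX field delimiter

def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed credential store keyed by the identity the transport layer already
# authenticated (a hypothetical TLS client-cert subject): it binds that identity to
# one SenderCompID(49) and the expected Username(553)/Password(554) values.
COUNTERPARTIES = {"CN=bank-a.example": {"comp_id": "BANKA", "user": "banka_fix",
                                        "salt": "s1", "pw": _pw_hash("s1", "correct horse")}}

def parse_fix(raw: str) -> dict:
    """{tag: value} from a SOH-delimited message; rejects malformed fields and a bad CheckSum(10)."""
    fields = {}
    for part in raw.rstrip(SOH).split(SOH):
        tag, _, value = part.partition("=")
        if not tag.isdigit() or not value:
            raise ValueError(f"malformed field {part!r}")
        fields[int(tag)] = value
    covered = raw[: raw.rfind(SOH + "10=") + 1]  # every byte up to the SOH before tag 10
    if fields.get(10) != f"{sum(covered.encode()) % 256:03d}":
        raise ValueError("checksum mismatch")
    return fields

def authorise_logon(raw: str, tls_identity: str) -> tuple:
    """Accept a Logon only if SenderCompID matches the counterparty bound to the
    transport identity and the Username/Password tags verify. Returns (ok, reason)."""
    try:
        msg = parse_fix(raw)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if msg.get(35) != "A":
        return False, "reject: not a Logon"
    cp = COUNTERPARTIES.get(tls_identity)
    if cp is None or msg.get(49) != cp["comp_id"]:
        return False, "reject: SenderCompID not bound to this transport identity"
    if msg.get(553) != cp["user"] or not hmac.compare_digest(
            _pw_hash(cp["salt"], msg.get(554, "")), cp["pw"]):
        return False, "reject: bad credentials"
    return True, f"accept: session bound to {cp['comp_id']}"

def build_logon(sender: str, user: str, password: str) -> str:
    """Constructed FIX.4.4 Logon with a valid BodyLength(9) and CheckSum(10)."""
    body = SOH.join(["35=A", f"49={sender}", "56=EXCH", "34=1", "98=0", "108=30",
                     f"553={user}", f"554={password}"]) + SOH
    head = f"8=FIX.4.4{SOH}9={len(body)}{SOH}"
    return f"{head}{body}10={sum((head + body).encode()) % 256:03d}{SOH}"
```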