[OWASP-Security101] Query regarding vulnerabilities found in Java 7 update 6.

Matthew J Tompkins matthewjtompkins at gmail.com
Sat Sep 22 02:38:49 UTC 2012


Hiya,

My first impression of WebInspect is that it's an app security testing
tool. And you're asking about vulnerabilities that arise from web sites
with malicious Java content.

#1 You are concerned about your web site codebase. Can WebInspect analyse
your codebase to see if your web site contains malicious Java content that
may attack your web site users? You will need to talk to HP people to ask
whether they've updated their software to look for this specific issue.
This does relate to secure code development, OWASP has some great material
on this, take a look at this:
https://code.google.com/p/owasp-development-guide/wiki/Introduction

#2 You are concerned about your own users browsing malicious web sites. If
your organisation has users who have Java-enabled web browsers for web
browsing, could they be attacked by browsing malicious web sites? Very much
so and WebInspect probably won't help a great deal in this situation
because it's somebody else's web site and somebody else's codebase. You
just need to hurry up and roll out Java updates to your users' machines
(this relates to OWASP Top 10 - Security Misconfiguration / out of date
tech) or just disable Java in their web browsers (this relates to reducing
attack surface). Take a look at OWASP for Security Misconfiguration and
reducing attack surface.

But if you're looking for management buy-in (i.e. get money to get things
done) and need a good reason for doing security, then I think you're asking
the wrong question. Check out this article about 'selling' security to your
managers:
http://www.in2security.org.nz/?q=node/152

Hope this helps.
Cheers, Matt


On 21 September 2012 22:51, Sapan Kanungo <sapankanungo at gmail.com> wrote:

> Hi All,
>
> I have few queries about the vulnerabilities found in Java 7 update 6.
>
> CVE-2012-4681
> CVE-2012-1682
> CVE-2012-3136
> CVE-2012-0547
>
> Are these vulnerabilities addressed in OWASP policies?
> As we use WebInspect to scan our application, can we assume that the above
> vulnerabilities are taken care of with the OWASP Top 10 policy?
>
> Regards,
> Sapan
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>
-- 
Relevant advice on the latest threats to PC security and your online
privacy from the Ministry of Paranoia <http://ministryofparanoia.org/> |
Twitter <https://twitter.com/pureparanoia>
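The rollout advice above (push Java updates, or know where Java is still exposed) needs one concrete input: which machines still run the affected build. The following is an added example, not code from the original thread, OWASP or HP: it parses the text that `java -version` prints and sorts hosts into "update", "ok" and "unknown". Java 7 update 6 identifies itself as `1.7.0_06`; the "first fixed" level used as the minimum (`1.7.0_07`) and the host inventory are assumptions for illustration, so take the real fixed level from the vendor advisory for the four CVEs.

```python
import re

# ASSUMPTION for illustration only: the first Java 7 update after 7u6 is used
# as the minimum acceptable level for the 1.7 family. Other release lines
# (Java 6, for instance) need their own advisory lookup, so they are reported
# as "unknown" rather than silently compared against the 1.7 number.
ASSUMED_MINIMUM_BY_FAMILY = {
    (1, 7): (1, 7, 0, 7),
}

_QUOTED = re.compile(r'version "([^"]+)"')
_VERSION = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version_string(text):
    """'1.7.0_06' -> (1, 7, 0, 6). Returns None if the string is not in that form."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, patch, update = m.groups()
    # the update number is printed zero-padded ("_06"); int() normalises it
    return (int(major), int(minor), int(patch), int(update or 0))


def parse_java_version(output):
    """Pull the version tuple out of raw `java -version` output (Oracle or OpenJDK)."""
    m = _QUOTED.search(output)
    return parse_version_string(m.group(1)) if m else None


def classify(output, minimums=ASSUMED_MINIMUM_BY_FAMILY):
    """'update' if below the family's minimum, 'ok' if at or above it, else 'unknown'."""
    ver = parse_java_version(output)
    if ver is None:
        return "unknown"      # no JRE on the path, or output we cannot parse
    family = ver[:2]
    if family not in minimums:
        return "unknown"      # a release line this table says nothing about
    return "update" if ver < minimums[family] else "ok"


def triage(inventory):
    """Map host -> verdict for a dict of host -> captured `java -version` output."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (made-up host names and captured output).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment\n',
    "ws-02": 'java version "1.7.0_07"\n',
    "ws-03": 'openjdk version "1.6.0_35"\n',
    "ws-04": "java: command not found\n",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, verdict)
```

Feed it whatever your desktop management tool can collect (the stderr of `java -version` from each host), and treat "unknown" as a queue for a human rather than as "safe": a machine where the command is missing may still have a browser plugin installed from a different path.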