Wednesday, 23 May 2012

Secure in 2010? Broken in 2011!


In 2010, a security research firm stumbled on a couple of vulnerabilities in Apache OFBiz, a widely used open source enterprise automation software project. As a proof of concept, it posted a video showing how easy it was to become an administrator by exploiting one of the XSS issues in the application. To remain credible, the OFBiz team was forced to invest in security. While digging into its bug database, the OFBiz team also gathered security knowledge from different sources to make its product better, and made a big push to resolve the known issues in early 2010. Barely a year later, the exact same code base that was thought to be secure is again seriously broken. This scenario actually occurs quite frequently, for several reasons.

We begin this presentation by examining the new security enhancements that had been put in place by OFBiz. We will use new critical OFBiz vulnerabilities throughout the presentation to demonstrate how applications can be severely broken shortly after they were thought to be secure. We demonstrate how new categories of vulnerabilities discovered in 2011, together with new detection capabilities, are uncovering previously undetected weaknesses in applications. Continued testing with tools that incorporate the latest security knowledge is highly recommended for every corporation.