My company has to have an outside firm Pen test all Web-Service 
applications.  So I am spinning up two internal services and both are going 
to be tested around November before they go into Prod from Non-Prod.  I'm 
starting talks with the InfoSec team to see if I can share the findings of 
the test.

On Thursday, October 8, 2015 at 12:13:33 PM UTC-7, Richard wrote:
>
> :)
>
> Nice to hear that!
>
> Richard
>
> On Thu, Oct 8, 2015 at 2:59 PM, Niphlod <nip...@gmail.com> wrote:
>
>> not really.
>> I built some apps on web2py that are live and in production, and since EVERY app in my environment NEEDS to pass a Qualys scan to be live and production ready, I know that MY apps survive a Qualys scan with flying colors.
>> Point being "ATM web2py does not expose any obvious/hidden threat that Qualys identifies".
>> I'll reinstate the obvious though: this "just" means that if you code responsibly, your app is safe. It's not too little of a "just". But it's a "just" nonetheless.
>> No one is saying that EVERY app you code will pass a white-hat attempt if it's hosted on web2py, and I don't think that any framework in any language will ever have the guts to assure it.
>>
>>
>> On Thursday, October 8, 2015 at 8:38:05 PM UTC+2, Richard wrote:
>>>
>>> @Antonio
>>>
>>> I think Simone just pointed to the tool that can be used for such a purpose... You can use it over your App. From my understanding the App tested is the Ian App...
>>>
>>> Richard
>>>
>>> On Thu, Oct 8, 2015 at 1:19 PM, António Ramos <ramst...@gmail.com> 
>>> wrote:
>>>
>>>> Niphlod,
>>>> I don't see where you are pointing on https://www.qualys.com/
>>>> Where is the web2py app that survived the security scan?
>>>>
>>>> thank you
>>>>
>>>> 2015-10-05 11:25 GMT+01:00 Niphlod <nip...@gmail.com>:
>>>>
>>>>> here in ***undisclosed company**** web2py survives a 
>>>>> https://www.qualys.com/ security scan with no reports whatsoever.
>>>>>
>>>>>
>>>>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>>>>>
>>>>>> Hi, just looking back over anything about penetration testing and web2py - does anyone know of any recent (or any at all) testing of web2py?
>>>>>> We're getting close to our first customers on an app we've been developing the last year so really need to try and pick it to pieces now while we have a few months to work on anything we need to.
>>>>>>
>>>>>> Thanks
>>>>>> Ian
>>>>>>
>>>>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>>>>
>>>>>>> Thank you Dave for the feedback. It would be nice to have the results of those tests (Cenzic, Hailstorm, Qualys) published somewhere.
>>>>>>> Once in a while people ask about this.
>>>>>>>
>>>>>>> Massimo
>>>>>>>
>>>>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>>>>
>>>>>>>> Well....
>>>>>>>>
>>>>>>>> I can't say that I have tested the current trunk version, but last December I ran a pretty exhaustive penetration test against a site developed in web2py. The results were very good. No findings above low. The low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one other automated vulnerability test suite (I can't remember which at the moment) against it without issue.
>>>>>>>>
>>>>>>>> Here are some things that can cause issue though...
>>>>>>>>
>>>>>>>> * anywhere you use the XML() method in a view you should make sure you have validation turned on. Even though the framework is resilient and does a good job of sanitizing data in & out, you can still end up in XSS or XSRF trouble with XML().
>>>>>>>>
>>>>>>>> * redirects can trip up or slow down a lot of vuln scanners. Watch out if you perform your own testing that you're not getting false negatives.
>>>>>>>>
>>>>>>>> I know some people that would take on a more "formal" assessment if 
>>>>>>>> there is consensus....
>>>>>>>>
>>>>>>>> Dave
>>>>>>>>
>>>>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>>>>
>>>>>>>>> One of the awesome things about web2py is of course the built-in and well-documented resilience against a range of attack methods, but I was wondering if anyone has attempted a methodical (white-hat) attack to probe any potential weaknesses?
>>>>>>>>>
>>>>>>>>> Just out of interest :)
>>>>>>>>>
>>>>>>>> -- 
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>>
>>>
>>
>
>

