List:       owasp-dotnet
Subject:    [Owasp-dotnet] [WARNING : A/V UNSCANNABLE] Re: [Owasp-o2-platform]
From:       Mark Roxberry <mark.roxberry () owasp ! org>
Date:       2010-01-06 15:43:06
Message-ID: 31a291681001060743yeb86309i2ed567916732b828 () mail ! gmail ! com

This is great - I have had a few MOSS engagements and no one has a
comprehensive security plan.  Your approach appears to be at the nuts and
bolts level, which is needed.  I found that security is even worse at the
governance level.  Clients have no idea of what assets they have in
Sharepoint, the value of these assets, data leakage etc.  There are no real
best practices, other than what a consultant like me brings from experience,
which is a real pain in the neck to communicate without pointing to some
authoritative source.

I'm pulling up my notes and will see if I can offer anything.

On Mon, Jan 4, 2010 at 7:19 AM, dinis cruz <dinis.cruz@owasp.org> wrote:

> Now that the IBM contract has ended, I'm starting this January focused on
> MOSS (Sharepoint) which is part of a project that I have been working on for
> a while and that finally I can start publishing my techniques and (some) of
> my findings.
> 
> I think that there are a couple of guys here (on O2 or DotNet's mailing lists)
> that are either currently involved in a Sharepoint related engagement or
> have done it in the past. For them (and others interested in this topic)
> please let's collaborate on this one and help to create a MOSS Security Center
> of Excellence here at OWASP :)
> 
> There was a MOSS thread a while back that proposed the creation of an OWASP
> WIKI page to store this research. The link was to
> http://www.owasp.org/index.php/Research_for_Sharepoint but there was no
> content in there (Mark is there another page?) so I've started populating
> this Research_for_Sharepoint page with the following topics:
> 
> 
> - 1 Resources
>   - 1.1 Microsoft resources
>   - 1.2 Other Resources and Documentation
>   - 1.3 Presentations
>   - 1.4 Other interesting resources
>   - 1.5 Other Blogs and Articles
>   - 1.6 Security related technical articles
> - 2 Published Security issues
>   - 2.1 SharePoint related vulnerabilities and its status
> - 3 MOSS Security related WebParts, Tools & services
>   - 3.1 Open Source
>   - 3.2 Commercially Supported
> - 4 Dangerous MOSS APIs
> - 5 WebParts Security
> 
> 
> This is far from complete and I still have quite a lot of research notes I
> want to publish (please add the ones you know). Although all topics are now
> on this page, I expect (as the content grows) this to be split into multiple
> MOSS related pages.
> 
> I also have a number of MOSS O2 related tools and scripts that I will be
> publishing very soon :)
> 
> Dinis Cruz
> 
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
> 
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
> 
> 

_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-dotnet
