On Fri, Feb 1, 2013 at 12:00 PM, Sweere, Kevin
<kevin.sweere....@gafg.afrl-wrs.hpc.mil> wrote:
> Sir,
>
> Yes, I'd love to participate.  I'm a cyber-security researcher, but not a
> coder.

Excellent!

I'm proposing a cas-appsec group to explore these issues,
coordinate/collaborate on deliverables, and other activities.  I
think it would be helpful to kick this off with a conf call and then
see where we go from there.

We are looking for additional volunteers and participants.  If you are
interested please let me know or just add your name to the doodle.

http://doodle.com/papnz5mfuzdhacug

I'll send out call logistics once we firm up a time.

Best,
Bill


>
> I'll try to drag in my coding co-worker who's building & deploying CAS
> LiveCD webSSOs.  I'll also invite those who run static & dynamic software
> security analysis tools... and attack tools.
>
> K
>
>
> On Thu, Jan 31, 2013 at 4:52 PM, William G. Thompson, Jr. <wgt...@gmail.com>
> wrote:
>>
>> Kevin,
>>
>> Thanks for bringing this up.  There's been some discussion of spinning
>> up an AppSec group for CAS to help maintain something like.   Is this
>> something you could participate in?  I'd like to see the community
>> maintain something of a security audit as well.
>>
>> The best doc to answer your question at the moment is the CAS Protocol
>> doc:
>> http://www.jasig.org/cas/protocol
>>
>> Best,
>> Bill
>>
>>
>> On Thu, Jan 31, 2013 at 4:28 PM, Sweere, Kevin
>> <kevin.sweere....@gafg.afrl-wrs.hpc.mil> wrote:
>> > Hello,
>> >
>> > To greatly decrease risk to a CAS server, it should only receive clean,
>> > safe
>> > data from external elements.  For example, a CAS webSSO receives SAML
>> > messages created by XYZ.com and sent from untrusted user browsers from
>> > around the world.  It may also receive CRL or OCSP data to check that
>> > user's
>> > PKI.  An intermediate filter can stop unwanted, dangerous data before it
>> > even reaches the CAS's NIC.  Less effective but acceptable are filters
>> > within the CAS server.
>> >
>> > Data that is safely usable by CAS must be allowed while everything else
>> > should be denied.  What is the allowable text for incoming messages?
>> > Formats? Lengths?  What filters exist to do this?  (Besides the obvious
>> > -
>> > URLs, PPS)
>> >
>> > Thanks, Kevin Sweere, Air Force Research Lab
>> >
>> > --
>> > You are currently subscribed to cas-dev@lists.jasig.org as:
>> > wgt...@gmail.com
>> > To unsubscribe, change settings or access archives, see
>> > http://www.ja-sig.org/wiki/display/JSG/cas-dev

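The deny-by-default input filter Kevin asks about above, as an added example that is not part of this thread or of CAS itself: each CAS endpoint gets an explicit list of allowed parameters, each value is checked against a grammar (ticket prefix and character set as in the CAS protocol doc, service URLs against a registry), and anything else is rejected before it reaches the application. The `/cas/` path prefix, the registered service URLs, the length caps and the rule that `renew`/`gateway` must be the literal `true` are assumptions chosen for the example.

```python
import re
from urllib.parse import parse_qs

# Registered service URLs; a constructed sample standing in for the CAS service registry.
ALLOWED_SERVICES = {"https://app.example.edu/login", "https://wiki.example.edu/cas"}

# Ticket grammar from the CAS protocol doc: a known prefix, then only [A-Za-z0-9-].
TICKET_RE = re.compile(r"(ST|PT|PGT|PGTIOU)-[A-Za-z0-9-]+")
MAX_TICKET_LEN = 256   # assumption: conservative cap, not a protocol constant
MAX_QUERY_LEN = 2048   # assumption: oversized query strings are dropped outright


def is_service(v):        # exact match against the registry, after URL-decoding
    return v in ALLOWED_SERVICES

def is_ticket(v):         # fullmatch, so a trailing newline or NUL byte cannot slip past
    return len(v) <= MAX_TICKET_LEN and TICKET_RE.fullmatch(v) is not None

def is_flag(v):           # assumption: only the literal "true" is accepted for renew/gateway
    return v == "true"

def is_callback(v):       # pgtUrl must be HTTPS and itself a registered service
    return v.startswith("https://") and is_service(v)

# Per-endpoint allowlist: (parameter -> validator, required parameters). Unknown
# endpoints, unknown parameters, duplicates and invalid values are all denied.
ENDPOINTS = {
    "/cas/login": ({"service": is_service, "renew": is_flag, "gateway": is_flag}, ()),
    "/cas/serviceValidate": ({"service": is_service, "ticket": is_ticket,
                              "renew": is_flag, "pgtUrl": is_callback},
                             ("service", "ticket")),
}


def validate_request(path, query):
    """Return (True, "ok") if path and query string are allowlisted, else (False, reason)."""
    if path not in ENDPOINTS:
        return False, "unknown endpoint"
    if len(query) > MAX_QUERY_LEN:
        return False, "query too long"
    rules, required = ENDPOINTS[path]
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        if name not in rules:
            return False, f"unexpected parameter {name}"
        if len(values) != 1:
            return False, f"duplicate parameter {name}"
        if not rules[name](values[0]):
            return False, f"invalid value for {name}"
    for name in required:
        if name not in params:
            return False, f"missing required parameter {name}"
    return True, "ok"
```

The same table-driven check can sit in a reverse proxy in front of the server, which is the "before it even reaches the NIC" placement Kevin prefers, or in a servlet filter inside CAS.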