Penetration testing is something performed on an application, but a source code review of the language is certainly an interesting idea. My company does these all the time. I ran this by my folks and there was certainly interest. If we could publish the results and create a healthy discussion my company would be happy to participate and do this at a fixed and heavily discounted price.
In terms of socket REPL, it is and will always be a security anti-pattern. But that should be understood and considered as a trade-off for the ability to access a running program. There could be recommendations made, but I don't see a lot of value in pointing out what we already know to be a poor idea from a security perspective. I think that conversation should shift towards compensating controls around the environment to make sure limitations on REPL access are present and auditable.

> On Apr 13, 2018, at 12:51 PM, Didier <[email protected]> wrote:
>
> I'd love an independent penetration and security audit of the Clojure
> codebase. Especially around the socket REPL in a localhost-restricted way and
> making sure it's not exploitable.
>
> I wonder how much it costs, and if Clojurists Together could have one funded.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to [email protected]
> Note that posts from new members are moderated - please be patient with your
> first post.
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en
> ---
> You received this message because you are subscribed to the Google Groups
> "Clojure" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
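As an added example of the compensating controls the reply asks for (this is not code from the thread or from Clojure itself): a socket REPL started through `clojure.core.server` that is pinned to the loopback address and writes an audit line when each session opens and closes. The namespace, the log file path and the `audited-repl` accept function are my own assumptions; `start-server`, `repl` and `*session*` are the stock `clojure.core.server` API.

```clojure
;; Added example, not part of the original thread.
(ns example.audited-repl
  (:require [clojure.core.server :as server]
            [clojure.java.io :as io])
  (:import [java.time Instant]))

;; Assumed log location; ship this file to whatever collects host logs.
(def audit-log (io/file "repl-audit.log"))

(defn- audit! [event]
  ;; One timestamped line per event, appended so nothing is overwritten.
  (spit audit-log (str (Instant/now) " " (pr-str event) "\n") :append true))

(defn audited-repl
  "Accept function for the socket server: record the session, then hand the
   connection to the stock socket REPL. clojure.core.server binds *in*/*out*
   to the client socket and *session* to {:server name :client id} before
   calling this."
  []
  (let [session server/*session*]
    (audit! {:event :repl-session-opened :session session})
    (try
      (server/repl)
      (finally
        (audit! {:event :repl-session-closed :session session})))))

(defn start-audited-repl!
  "Start the socket REPL on loopback only. An :address of \"0.0.0.0\" would
   expose the REPL to the network; 127.0.0.1 (also the default when :address
   is omitted) limits it to processes on the same host, which is the
   'localhost restricted' setup discussed in the thread."
  [port]
  (server/start-server {:name    "audited-repl"
                        :port    port
                        :address "127.0.0.1"
                        :accept  'example.audited-repl/audited-repl}))

(comment
  ;; Start it, connect with `nc 127.0.0.1 5555`, then inspect repl-audit.log.
  (start-audited-repl! 5555)
  (server/stop-server "audited-repl"))
```

The same settings can be supplied without code via the JVM property `-Dclojure.server.audited-repl="{:port 5555 :address \"127.0.0.1\" :accept example.audited-repl/audited-repl}"`, which Clojure reads at startup.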
