[ 
https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12592940#action_12592940
 ] 

Jonathon Wong commented on OFBIZ-1525:
--------------------------------------

> Note that there are no *proved* security issues currently, just possible 
> breaches.

Perhaps no one has taken the time to breach the security related to these 
issues. However, it doesn't take much time to do so! Certain "patterns" of 
security mechanisms are quite textbook; the violation of these "patterns" 
invariably means a security hole. Proving these textbook cases is easy via 
maths or logic. Proving via experimentation isn't much more difficult.

Is it a policy to wait for an actual reported breach before a textbook case is 
resolved? In some of my projects, I was subject to a "security audit" (like an 
"interview" for OFBiz) before I could even qualify for tender. None of my 
projects could use OFBiz security "as is"; they all needed a replacement 
security module.

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security 
> issues (pending or closed).
> Note that there are no *proved* security issues currently, just possible 
> breaches.
> This issue should never be closed.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
