Hi Dieter,

that's what I tried to explain, maybe not clearly enough ... As you stated, the question of OTRS security is first of all a question of the base system (OS and used applications). After that, IMHO, you need a formal check of the OTRS (Perl) implementation.

But it seems that nobody has done anything in this direction ,-)

regards
Christoph

Dieter Ringhofer wrote:
Hi Christoph,

it isn't as easy as you try to handle it.

An application must conform to a decent level of security to be usable per se. If it offers insufficient security you can do whatever you want - it's quite unusable.

To illustrate it:

Windows with all of its backdoors is insecure. Therefore it can never be a reliable base for online business. Nevertheless, when your application is based on Windows (even an in-house application!) it is simply insufficient to double-check the application's internal security. You must do a lot more.

See the most trivial MS-Office hack:
Install a memory hook and you can forget every internal password security. It's a stupid implementation.

OTOH you can run a secure LAMP system. When you run an insecure application with it, the whole system becomes insecure.

OTRS is an online application. Therefore it must be secure for itself.

On 23.12.2009 08:25, Christoph Ohliger wrote:
Peter,

isn't that first of all a question of LAMP, modsecurity or whatever you
use to implement/protect? Of course the formal testing requirement of
OTRS may remain.

regards
Christoph

Peter Sharp wrote:

In order to put OTRS on the outside of our firewall, or let traffic
pass through to the OTRS system, they require it to be secure. Is
there any sort of formal testing or security documentation about the
security of OTRS 2.4.5 or other versions running on apache? Say
security vulnerabilities checked for by a third party
security-checking tool?

Thanks,

Peter



---------------------------------------------------------------------
OTRS mailing list: dev - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/dev
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/dev

NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
http://www.otrs.com/en/support/enterprise-subscription/


