Hi Sue,

> I am trying to find out if DSpace has ever been tested for cross-site
> scripting and/or SQL injection vulnerabilities?
Yes it has. It was first scanned some years back, and a big exercise was undertaken to clean up all database access via 'safe' centrally-managed database access methods that ensure safe practices such as parameter binding etc. One institutional user of DSpace also undertook a scan during the development of 1.6, which resulted in some additional improvements such as session invalidation. We (The University of Auckland) undertook an IBM AppScan a few months back, and this came out clean.

However... we would be foolish to rest on our laurels, fully trust automated scans, and not keep up to date with regular testing, so there is always room for more if anyone has access to these tools and the time to run them, or to undertake more manual checks.

Also to note for anyone who does ever have concerns: the committers group has fast-track methods of dealing with any possible security issues if they do arise, so please get in contact with any of the central DSpace team, who will be able to pass these on to the committers, who ensure that they are dealt with as a top priority.

Thanks,

Stuart Lewis
IT Innovations Analyst and Developer
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: +64 (0)9 373 7599 x81928

_______________________________________________
DSpace-tech mailing list
https://lists.sourceforge.net/lists/listinfo/dspace-tech
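The "parameter binding" that the reply credits the central database access methods with is the difference between building SQL text out of user input and handing the input to the driver as a bound value. The following is an added illustration, not DSpace's own code and not from the thread: a lookup written both ways against a constructed in-memory SQLite table (the table and column names `item`, `handle`, `withdrawn` are invented for the example), plus a minimal central query helper in the spirit of the "centrally-managed" access described above. With a classic `' OR '1'='1` payload the concatenated query leaks the withdrawn row; the bound query treats the payload as an ordinary (non-matching) handle.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a repository item table.
# Schema and rows are invented for this example.
SAMPLE_ITEMS = [
    (1, "public-report", 0),      # visible item
    (2, "embargoed-thesis", 1),   # withdrawn item that must never be returned
]

# A textbook injection payload; quoting it this way closes the string literal
# in a concatenated query and appends an always-true condition.
INJECTION = "x' OR '1'='1"


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (item_id INTEGER PRIMARY KEY, handle TEXT, withdrawn INTEGER)"
    )
    conn.executemany("INSERT INTO item VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def find_item_unsafe(conn, handle):
    """Vulnerable pattern: user input is spliced into the SQL text.

    With INJECTION the statement becomes
        ... WHERE withdrawn = 0 AND handle = 'x' OR '1'='1'
    and because AND binds tighter than OR, every row matches.
    """
    sql = (
        "SELECT item_id, handle FROM item "
        "WHERE withdrawn = 0 AND handle = '" + handle + "'"
    )
    return conn.execute(sql).fetchall()


def query(conn, sql, *params):
    """Hypothetical central access method: the only way callers may run SQL.

    The statement text is fixed by the caller's code; values travel as bound
    parameters and are never parsed as SQL, whatever characters they contain.
    """
    return conn.execute(sql, params).fetchall()


def find_item_safe(conn, handle):
    """Parameter binding: the payload is compared as a literal handle value."""
    return query(
        conn,
        "SELECT item_id, handle FROM item WHERE withdrawn = 0 AND handle = ?",
        handle,
    )


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, normal input :", find_item_unsafe(conn, "public-report"))
    print("unsafe, injection    :", find_item_unsafe(conn, INJECTION))
    print("safe,   normal input :", find_item_safe(conn, "public-report"))
    print("safe,   injection    :", find_item_safe(conn, INJECTION))
```

The point of routing everything through one `query()`-style helper, as the reply describes for DSpace, is that a code review only has to check that no caller builds SQL text from input, rather than auditing every query for quoting mistakes. The same binding discipline applies unchanged to PostgreSQL or Oracle JDBC `PreparedStatement`s; only the placeholder syntax differs.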

