Hello Arthur, Am 21.02.2018 um 16:42 schrieb Arthur Hewitt:
1. Does a threat model for OpenXPKI exist and if so, can it be shared? I recently created one myself and would be happy to share if anyone is interested. It would be interesting to compare it to any existing ones to see how I did :)
The core team spend some efforts when doing the architecture (which is basically layed out in the Workshop slides avail on the website) but at least "we" never did one formally. If you share it, we are happy to discuss it.
2. Has OpenXPKI been pen tested, and if so, can you share the results or at least the high level overview?
Yes - a customer with a large installation did so, we are not allowed to share the detailed results but the findings have been fixed in the upstream project.
3. Does OpenXPKI do any input validation to mitigate XSS and/or SQLi?
Sure ;)Almost all output is rendered using the Ember Framework which applies HTML escaping on all items, raw output is handled by filters in the backend so you should not be able to perform a useful XSS.
Most input is compared against a regex and all SQL queries are done by using placeholder-patterns in the database layer, so as long as this is not broken, SQL injection should not be possible.
Oliver -- Protect your environment - close windows and adopt a penguin!
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
