Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-17 Thread Jason Turner
Thanks a lot Aaron for getting in touch. We are pretty much following all the practices you have listed - and I agree that they overall have more impact than static analysis, and can do more to lead to a secure deliverable; it is good though to note them and review to what extent we can make

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-17 Thread Jason Turner
Dragan, our experience is that organisations often adopt something like BlackDuck and then use that as their benchmark. On Sun, Apr 15, 2018 at 10:59 AM, Dragan Djuric wrote: > Hi all. Very interesting thread! I guess that not many Clojure developers > are in this situation,

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-15 Thread Gregg Reynolds
On Sun, Apr 15, 2018, 4:59 AM Dragan Djuric wrote: > Hi all. Very interesting thread! I guess that not many Clojure developers > are in this situation, but I hope many more will be; that would mean that > Clojure got the foot in the door of the enterprise. > > Gregg, I need a

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-15 Thread Dragan Djuric
Hi all. Very interesting thread! I guess that not many Clojure developers are in this situation, but I hope many more will be; that would mean that Clojure got the foot in the door of the enterprise. Gregg, I need a little clarification on the last thing you mentioned: Is a dependency treated

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Gregg Reynolds
On Fri, Apr 13, 2018, 4:09 PM Aaron Bedra wrote: > Penetration testing is something performed on an application, but a source > code review of the language is certainly an interesting idea. My company > does these all the time. I ran this by my folks and there was

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Aaron Bedra
Penetration testing is something performed on an application, but a source code review of the language is certainly an interesting idea. My company does these all the time. I ran this by my folks and there was certainly interest. If we could publish the results and create a healthy discussion

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Aaron Bedra
Thanks for the shout Alex. Jason reached out to me directly but I figured it would be better to answer this for the broader group. I’ve got a lot of thoughts around this and I am happy to dive deeper into any of these as well. On the topic of static analysis, I don’t think that application

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Alex Miller
The socket repl is inherently not secure. It allows anyone to connect and run arbitrary code on the process. However, by default it is not running - you need to add extra system properties to start the server(s). If someone can start your server with arbitrary system properties, I'd say that is

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Didier
I'd love an independent penetration and security audit of the Clojure codebase. Especially around the socket repl in a localhost restricted way and making sure it's not exploitable. I wonder how much it costs, and if Clojurist together could have one funded. -- You received this message

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Jason Turner
Excellent Alex - thanks a lot.

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Alex Miller
On Friday, April 13, 2018 at 8:38:51 AM UTC-5, Jason Turner wrote: > > Hi Alex, > > Thanks for the rapid feedback. Before anything else I should say that we > loved Clojure before using it at work, and we're even more in love now we > are using it at work - a huge thank you to the core team and

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Jason Turner
Hi Alex, Thanks for the rapid feedback. Before anything else I should say that we loved Clojure before using it at work, and we're even more in love now we are using it at work - a huge thank you to the core team and Rich, and a great community. Yes - I did see your previous comment but as was