Thanks a lot Aaron for getting in touch.
We are pretty much following all the practices you have listed - and I agree
that they overall have more impact than static analysis, and can do more to
lead to a secure deliverable; it is good though to note them and review to what
extent we can make
Dragan, our experience is that organisations often adopt something like
BlackDuck and then use that as their benchmark.
On Sun, Apr 15, 2018 at 10:59 AM, Dragan Djuric wrote:
> Hi all. Very interesting thread! I guess that not many Clojure developers
> are in this situation,
On Sun, Apr 15, 2018, 4:59 AM Dragan Djuric wrote:
> Hi all. Very interesting thread! I guess that not many Clojure developers
> are in this situation, but I hope many more will be; that would mean that
> Clojure got the foot in the door of the enterprise.
>
> Gregg, I need a
Hi all. Very interesting thread! I guess that not many Clojure developers
are in this situation, but I hope many more will be; that would mean that
Clojure got the foot in the door of the enterprise.
Gregg, I need a little clarification on the last thing you mentioned: Is a
dependency treated
On Fri, Apr 13, 2018, 4:09 PM Aaron Bedra wrote:
> Penetration testing is something performed on an application, but a source
> code review of the language is certainly an interesting idea. My company
> does these all the time. I ran this by my folks and there was
Penetration testing is something performed on an application, but a source code
review of the language is certainly an interesting idea. My company does these
all the time. I ran this by my folks and there was certainly interest. If we
could publish the results and create a healthy discussion
Thanks for the shout Alex. Jason reached out to me directly but I figured it
would be better to answer this for the broader group. I’ve got a lot of
thoughts around this and I am happy to dive deeper into any of these as well.
On the topic of static analysis, I don’t think that application
The socket repl is inherently not secure. It allows anyone to connect and
run arbitrary code on the process. However, by default it is not running -
you need to add extra system properties to start the server(s). If someone
can start your server with arbitrary system properties, I'd say that is
I'd love an independent penetration and security audit of the Clojure codebase.
Especially around the socket repl in a localhost restricted way and making sure
it's not exploitable.
I wonder how much it costs, and if Clojurists Together could have one funded.
Excellent Alex - thanks a lot.
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from
On Friday, April 13, 2018 at 8:38:51 AM UTC-5, Jason Turner wrote:
>
> Hi Alex,
>
> Thanks for the rapid feedback. Before anything else I should say that we
> loved Clojure before using it at work, and we're even more in love now we
> are using it at work - a huge thank you to the core team and
Hi Alex,
Thanks for the rapid feedback. Before anything else I should say that we
loved Clojure before using it at work, and we're even more in love now we
are using it at work - a huge thank you to the core team and Rich, and a
great community.
Yes - I did see your previous comment but as was