Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Gregg Reynolds
On Fri, Apr 13, 2018, 4:09 PM Aaron Bedra wrote: > Penetration testing is something performed on an application, but a source > code review of the language is certainly an interesting idea. My company > does these all the time. I ran this by my folks and there was

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Aaron Bedra
Thanks for the shout Alex. Jason reached out to me directly but I figured it would be better to answer this for the broader group. I’ve got a lot of thoughts around this and I am happy to dive deeper into any of these as well. On the topic of static analysis, I don’t think that application

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Aaron Bedra
Penetration testing is something performed on an application, but a source code review of the language is certainly an interesting idea. My company does these all the time. I ran this by my folks and there was certainly interest. If we could publish the results and create a healthy discussion

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Didier
I'd love an independent penetration and security audit of the Clojure codebase. Especially around the socket repl in a localhost restricted way and making sure it's not exploitable. I wonder how much it costs, and if Clojurist together could have one funded. -- You received this message

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Alex Miller
The socket repl is inherently not secure. It allows anyone to connect and run arbitrary code on the process. However, by default it is not running - you need to add extra system properties to start the server(s). If someone can start your server with arbitrary system properties, I'd say that is

Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Alex Miller
Hey Jason, I have looked at the Fortify reports and as you mention, it contains thousands of items. I spent some time looking at it and while I did not examine every item, 100% of the items I did look at were either a false positive or unimportant. We have no plans to satisfy Fortify by

Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Jason Turner
We work providing software to banks, partly in cloud but largely on premise products. We have been Java based for many years, but now looking to move to Clojure as we all love it. While on almost every front it is looking good, our market causes us to need to clearly demonstrate a high level

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Alex Miller
On Friday, April 13, 2018 at 8:38:51 AM UTC-5, Jason Turner wrote: > > Hi Alex, > > Thanks for the rapid feedback. Before anything else I should say that we > loved Clojure before using it at work, and we're even more in love now we > are using it at work - a huge thank you to the core team and

How to Validate Timestamp in Clojure

2018-04-13 Thread bj
How to validate a timestamp in Clojure?

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Jason Turner
Excellent Alex - thanks a lot.

Re: Using Clojure for public facing system in a bank - code security scanning - any luck?

2018-04-13 Thread Jason Turner
Hi Alex, Thanks for the rapid feedback. Before anything else I should say that we loved Clojure before using it at work, and we're even more in love now we are using it at work - a huge thank you to the core team and Rich, and a great community. Yes - I did see your previous comment but as was