Darren, I would challenge you by saying the following:

1. In the same sense that it is unreasonable for OpenID to satisfy every
identity use case on the planet, you also shouldn't expect a static
analysis toolkit to do the same either.

2. Which is worse, having to sort through false positives or to not
perform static analysis at all and have OpenID fail once some bad guy
busts the implementation so badly that everyone runs away from OpenID?

3. A small correction on OWASP. OWASP DOES perform analysis on OPEN
SOURCE implementations at no cost. If you have a commercial version,
then you need to pay. The open source implementations simply need to
submit their code to http://owasp.fortify.com to get the process
started.

4. The link above is merely hosted by Fortify and they provide the
tools. The actual execution of scanning isn't even done by Fortify
employees but other members of the OWASP community.

5. FYI, I am the project leader for several OWASP projects and am the
chapter leader for Hartford (one of the largest). Our next meeting is on
Tuesday at 5pm Eastern where we will have Mary Ruddy of Higgins
presenting. Our meetings are free to attend and for this one, we will
also be webcasting it. The webinar information will be sent out on
Monday to the mailing list. Subscribe at:
http://lists.owasp.org/mailman/listinfo/owasp-hartford. If you would like
to attend in person, here is the information:
http://www.owasp.org/index.php/Hartford

6. Engaging a reputable third party isn't a bad idea but keep in mind
that "part" of their assessment will use the same automated tools. Firms
I like include Security Compass (http://www.securitycompass.com), Artec
(http://www.artecgroup.net), and Cigital (http://www.cigital.com).

Date: Thu, 5 Feb 2009 15:48:06 -0500
From: Darren Bounds <dbou...@gmail.com>
Subject: Re: OpenID Security
To: "McGovern, James F (HTSC, IT)" <james.mcgov...@thehartford.com>
Cc: specs@openid.net
Message-ID: <26563eca0902051248o446aa21br23aeb19f743ae...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

I do not believe OWASP presently does any active vulnerability analysis.
Rather they provide definition around best practices and reference
material around web application security as well as a small set of open
source vulnerability analysis and penetration testing tools.

With regard to the Fortify link you sent previously; in my experience
thus far, I have not found a single automated vulnerability analysis
tool that's worth the price tag or the effort involved in tuning it.
More often than not they find nothing more than low hanging fruit and
false positives. Even worse, they often miss more than they catch,
resulting in a large number of false negatives. Subsequently any
'certification' an automated tool can provide should be taken with a
grain of salt.

IMO, if a formal security assessment is desirable, it would be much more
fruitful to engage a reputable 3rd party to perform one manually.


Darren

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
