Any updates on this?  I am in the process of finding a supplier to pen 
test, wondering if I should be prepared for anything.

On Friday, October 9, 2015 at 11:26:55 AM UTC-4, Michael M wrote:
>
> My company has to have an outside firm Pen test all Web-Service 
> applications.  So I am spinning up two internal services and both are going 
> to be tested around November before they go into Prod from Non-Prod.  I'm 
> starting talks with the InfoSec team to see if I can share the findings of 
> the test.
>
> On Thursday, October 8, 2015 at 12:13:33 PM UTC-7, Richard wrote:
>>
>> :)
>>
>> Nice to hear that!
>>
>> Richard
>>
>> On Thu, Oct 8, 2015 at 2:59 PM, Niphlod <[email protected]> wrote:
>>
>>> not really. 
>>> I built some apps on web2py that are live and in production, and since 
>>> EVERY app in my environment NEEDS to pass a Qualys scan to be live and 
>>> production ready, I know that MY apps survive a Qualys scan with flying 
>>> colors.
>>> Point being "ATM web2py does not expose any obvious/hidden threat that 
>>> Qualys identifies".
>>> I'll reinstate the obvious though: this "just" means that if you code 
>>> responsibly, your app is safe. It's not too little of a "just". But it's a 
>>> "just" nonetheless. 
>>> No one is saying that EVERY app you code will pass a white-hat attempt if 
>>> it's hosted on web2py, and I don't think that any framework in any language 
>>> will ever have the guts to assure it. 
>>>
>>>
>>> On Thursday, October 8, 2015 at 8:38:05 PM UTC+2, Richard wrote:
>>>>
>>>> @Antonio
>>>>
>>>> I think Simone just pointed to the tool that can be used for such a 
>>>> purpose... You can use it over your App. From my understanding, the App 
>>>> tested is Ian's App...
>>>>
>>>> Richard
>>>>
>>>> On Thu, Oct 8, 2015 at 1:19 PM, António Ramos <[email protected]> 
>>>> wrote:
>>>>
>>>>> Niphlod,
>>>>> I don't see where you are pointing to on  https://www.qualys.com/
>>>>> where is the web2py app that survived the security scan ?
>>>>>
>>>>> thank you
>>>>>
>>>>> 2015-10-05 11:25 GMT+01:00 Niphlod <[email protected]>:
>>>>>
>>>>>> here in ***undisclosed company**** web2py survives a 
>>>>>> https://www.qualys.com/ security scan with no reports whatsoever.
>>>>>>
>>>>>>
>>>>>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>>>>>>
>>>>>>> Hi, just looking back over anything about penetration testing and 
>>>>>>> web2py - does anyone know of any recent (or any at all) testing of 
>>>>>>> web2py? 
>>>>>>> We're getting close to our first customers on an app we've been 
>>>>>>> developing the last year so really need to try and pick it to pieces 
>>>>>>> now while we have a few months to work on anything we need to.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Ian
>>>>>>>
>>>>>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>>>>>
>>>>>>>> Thank you Dave for the feedback. It would be nice to have the 
>>>>>>>> results of those tests (Cenzic, Hailstorm, Qualys) published 
>>>>>>>> somewhere. 
>>>>>>>> Once in a while people ask about this.
>>>>>>>>
>>>>>>>> Massimo
>>>>>>>>
>>>>>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>>>>>
>>>>>>>>> Well....
>>>>>>>>>
>>>>>>>>> I can't say that I have tested the current trunk version, but last 
>>>>>>>>> December I ran a pretty exhaustive penetration test against a site 
>>>>>>>>> developed with web2py.  The results were very good.  No findings 
>>>>>>>>> above low.  The low findings were insignificant.  I ran Cenzic 
>>>>>>>>> Hailstorm, Qualys and one other automated vulnerability test suite 
>>>>>>>>> (I can't remember which at the moment) against it without issue.  
>>>>>>>>>
>>>>>>>>> Here are some things that can cause issue though...
>>>>>>>>>
>>>>>>>>> * anywhere you use the XML() method in a view you should make sure 
>>>>>>>>> you have validation turned on.  Even though the framework is 
>>>>>>>>> resilient and does a good job of sanitizing data in & out, you can 
>>>>>>>>> still end up in XSS or XSRF trouble with XML().
>>>>>>>>>
>>>>>>>>> * redirects can trip up or slow down a lot of vuln scanners.  
>>>>>>>>> Watch out if you perform your own testing that you're not getting 
>>>>>>>>> false negatives.
>>>>>>>>>
>>>>>>>>> I know some people that would take on a more "formal" assessment 
>>>>>>>>> if there is consensus....
>>>>>>>>>
>>>>>>>>> Dave
>>>>>>>>>
>>>>>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>>>>>
>>>>>>>>>> One of the awesome things about web2py is of course the built-in 
>>>>>>>>>> and well-documented resilience against a range of attack methods, 
>>>>>>>>>> but I was wondering if anyone has attempted a methodical (white-hat) 
>>>>>>>>>> attack to probe any potential weaknesses?
>>>>>>>>>>
>>>>>>>>>> Just out of interest :)
>>>>>>>>>>
>>>>>>>>> -- 
>>>>>> Resources:
>>>>>> - http://web2py.com
>>>>>> - http://web2py.com/book (Documentation)
>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>> --- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "web2py-users" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>
>>>
>>
>>


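Dave's point about XML() in views, illustrated with example code added here that is neither from the thread nor from web2py itself: in a web2py view `{{=value}}` entity-escapes the value, `{{=XML(value)}}` emits the markup verbatim, and `XML(value, sanitize=True, permitted_tags=[...], allowed_attributes={...})` passes it through an allow-list sanitizer. The stand-alone Python below models the escaped and sanitized behaviours with the standard library only; the allow-lists, the `DROP_CONTENT` set and the href scheme check are this example's own choices, not web2py's defaults.

```python
import html
from html.parser import HTMLParser

# Allow-lists in the spirit of XML(sanitize=True, permitted_tags=..., allowed_attributes=...);
# the values are this example's own choice, not web2py's defaults.
PERMITTED_TAGS = {"b", "i", "p", "br", "a"}
ALLOWED_ATTRIBUTES = {"a": {"href"}}
DROP_CONTENT = {"script", "style"}      # tags whose body is discarded along with the tag
SAFE_HREF_PREFIXES = ("http://", "https://", "/")

def render_escaped(value):
    """What {{=value}} does in a web2py view: entity-escape the whole string."""
    return html.escape(value, quote=True)

class _AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._dropping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._dropping += 1
        if self._dropping or tag not in PERMITTED_TAGS:
            return                          # unknown tag is dropped, its text is kept
        kept = ""
        for name, val in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, ()) or val is None:
                continue                    # e.g. onclick= is never allowed
            if name == "href" and not val.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue                    # refuse javascript:/data: style URLs
            kept += ' %s="%s"' % (name, html.escape(val, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._dropping = max(0, self._dropping - 1)
        elif not self._dropping and tag in PERMITTED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=True))

def render_sanitized(value):
    """Model of {{=XML(value, sanitize=True)}}: allow-listed tags/attributes only."""
    parser = _AllowListSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

Passing user-supplied markup straight to XML() is the raw case the sanitizer exists to avoid; if the markup must render at all, the sanitized path (or web2py's own `sanitize=True`) is the one to use.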