[Zope] OWASP relevance?
Chris McDonough
chrism at plope.com
Fri Mar 18 13:52:16 EST 2005
I hadn't heard of these before but all of them appear to require
some run-of-the-mill good coding practices and a few are helped by Zope.

Unvalidated input - don't trust input from users if you use it to
  construct, say, a SQL query. Zope attempts to mitigate/enforce this
  by encouraging you to use special DTML tags for SQL methods. Many
  other things exist here as well.

Broken access control - set Zope security up properly.

Broken auth and session management - use SSL only and don't store
  cookies persistently.

XSS - Zope's ZMI is resistant to this, you'll need to make sure your
  own app is too. Huge topic, not always fixable.

Buffer overflows - none known that are exploitable via Zope itself.

Injection flaws - a non-issue for Zope proper, it doesn't execute any
  system commands. Might be a problem for custom apps.

Improper error handling - turn off debug mode, get rid of
  VerboseSecurity.

Insecure storage - encrypt your content. Turn on password encryption
  in your user folder.

Denial of service - totally a per-application sort of issue, you need
  to "think like a scumbag" to fix most of the issues.

Insecure configuration management - Zope ships "default secure" AFAIK.
- C
On Fri, 2005-03-18 at 13:34, Bill Seitz wrote:
> Are any of the OWASP guidelines either (a) a non-risk by default in
> Zope, or (b) documented in terms of specific Zope practices to
> follow/avoid?
>
> http://www.owasp.org/documentation/topten.html
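To make the "special DTML tags for SQL methods" point concrete, here is an added example (not from the post and not Zope's own code) that models in plain Python what a typed <dtml-sqlvar> tag does for a Z SQL Method, next to the string-pasting pattern the post warns against; the function names and the exact quoting rules are assumptions for illustration.

```python
# Added example, not code from the mailing list post or from Zope itself.
# Simplified model of <dtml-sqlvar name type=...>: the tag type-checks
# and quotes the parameter, so the query author never pastes raw user
# input into the SQL text. Quoting rules are an assumption here (single
# quotes doubled); a real DB adapter may escape differently.


def sqlvar(value, type="string"):
    """Render one query parameter the way a typed SQL tag would."""
    if type == "int":
        # Anything that is not an integer is rejected, not interpolated.
        try:
            return str(int(str(value).strip()))
        except ValueError:
            raise ValueError("sqlvar: %r is not an int" % (value,))
    if type == "string":
        # Single-quoted literal; embedded quotes are doubled so they
        # cannot terminate the literal early.
        return "'" + str(value).replace("'", "''") + "'"
    raise ValueError("sqlvar: unsupported type %r" % (type,))


def naive_query(username):
    """The pattern the post warns about: user input pasted into SQL."""
    return "SELECT id FROM users WHERE name = '%s'" % username


def tagged_query(username, max_id):
    """The recommended pattern: every parameter goes through the tag."""
    return "SELECT id FROM users WHERE name = %s AND id < %s" % (
        sqlvar(username, type="string"),
        sqlvar(max_id, type="int"),
    )


if __name__ == "__main__":
    # Constructed inputs: a legitimate apostrophe, and a value whose
    # quote would end the literal in the naive version.
    for name in ("O'Brien", "x' OR 'a'='a"):
        print("naive :", naive_query(name))
        print("tagged:", tagged_query(name, "10"))
    try:
        tagged_query("alice", "10 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

Note that the naive form breaks (or changes meaning) on an ordinary name like O'Brien, so the typed tag is a correctness fix as much as a security one.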