TurnKey Linux Virtual Appliance Library

OWASP Top-10

Anon

{I made this post before, but it disappeared into the Æther}

Considering the sheer number of (frikkin' awesome) web-apps, little (or at least too little) consideration has been given to InfoSec (whereas that really should be the first concern).

Would there be some way to validate appliances against the OWASP Top-10?

I'm not suggesting it's the be-all & end-all of security concerns, but it sure as hell is a very good starting point. I'm aware that many of the issues actually reside with the individual application, but TKL systems can go a very long way towards addressing any possible shortcomings & so mitigate the risks.

Once the Top-10 has been covered, it will also inherently address some of the requirements for PCI DSS.

Much of this may seem common sense, but it's not.

Ideas?

- J

Liraz Siri

TurnKey could make OWASP checks easier

Having all these web applications in one place should make it easy to run some tests against them, maybe even automatically? (e.g., write a script that boots the ISO in Live CD mode into KVM then runs some checks against the webapp).

OTOH, this isn't really a TurnKey-specific thing. We just package these web applications. If there are security issues we should be reporting them to upstream.

So I'm somewhat unsure if this fits well within the scope of TurnKey, but I'd be delighted if community members that know their way around this stuff picked up the gauntlet. Come to think of it, you sound like you know what you're talking about. If you want it, the job is yours... :)

Anon

InfoSec validation

Thanks for the prompt feedback, Liraz.

The automated nature of TKLs could make life easier, and even leveraging tech like Landscape could simplify it even more (once I get my head around it).

I too rely on updated repos of the respective apps to near-automatically keep systems patched, but doing so blindly presents its own problems. But you're right in your assessment that it's up to each separate application's maintainers to keep things patched.

My InfoSec & pen-testing is not up to snuff unfortunately, but I would be willing to hone my skills by hardening systems I use.

Luckily the Launchpad is already in place to file bugs & submit reports, so I'll try & provide my contributions for vetting & inclusion back there.

Cheers

== FLOSS'er ==

Jeremy

I had never heard of OWASP

Not that I'm a developer, but still I like to keep my eye out for stuff like that, so thanks for the info.

While I agree, Liraz, that it is sort of outside the scope of TKL, the community here is in quite a good position to test this sort of thing IF we had some sort of, let me think, ummm, I know - appliance (or script or some such thing)! If we were to have such a thing (hint, hint Anon) then we'd be in a much better position to find out about that sort of stuff. :)

Perhaps too, once this script/appliance/whatever exists, TKL could play their part in assisting OWASP to gain greater coverage by rating each of the appliances against the Top 10? This would increase end-user awareness both of OWASP and their Top 10, but also of how the appliances (and obviously their components) stack up. Something for the "one day" section of your to-do list, Liraz?
