Hi all,
No worries (yet), this is not about issues we have uncovered.
We have the opportunity however to have a team from the GEANT project
review the code of SaToSa. We already had them do a review of the
InAcademia service itself, now they can look at the code.
Their question, however, is which areas would be of most interest to look
at, as just starting at line 1 is probably not a good idea ;)
Could you also express why these code areas are most sensitive?
* My initial guess would be the code that handles incoming OIDC and
SAML is most critical (so the backends). Including the bits that do
validation of these requests.
* Next the code that handles the business logic of interpreting the
internal state and makes the responses out of that
* Then the frontends
Does that make sense? Should we also include looking into the libraries
deeply?
In addition, are you aware of additional reviews that were performed? If
so, we would be really interested to learn about these.
Of course we will share the findings in a confidential way. By the way,
does idpy have some contingency rules about that already?
Thanks,
Niels
--
Niels van Dijk Technical Product Manager Trust & Security
Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
www.surfnet.nl www.openconext.org