Hi all,
Many thanks for the feedback!
In response to Roland's note below, I agree, and at SURFconext we have had
a pretty hard time finding security testers that could indeed get into
the core of the SAML/OIDC implementation.
We ended up hiring some security experts from a German Uni in the end.
That said, I think it would be good to have a baseline for SaToSa.
Indeed, as suggested, it needs to be clear what was tested and how. This
could then serve as the starting point for further, more in-depth analysis.
E.g. SURFnet might actually be willing to fund the latter, should we get
a green light to bring our SaToSa based services in production. We are
required to perform a security audit of the software we use before we
bring stuff into production.
Cheers,
Niels
On 04-07-18 16:08, Roland Hedberg wrote:
Hi
On 4 Jul 2018, at 12:17, Ivan Kanakarakis <ivan.kanak at gmail.com> wrote:
On Wed, 4 Jul 2018 at 13:01, Niels van Dijk <niels.vandijk at surfnet.nl> wrote:
No worries (yet), this is not about issues we have uncovered.
We have the opportunity however to have a team from the GEANT
project review the code of SaToSa. We already had them do a review
of the InAcademia service itself, now they can look at the code.
I think that would be great! Is there a process for it? What is
checked; how; and what for?
I’d also like to know the answers to Ivan’s questions.
When we're talking about the SaToSa shell (front and backends) then
anyone looking for vulnerabilities must be very good at the specific
protocols used and have the mindset of a hacker. :-)
If that is the case here then I’m really, really looking forward to
the result.
If not then I frankly question whether the work is useful.
My 2 c
— Roland
The higher up you go, the more mistakes you are allowed. Right at the
top, if you make enough of them, it's considered to be your style.
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10
May 1899-1987)
--
Niels van Dijk Technical Product Manager Trust & Security
Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands