Security - Development
- ✔ Suppress emails from dev.islg
- ✔ May 2019 scan - results
- ✔ Execute OWASP follow-up scan
- ✔ High (Medium) SQL injection 1
- ✔ High (Medium) SQL injection 2 - Microsoft SQL Server
- ✔ High (Medium) Remote OS Command Injection
- ✔ Medium (Medium) Format String Error
- ✔ High (Medium) Cross Site Scripting (Reflected) - PENDING TESTING
- ✔ Medium (Medium) Application Error Disclosure - PENDING TESTING
- ✔ Medium (Medium) Directory Browsing - PENDING TESTING
- ✔ Encrypt Notepad Details
- ✔ Research security standards for ISLG to adhere to
- ✔ Delete Administrator Comments from user accounts
- ✔ Carbon60 - Request infrastructure & server security standards info
- ✔ Problem with FTS bookmark links re Refine Search filters
Are we still working through resolving these to-do's?
Thanks,
Morgan
We are working on the Remote OS Command Injection and Format String Error tasks simultaneously. Both tasks need R & D to resolve the error.
We will keep you updated.
Morgan
I know that resources are 100% dedicated to the ISLG Rebuild and HTML Conversion projects. However, I think we should still dedicate some time each week to continue working through the outstanding security issues flagged in this to-do list. Also, I'm sure issues resolved in the current application could help inform the team to prevent the same issue from coming up again in the new ISLG and ILG. What are your thoughts on how to allocate resources appropriately?
Thanks,
Morgan
An additional note on the above. I discussed this with
Thanks,
Morgan
We have already analyzed some of the security development tasks and found that some tasks need a fundamental change to the current ISLG application structure.
(For example, the SQL Injection - 1 and SQL Injection - 2 tasks both need changes to the Querystring structure that we pass as parameters in the application's URL.)
Please note that we have developed the new ISLG architecture to prevent all security aspects. Hence, security-related issues will never be found in the new ISLG application.
But we will definitely look into the current Security Development tasks and try to resolve as many as possible.
Could you please tell us whether the Security Development tasks are high priority or not?
That makes sense. We can avoid the tasks that require fundamentally changing the application structure, as long as we're ensuring the new application will not have the same issues.
How about this:
Let us know if that approach makes sense.
Thanks,
Morgan
We can discuss this during our call in 20 minutes, but just confirming that you're planning to perform an updated security scan to identify any high priority problems on the current ISLG application.
Thanks,
Morgan
Regarding the security issues you listed in the current ISLG: I have studied those points and found the reason behind them. The major factor in those points is the URL. In the current ISLG, parameters/data are passed in the URL, and this causes security issues like injection. So I am planning to omit all parameters from the URL; in the new ISLG site we are developing it that way, and all actions/operations will be partial rendering with AJAX.
In short, Add/Edit will be rendered in the browser for each functionality without changing the URL, so when you refresh it will display the original page in the browser.
Please find attached video of screen capture for better understanding.
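As an added illustration of the SQL injection findings (SQL Injection 1 and 2, traced above to parameters passed in the query string) and of the proposed move to AJAX partial rendering, the script below is example code written for this page, not ISLG code or a description of its handlers. It assumes a hypothetical document search with a `q` parameter and uses an in-memory SQLite table as a stand-in for the Microsoft SQL Server database; the payload and rows are constructed. It runs the same attacker value through a handler that reads `q` from the URL and through one that reads `q` from a JSON POST body, against a query built by string concatenation and against a parameterized query, so the reader can see which of the two changes actually stops the injection.

```python
import json
import sqlite3
from urllib.parse import parse_qs, urlencode


def make_db():
    """Constructed stand-in for the application database (SQLite, not MS SQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        INSERT INTO documents VALUES (1, 'Public guidance', 1);
        INSERT INTO documents VALUES (2, 'Internal memo', 0);
        """
    )
    return conn


def search_vulnerable(conn, term):
    """Search term spliced into the SQL text: the pattern the scanner flags."""
    sql = (
        "SELECT id, title FROM documents "
        "WHERE public = 1 AND title LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same search with the term bound as a parameter, so it can only be data."""
    sql = "SELECT id, title FROM documents WHERE public = 1 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def handle_get(conn, query_string, search):
    """Current design: the term arrives in the URL as ?q=..."""
    term = parse_qs(query_string).get("q", [""])[0]
    return search(conn, term)


def handle_ajax_post(conn, body, search):
    """Proposed design: the same term arrives in an AJAX POST body, URL unchanged."""
    term = json.loads(body).get("q", "")
    return search(conn, term)


# Constructed attacker input. The quote closes the LIKE literal, OR 1=1 widens
# the WHERE clause past the public = 1 check, and -- comments out the rest.
PAYLOAD = "x%' OR 1=1 --"
GET_QUERY = urlencode({"q": PAYLOAD})      # q=x%25%27+OR+1%3D1+--
AJAX_BODY = json.dumps({"q": PAYLOAD})     # {"q": "x%' OR 1=1 --"}


def demo():
    """Run the payload through every transport/query combination."""
    conn = make_db()
    return {
        "get_vulnerable": handle_get(conn, GET_QUERY, search_vulnerable),
        "ajax_vulnerable": handle_ajax_post(conn, AJAX_BODY, search_vulnerable),
        "get_safe": handle_get(conn, GET_QUERY, search_safe),
        "ajax_safe": handle_ajax_post(conn, AJAX_BODY, search_safe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both concatenating handlers return the non-public row as well as the public one, whether the payload came in the URL or in the AJAX body; both parameterized handlers return nothing, because the whole value is matched as a literal pattern. Moving parameters out of the URL changes where the scanner sees them, not whether they reach the query, so the fix that closes SQL Injection 1 and 2 is the parameterized query (or equivalent stored-procedure parameters on SQL Server), which can be applied to the current application as well as the new one.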
Regardless,
Thanks,
Morgan
The scan completed yesterday and I'm currently reviewing the results. I'll post the report later today.
Thanks!
Ryan
Morgan
It will not create any problem in any functionality. Especially regarding the bookmarks you mentioned, they will be managed by business logic. All functionality/cases are in our hands, so we will implement the business logic or functionality in such a way that we achieve all functionality. So don't worry about it.
Thanks,
Jitesh
Thanks,
Morgan