Posted to dev@ofbiz.apache.org by "Jonathon Wong (JIRA)" <ji...@apache.org> on 2008/04/29 05:09:55 UTC

[jira] Commented: (OFBIZ-1525) Issue to group current existing security concerns

    [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12592940#action_12592940 ] 

Jonathon Wong commented on OFBIZ-1525:
--------------------------------------

> Note that there are no *proved* security issues currently, just possible breaches.

Perhaps no one has taken the time to breach the security related to these issues. However, it doesn't take much time to do so! Certain "patterns" of security mechanisms are quite textbook; the violation of these "patterns" invariably means a security hole. Proving these textbook cases is easy via maths or logic. Proving via experimentation isn't much more difficult.

Is it a policy to wait for an actual reported breach before a textbook case is resolved? In some of my projects, I was subject to a "security audit" (like an "interview" for OFBiz) before I could even qualify for tender. None of my projects could use OFBiz security "as is"; they all needed a replacement security module.

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issues currently, just possible breaches.
> This issue should never be closed.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.