[ckan-discuss] CKAN security report?

Joel Natividad joel.natividad at ontodia.com
Wed Oct 16 00:49:51 BST 2013


Hi Rufus,
We're working with some security folks at a well-known university and we're wondering if it's ok to do penetration testing with demo.ckan.org.

Was under the impression that it had the latest release and is reset periodically.

Is it OK?

Thanks,
Joel

Sent from my mobile phone

> On Oct 15, 2013, at 6:49 PM, Rufus Pollock <rufus.pollock at okfn.org> wrote:
> 
> Hi Andrew,
> 
> This sounds like it could be useful and appreciate you may not want to share on-list (though I doubt the results of an automated tool are that sensitive). If you could put this up somewhere (perhaps password protected) that would be great!
> 
> Rufus
> 
> 
>> On 15 October 2013 18:36, Koebrick, Andrew (MNIT) <andrew.koebrick at state.mn.us> wrote:
>> I recently had our development instance of CKAN run through HP WebInspect, looking for vulnerabilities. The report is not that useful in that it is over 1864 pages long (!), due to reporting the same issues on every page where they are present (i.e. “Logins Sent Over Unencrypted Connection” shows up once for every language version, i.e. /sl/user/login and /ar/usr/login).
>> 
>> But if anyone would like to look at a copy I could put it up online someplace behind a generic username / password .  I am a little hesitant to just post on our public site.
>> 
>> I did not see any deal stoppers, but confess I have not reviewed every one of the 5272 “vulnerabilities” found.
>> 
>> Andrew
>> 
>> From: ckan-discuss-bounces at lists.okfn.org [mailto:ckan-discuss-bounces at lists.okfn.org] On Behalf Of Rufus Pollock
>> Sent: Tuesday, October 15, 2013 7:06 AM
>> To: Maurizio Napolitano
>> Cc: ckan-discuss at lists.okfn.org
>> Subject: Re: [ckan-discuss] CKAN security report?
>> 
>> Maurizio: CKAN was formally pen-tested by the UK government a couple of years ago and was fine. Be delighted to hear if others have done other security audits on CKAN.
>> 
>> Rufus
>> 
>> On 15 October 2013 09:14, Maurizio Napolitano <napo at fbk.eu> wrote:
>> 
>> Many people always ask me if CKAN has passed security tests.
>> Are there people on this list who have some reference document?
>> Thanks a lot!
>> 
>> _______________________________________________
>> ckan-discuss mailing list
>> ckan-discuss at lists.okfn.org
>> http://lists.okfn.org/mailman/listinfo/ckan-discuss
>> Unsubscribe: http://lists.okfn.org/mailman/options/ckan-discuss
>> 
>> --
>> 
>> Rufus Pollock
>> Founder and Executive Director | skype: rufuspollock | @rufuspollock
>> The Open Knowledge Foundation
>> Empowering through Open Knowledge
>> http://okfn.org/ | @okfn | OKF on Facebook |  Blog  |  Newsletter
>> 
> 
> 
> 
> -- 
> Rufus Pollock
> Founder and Executive Director  |  skype: rufuspollock  |  @rufuspollock
> The Open Knowledge Foundation
> Empowering through Open Knowledge
> http://okfn.org/  |  @okfn  |  OKF on Facebook  |  Blog  |  Newsletter
> _______________________________________________
> ckan-discuss mailing list
> ckan-discuss at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/ckan-discuss
> Unsubscribe: http://lists.okfn.org/mailman/options/ckan-discuss
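The duplication Andrew describes (one finding per locale-prefixed copy of the same CKAN view, such as /sl/user/login and /ar/user/login) is easy to collapse before anyone reads the report. The following is an added example, not code from the thread, from CKAN or from HP WebInspect. It assumes the scanner output can be exported as (check name, URL path) rows, and that CKAN's locale prefix is a two-letter language code optionally followed by a region or script tag (an assumption; a real run should pass the instance's enabled locales via the `locales` argument). The sample findings are constructed, not rows from the report discussed above.

```python
import re
from collections import defaultdict

# Assumption: CKAN mounts every page under an optional locale prefix, so
# /sl/user/login, /ar/user/login and /pt_BR/user/login all serve /user/login.
# Matches a two-letter ISO 639-1 code with an optional region/script tag.
# Three-letter first segments such as /api or /tag are deliberately not matched.
LOCALE_SEGMENT = re.compile(r"^/([a-z]{2})(?:[_-][A-Za-z]{2,4})?(?=/|$)")


def normalize_path(path, locales=None):
    """Return `path` with any leading locale segment removed.

    If `locales` (an iterable of enabled locale codes, e.g. {"en", "sl", "ar"})
    is given, only those exact prefixes are stripped; otherwise any first
    segment shaped like a locale code is stripped.
    """
    m = LOCALE_SEGMENT.match(path)
    if not m:
        return path
    code = m.group(0)[1:]          # drop the leading slash
    if locales is not None and code not in locales:
        return path
    return path[m.end():] or "/"


def dedupe_findings(findings, locales=None):
    """Collapse (check, path) pairs that differ only in their locale prefix.

    Returns {(check, canonical_path): sorted list of the original paths}.
    """
    grouped = defaultdict(set)
    for check, path in findings:
        grouped[(check, normalize_path(path, locales))].add(path)
    return {key: sorted(paths) for key, paths in grouped.items()}


def summarize(findings, locales=None):
    """One line per unique (check, canonical path) with the number of URLs it covered."""
    lines = []
    for (check, path), paths in sorted(dedupe_findings(findings, locales).items()):
        lines.append(f"{check}\t{path}\t{len(paths)} URL(s)")
    return lines


# Constructed sample rows; not taken from the WebInspect report mentioned on the list.
SAMPLE_FINDINGS = [
    ("Logins Sent Over Unencrypted Connection", "/user/login"),
    ("Logins Sent Over Unencrypted Connection", "/sl/user/login"),
    ("Logins Sent Over Unencrypted Connection", "/ar/user/login"),
    ("Logins Sent Over Unencrypted Connection", "/pt_BR/user/login"),
    ("Missing X-Frame-Options Header", "/dataset"),
    ("Missing X-Frame-Options Header", "/de/dataset"),
    ("Missing X-Frame-Options Header", "/de/dataset/new"),
    ("Missing X-Frame-Options Header", "/api/3/action/package_list"),
]

if __name__ == "__main__":
    raw = len(SAMPLE_FINDINGS)
    unique = len(dedupe_findings(SAMPLE_FINDINGS))
    print(f"{raw} raw findings -> {unique} unique (check, path) pairs")
    for line in summarize(SAMPLE_FINDINGS):
        print(line)
```

The point of keeping the original paths in each group rather than just counting them is triage: a finding that appears on every locale is a template or middleware issue (one fix), while a finding on a single locale is worth a second look, since it may be a different page altogether that merely happens to start with a two-letter segment.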