[ckan-discuss] CKAN security report?

Koebrick, Andrew (MNIT) andrew.koebrick at state.mn.us
Wed Oct 16 21:12:39 BST 2013


No, I don't think the report is overly sensitive. How's this: I will post it for a day or two so whoever wants it can download it. Then I will delete it from the public web:
http://www.mngeo.state.mn.us/CKAN_security.pdf

If anyone reads this email after the report has been yanked, just drop me a note and I will get you a copy.

Andrew


From: Rufus Pollock [mailto:rufus.pollock at okfn.org]
Sent: Tuesday, October 15, 2013 5:50 PM
To: Koebrick, Andrew (MNIT)
Cc: Maurizio Napolitano; ckan-discuss at lists.okfn.org
Subject: Re: [ckan-discuss] CKAN security report?

Hi Andrew,

This sounds like it could be useful and appreciate you may not want to share on-list (though I doubt the results of an automated tool are that sensitive). If you could put this up somewhere (perhaps password protected) that would be great!

Rufus

On 15 October 2013 18:36, Koebrick, Andrew (MNIT) <andrew.koebrick at state.mn.us> wrote:
I recently had our development instance of CKAN run through HP WebInspect, looking for vulnerabilities. The report is not that useful in that it is over 1864 pages long (!), due to reporting the same issues on every page where they are present (i.e. "Logins Sent Over Unencrypted Connection" shows up once for every language version, i.e. /sl/user/login and /ar/usr/login).

But if anyone would like to look at a copy I could put it up online someplace behind a generic username / password. I am a little hesitant to just post on our public site.

I did not see any deal stoppers, but confess I have not reviewed every one of the 5272 "vulnerabilities" found.

Andrew
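As an added example, not part of this thread and not a WebInspect feature: a small Python script that collapses scanner findings repeated across CKAN's locale-prefixed URLs (assumed here to take the form /<locale>/path, e.g. /sl/user/login or /pt_BR/dataset), so the number of distinct issues can be reviewed instead of one entry per language. The findings list and hostname are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings shaped like a flattened scanner export:
# (finding name, URL). Not taken from the report discussed in the thread.
SAMPLE_FINDINGS = [
    ("Logins Sent Over Unencrypted Connection", "http://ckan.example/sl/user/login"),
    ("Logins Sent Over Unencrypted Connection", "http://ckan.example/ar/user/login"),
    ("Logins Sent Over Unencrypted Connection", "http://ckan.example/user/login"),
    ("Logins Sent Over Unencrypted Connection", "http://ckan.example/de/user/login"),
    ("Missing HttpOnly Flag", "http://ckan.example/fr/dataset"),
    ("Missing HttpOnly Flag", "http://ckan.example/dataset"),
    ("Autocomplete Enabled", "http://ckan.example/pt_BR/user/register"),
]

# Assumed locale segment: two lowercase letters, optionally _REGION (pt_BR,
# zh_TW). Exactly two letters so that paths such as /api/... are not mistaken
# for a locale; the lookahead requires the segment to end at a slash.
LOCALE_PREFIX = re.compile(r"^/(?P<locale>[a-z]{2}(?:_[A-Za-z]+)?)(?=/|$)")


def strip_locale(path):
    """Return (locale or None, path with the leading locale segment removed)."""
    m = LOCALE_PREFIX.match(path)
    if not m:
        return None, path
    return m.group("locale"), path[m.end():] or "/"


def dedupe(findings):
    """Group findings by (name, locale-free path).

    Returns a dict mapping that key to the sorted list of locales on which
    the scanner reported it ("default" = no locale prefix), so each distinct
    issue is reviewed once while the affected language versions stay visible.
    """
    groups = defaultdict(set)
    for name, url in findings:
        locale, canonical = strip_locale(urlsplit(url).path or "/")
        groups[(name, canonical)].add(locale or "default")
    return {key: sorted(locales) for key, locales in groups.items()}


if __name__ == "__main__":
    for (name, path), locales in sorted(dedupe(SAMPLE_FINDINGS).items()):
        print(f"{name}: {path} (seen on {len(locales)} locale(s): {', '.join(locales)})")
```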



From: ckan-discuss-bounces at lists.okfn.org [mailto:ckan-discuss-bounces at lists.okfn.org] On Behalf Of Rufus Pollock
Sent: Tuesday, October 15, 2013 7:06 AM
To: Maurizio Napolitano
Cc: ckan-discuss at lists.okfn.org
Subject: Re: [ckan-discuss] CKAN security report?

Maurizio: CKAN was formally pen-tested by the UK government a couple of years ago and was fine. Be delighted to hear if others have done other security audits on CKAN.

Rufus

On 15 October 2013 09:14, Maurizio Napolitano <napo at fbk.eu> wrote:
Many people always ask me if CKAN has passed security tests.
Are there people on this list who have some reference document?
Thanks a lot!

_______________________________________________
ckan-discuss mailing list
ckan-discuss at lists.okfn.org
http://lists.okfn.org/mailman/listinfo/ckan-discuss
Unsubscribe: http://lists.okfn.org/mailman/options/ckan-discuss



--

Rufus Pollock

Founder and Executive Director | skype: rufuspollock | @rufuspollock<https://twitter.com/rufuspollock>

The Open Knowledge Foundation<http://okfn.org/>

Empowering through Open Knowledge
http://okfn.org/ | @okfn<http://twitter.com/OKFN> | OKF on Facebook<https://www.facebook.com/OKFNetwork> |  Blog<http://blog.okfn.org/>  |  Newsletter<http://okfn.org/about/newsletter>
