
vulnerability report #216

Open
gassechen opened this issue Jul 29, 2023 · 9 comments

Comments

@gassechen

Hello. A query. I am developing software in Common Lisp, with Hunchentoot. To be able to pass it on to production, they asked me for the vulnerability report. Where can I find that report?
The company works with the ISO/IEC 12207:2008 standard, so the auditors of the norm are the ones who ask for these things. I got the project accepted in Common Lisp, overcoming the preference for C#, Java and Python that the company has. What they asked me has me a bit baffled; I don't want to have to do it in C# or Python because I don't have that information. I thank all of you in advance for helping newbies develop in Common Lisp.

@gefjon
Contributor

gefjon commented Jul 29, 2023

I am not aware of anyone having done a vulnerability report on Hunchentoot. I'm not even sure what a vulnerability report means in this context, honestly.

@mdbergmann
Contributor

I think Hunchentoot is too plain, just an HTTP server, to have many vulnerabilities.
Many vulnerabilities come from applications on top of HTTP,
like Cross Site Scripting issues, SNI issues, etc.

@hanshuebner
Member

@gassechen No entity is providing a vulnerability report for Hunchentoot. The software is community maintained, and there are no formal security reporting and fix channels in place. If ISO/IEC 12207:2008 compliance is required by your organization, you need to prepare yourself to have the required audits be performed by an appropriate third party.

Sadly, the non-functional and non-technical requirements that are imposed by security-related compliance frameworks and standards make using niche languages and ecosystems difficult in organizations that use such frameworks. If your project is important enough, you may be able to discuss with your security department what precisely is required by them. Be prepared to provide them with a good description of your project and with a risk assessment that you did on your own. Depending on their workload and their flexibility, they may be willing and able to accommodate you, even though you are not able to back yourself up with what would be available with more popular language environments.

@gassechen
Author

I understand. Thanks, I'm going to use this software https://www.zaproxy.org/ and a bash script to automate the scanning and detection of vulnerabilities, and I hope it's enough for the security department, so I can continue using Common Lisp.

@gassechen
Author

[image attachment]

[image attachment]

@gassechen
Author

[image attachment]

@mdbergmann
Contributor

Response headers can be added as needed. There are tons that pen testers might suggest adding to prevent some form of attack or exploitation. But this also happens on state-of-the-art Java or other HTTP servers: they don't add all the response headers by default.

@gassechen
Author

Thank you. These are the results that this software gave me. Should I make an application in hunchentoot with the GET POST PUT and DELETE verbs to check for more vulnerability suggestions? See how I add the headers in hunchentoot?

@gassechen
Author

(defparameter *csp-header*  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'")

(easy-routes:defroute main ("/" :method :get) ()
  (let ((html (page-root)))
    ;; Generate the HTML using the table-list* function
    (setf (hunchentoot:content-type*) "text/html")
    (setf (hunchentoot:header-out "Content-Security-Policy") *csp-header*)
    (format nil "~a" html)))

all CSP
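Setting the header inside one route, as above, means every other route (and the default 404/error responses) still goes out without it, which is exactly what a scanner like ZAP keeps reporting. The following is an added example, not code from the thread or from the Hunchentoot project: it subclasses `easy-acceptor` and stamps a fixed set of security headers on every response from a `:before` method on `acceptor-dispatch-request`, which runs ahead of any handler. The package name, header values and port are assumptions; the CSP in particular must be tuned to what your pages actually load.

```lisp
;; Added example (not from the issue thread): one place to set the response
;; headers ZAP commonly flags as missing, applied to every Hunchentoot reply.
(ql:quickload :hunchentoot)

(defpackage :secure-headers-example
  (:use :cl)
  (:export #:start))
(in-package :secure-headers-example)

(defparameter *security-headers*
  '((:content-security-policy
     . "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; frame-ancestors 'none'")
    (:x-content-type-options . "nosniff")
    (:x-frame-options . "DENY")
    (:referrer-policy . "no-referrer"))
  "Headers added to every response. Values are assumed defaults, not the
thread's; adjust the CSP to the scripts, styles and images your app serves.")

(defparameter *hsts-header*
  "max-age=31536000; includeSubDomains"
  "Strict-Transport-Security. Browsers ignore it on plain HTTP, so it is only
sent when the acceptor itself terminates TLS (see below).")

(defclass secure-acceptor (hunchentoot:easy-acceptor) ()
  (:documentation "easy-acceptor that adds security headers to every reply."))

(defmethod hunchentoot:acceptor-dispatch-request :before
    ((acceptor secure-acceptor) request)
  (declare (ignore request))
  ;; *reply* is already bound here, and this runs before any route, so the
  ;; headers are present even on 404s and on errors from the default dispatcher.
  ;; A route may still override an individual header with its own setf.
  (loop for (name . value) in *security-headers*
        do (setf (hunchentoot:header-out name) value))
  (when (hunchentoot:acceptor-ssl-p acceptor)
    (setf (hunchentoot:header-out :strict-transport-security) *hsts-header*)))

(hunchentoot:define-easy-handler (root :uri "/") ()
  ;; No header code in the route itself; the acceptor has already set them.
  (setf (hunchentoot:content-type*) "text/html; charset=utf-8")
  "<html><body><h1>Hello from Hunchentoot</h1></body></html>")

(defun start (&key (port 8080))
  "Start the acceptor; then re-run the scan against http://localhost:PORT/."
  (hunchentoot:start (make-instance 'secure-acceptor :port port)))
```

If TLS is terminated by a reverse proxy in front of Hunchentoot, `acceptor-ssl-p` is false and HSTS should be emitted by the proxy instead, otherwise the scanner will still report it missing.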
