...

General OWASP Top Ten info can go here ???? - go through the top 10 (where applicable). Put details under uPortal. All of the following except - need an explanation of why 3, 8 and 9 don't apply to certain Jasig projects (9 could apply to CAS).

  1. Cross-site scripting
  2. SQL injection
  3. Indirect object reference - synthetic keys (user 8 tries to view user 9 - doesn't work). All uPortal channels perform an authorization check.
  4. CSRF - follow a request-redirect approach: every request has to validate, and then the action redirects. Data leak protection is almost impossible - JavaScript sandboxing.
  5.  
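As an added example (not code from the Jasig wiki or from uPortal itself), the following Python sketch shows the two controls named in items 3 and 4 above: an object-reference check that refuses user 8's request for user 9's profile, and a CSRF token check on a state-changing POST that, on success, answers with a redirect so the action is never replayed by a refresh. The `Session`, `Request`, `Response`, `PROFILES` names and the sample data are assumptions constructed for this example.

```python
"""
Added example, not part of the original page or of uPortal.

1. Object reference: the handler resolves the id in the request, then checks
   that the requesting user may see that object before rendering it.
2. CSRF: a state-changing POST must carry the per-session token; only after it
   validates does the action run, and the reply is a redirect (POST-redirect-GET).
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumption): opaque profile id -> owner and contents.
PROFILES = {
    "p-8": {"owner": 8, "email": "user8@example.org"},
    "p-9": {"owner": 9, "email": "user9@example.org"},
}


@dataclass
class Session:
    """Hypothetical server-side session: who is logged in, plus a CSRF token."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Hypothetical parsed HTTP request."""
    method: str
    path: str
    params: dict
    session: Session


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


def can_view(session: Session, profile_id: str) -> bool:
    """Authorization check: the caller must own the referenced profile."""
    profile = PROFILES.get(profile_id)
    return profile is not None and profile["owner"] == session.user_id


def handle_view(req: Request) -> Response:
    """GET /profile?id=... - user 8 asking for p-9 is refused."""
    profile_id = req.params.get("id", "")
    if not can_view(req.session, profile_id):
        # Same answer whether the id is unknown or belongs to someone else,
        # so the response does not reveal which ids exist.
        return Response(403, "forbidden")
    return Response(200, PROFILES[profile_id]["email"])


def csrf_ok(req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    supplied = req.params.get("csrf", "")
    return hmac.compare_digest(supplied, req.session.csrf_token)


def handle_update(req: Request) -> Response:
    """POST /profile - validate first, act, then redirect."""
    if req.method != "POST" or not csrf_ok(req):
        return Response(403, "csrf check failed")
    profile_id = req.params.get("id", "")
    if not can_view(req.session, profile_id):
        return Response(403, "forbidden")
    PROFILES[profile_id]["email"] = req.params.get("email", "")
    # 303 See Other: the browser follows with a GET, so a refresh cannot
    # resubmit the action.
    return Response(303, location=f"/profile?id={profile_id}")
```

In a real portal the token would be rendered into each form and the ownership rule would come from the portlet's own data model; the shape of the checks (authorize the reference, validate the token, then redirect) is what the outline above describes.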

...

  • uPortal
    • reference to "becoming a uPortal committer" (on wiki) ???
    • uPortal Framework
      • why OWASP 3,8,9 don't apply
    • Bundled Portlets - just fall under governance?
    • Other Jasig Portlets - just fall under governance?
    • Custom Portlets (writing your own) - disclaimer regarding home-grown portlets (uPortal always sends back only the attributes for the specific portlets which should have access). Portlets don't have access to the portal's attributes unless an attribute is specifically put into that portlet.
  • CAS
    • But they are just web apps on your server.
    • why OWASP 3, 8 don't apply

...

Outside Security Efforts

The nature of the open source community requires input and assistance from various users throughout the community. Here is a list of security efforts made by users of Jasig projects who were willing to share their findings.

...

References

...

*** Disclaimer ***

John Lews to write.