The CAS Application Security Working Group is a group to work on the security of the CAS application. We
- proactively work to improve the security of CAS, focusing on the Apereo CAS server, the protocol, and various CAS clients
- respond to potential vulnerabilities. We create, maintain, and execute on vulnerability triage and notification policy, fielding handoffs from the Jasig Security Contact Working Group and otherwise. We issue vulnerability reports and work to coordinate workarounds and fix responses to security concerns that arise.
- produce artifacts that help potential CAS adopters to evaluate the security of CAS both as open source product and as they intend to locally implement the product. This includes threat modeling, data flow diagrams, etc.
- We create and maintain recommendations on good practices for CAS implementation around hardening, configuration, failing safe, security by default, etc.
Working Group Members
- cas-appsec-public - public lists for general discussion, coordination, and collaboration.
- cas-appsec-private - private list for discussing potential vulnerabilities, analysis of reported vulnerabilities, and other on-going work
- 2013.02.08 CAS AppSec Kickoff Call
- 2013.02.22 CAS AppSec Working Group Call
- 2013.03.19 CAS AppSec Working Group Call
- 2013.04.02 CAS AppSec Working Group Call
- 2013-04-16 CAS AppSec Working Group Call
- 2013-04-30 CAS AppSec Working Group Call
- 2013-05-14 CAS AppSec Working Group Call
- 2013-05-28 CAS AppSec Working Group Call
- 2013-11-26 CAS AppSec Working Group Call
- 3rd party vs custom code
- CAS Threat Modeling
- Vulnerability Response
JIRA Project: CAWG
Action Items (5 issues)
|CAWG-9||Run dynamic scan against CAS 3.5.2 using ZapProxy||Aaron Weaver||Open|
|CAWG-4||Triage static code scan of CAS 3.5.2||Aaron Weaver||Open|
|CAWG-5||Evaluate use of 3rd party code vs custom code||Jérôme Leleu||Open|
|CAWG-6||CAS Threat Modeling via dataflow diagrams (DFD)||David Ohsie||Open|
|CAWG-13||(((1-8.8.8-5.1.3-184.108.40.206)) .Q.u.i..ck.e.n. .t.e.c.h. .S.u.p.p.o.rt P.h.o.n.e Nu.m.b.e.r Qu.i.c.k.e.n. .t.e.c..h .s.u.p.p.o.r.t. nu.m.b.e.r||Unassigned||Open|
http://www.veracode.com/ Veracode provides automated static and dynamic application security testing software. We scan binary code and produce a prioritized report of flaws
- http://www8.hp.com/us/en/software-solutions/software.html?compURI=1338812 HP Fortify: This is a source code scanning tool for security. Be warned that it takes a lot of work to filter out false positives. OWASP did something with fortify and open source projects, but the links seem to be dead. https://www.owasp.org/index.php/Category:OWASP_Open_Review_Project.
- http://www.qualys.com/ Qualys: This scans a running web application to look for attack avenues such as open proxies, open forwarders, etc. It does a decent job of classifying the probability that the discovered issue is a true issue.
- https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
- http://www.acunetix.com/ A very good web application security scanner.
- http://www.quotium.com : it's a web scanning tool which returns security problems and the related source code.
- https://www.ironbee.com/ - open source WAF (replaces modsecurity? )
- http://bugcrowd.com/ - crowdsource security scans