Thanks a lot Aaron for getting in touch.
We are pretty much following all the practices you have listed - and I agree
that they overall have more impact than static analysis, and can do more to
lead to a secure deliverable; it is good though to note them and review to what
extent we can make th
Dragan our experience is that organisations often adopt something like
BlackDuck and then use that as their benchmark.
On Sun, Apr 15, 2018 at 10:59 AM, Dragan Djuric wrote:
> Hi all. Very interesting thread! I guess that not many Clojure developers
> are in this situation, but I hope many more
On Sun, Apr 15, 2018, 4:59 AM Dragan Djuric wrote:
> Hi all. Very interesting thread! I guess that not many Clojure developers
> are in this situation, but I hope many more will be; that would mean that
> Clojure got its foot in the door of the enterprise.
>
> Gregg, I need a little clarification
Hi all. Very interesting thread! I guess that not many Clojure developers
are in this situation, but I hope many more will be; that would mean that
Clojure got its foot in the door of the enterprise.
Gregg, I need a little clarification on the last thing you mentioned: Is a
dependency treated a
On Fri, Apr 13, 2018, 4:09 PM Aaron Bedra wrote:
> Penetration testing is something performed on an application, but a source
> code review of the language is certainly an interesting idea. My company
> does these all the time. I ran this by my folks and there was certainly
> interest. If we coul
Penetration testing is something performed on an application, but a source code
review of the language is certainly an interesting idea. My company does these
all the time. I ran this by my folks and there was certainly interest. If we
could publish the results and create a healthy discussion my
Thanks for the shout Alex. Jason reached out to me directly but I figured it
would be better to answer this for the broader group. I’ve got a lot of
thoughts around this and I am happy to dive deeper into any of these as well.
On the topic of static analysis, I don’t think that application stati
The socket repl is inherently not secure. It allows anyone to connect and
run arbitrary code on the process. However, by default it is not running -
you need to add extra system properties to start the server(s). If someone
can start your server with arbitrary system properties, I'd say that is
I'd love an independent penetration and security audit of the Clojure codebase.
Especially around the socket repl in a localhost restricted way and making sure
it's not exploitable.
I wonder how much it costs, and if Clojurists Together could have one funded.
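Alex's point above (the socket REPL only exists when a `clojure.server.*` system property is set) and Jason's wish to see it reviewed "in a localhost restricted way" both come down to how the server is bound. The following is an added example, not code from the thread or from the Clojure project: it starts a socket REPL programmatically with `clojure.core.server/start-server`, binds it explicitly to 127.0.0.1 rather than relying on any default, and checks the resulting bind with `ServerSocket.getInetAddress`. The server name `repl` and port `5555` are arbitrary choices for this example.

```clojure
;; Added example, not from the mailing-list thread: start the Clojure
;; socket REPL bound to the loopback interface only, then verify the bind.
;;
;; The same server can be started without code by passing a system
;; property to the JVM, for example:
;;   java -Dclojure.server.repl="{:port 5555 :accept clojure.core.server/repl :address \"127.0.0.1\"}" \
;;        -cp clojure.jar clojure.main
;; With no clojure.server.* property set, no socket server is started.
(ns repl-bind-check
  (:require [clojure.core.server :as server])
  (:import [java.net ServerSocket InetAddress]))

(def server-name "repl")   ; assumed name for this example
(def server-port 5555)     ; assumed port for this example

(defn start-loopback-repl
  "Start a socket REPL that only listens on 127.0.0.1.
   Returns the java.net.ServerSocket that start-server creates.
   Anyone who can reach this socket can evaluate arbitrary code in the
   process, so the bind address is the whole security boundary."
  []
  (server/start-server {:name    server-name
                        :port    server-port
                        :address "127.0.0.1"
                        :accept  'clojure.core.server/repl}))

(defn loopback-only?
  "True when the server socket is bound to a loopback address, i.e. it
   cannot be reached from another host. A socket bound to 0.0.0.0 or to
   a routable interface address returns false."
  [^ServerSocket sock]
  (let [^InetAddress addr (.getInetAddress sock)]
    (boolean (and addr (.isLoopbackAddress addr)))))

(defn -main [& _]
  (let [sock (start-loopback-repl)]
    (try
      (println "socket REPL bound to" (str (.getInetAddress sock))
               "port" (.getLocalPort sock))
      (println "loopback only?" (loopback-only? sock))
      (finally
        ;; stop-server closes the listening socket registered under this name
        (server/stop-server server-name)))))
```

Run it with `clojure -M -m repl-bind-check` (or `java -cp clojure.jar clojure.main -m repl-bind-check` with the file on the classpath). The check is worth keeping next to any deployment that enables a socket REPL: it fails loudly if someone later changes `:address` to `0.0.0.0` to make remote debugging "easier", which is exactly the exposure Alex describes.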
Excellent Alex - thanks a lot.
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from
On Friday, April 13, 2018 at 8:38:51 AM UTC-5, Jason Turner wrote:
>
> Hi Alex,
>
> Thanks for the rapid feedback. Before anything else I should say that we
> loved Clojure before using it at work, and we're even more in love now we
> are using it at work - a huge thank you to the core team and
Hi Alex,
Thanks for the rapid feedback. Before anything else I should say that we
loved Clojure before using it at work, and we're even more in love now we
are using it at work - a huge thank you to the core team and Rich, and a
great community.
Yes - I did see your previous comment but as was
Hey Jason,
I have looked at the Fortify reports and as you mention, it contains thousands
of items. I spent some time looking at it and while I did not examine every
item, 100% of the items I did look at were either a false positive or
unimportant. We have no plans to satisfy Fortify by “fixing
We work providing software to banks, partly in cloud but largely on premise
products.
We have been Java based for many years, but now looking to move to Clojure
as we all love it. While on almost every front it is looking good, our
market causes us to need to clearly demonstrate a high level of