Another round of independent security audits for Jackson components


Tatu Saloranta

Feb 19, 2024, 10:13:36 PM
to jacks...@googlegroups.com
So, there is this article:

https://ostif.org/dataformatsdatatypes-audit-complete/

which goes over the results of the recent, second round of security audits
done by OSTIF and AdaLogics. I thought it might be of interest to
anyone interested in software security (including supply-chain attack
aspects).

It is pretty cool to work with experts in this area, and the
investigation uncovered a few issues, most of which were fixed almost
as quickly as they were uncovered.
And although many were not (in my opinion) necessarily important
security concerns (such as, say, the Ion format module throwing NPEs on
invalid content), practically all were things that were good to have
fixed (to report invalid content with an actual, meaningful declared
exception type, for example).

I also think it is great to have external validation/verification of
security aspects: due to the size and complexity of the Jackson codebase,
the authors are not always the best at identifying problem areas. So it is
invaluable to have extra pairs of eyes & new toolsets to drill into
potential problem areas.

Anyway, I thought that since this will probably do circles around OSS
software security circles, it's good to share ASAP.

-+ Tatu +-