edicl / hunchentoot

Web server written in Common Lisp
https://edicl.github.io/hunchentoot/

vulnerability report #216

Open gassechen opened 1 year ago

gassechen commented 1 year ago

Hello. A query. I am developing software in Common Lisp, with Hunchentoot. To be able to pass it on to production, they asked me what the vulnerability report is. Where can I find that report? The company works with the ISO/IEC 12207:2008 standard, so the auditors of the norm are the ones who ask for these things. I got the project accepted in Common Lisp, overcoming the preferences for C#, Java and Python that the company has. And what they asked me has me a bit baffled; I don't want to have to do it in C# or Python because I don't have that information. I thank all of you in advance for helping newbies develop in Common Lisp.

gefjon commented 1 year ago

I am not aware of anyone having done a vulnerability report on Hunchentoot. I'm not even sure what a vulnerability report means in this context, honestly.

mdbergmann commented 1 year ago

I think Hunchentoot is too plain, just an HTTP server, to have many vulnerabilities. Many vulnerabilities come from applications on top of HTTP, like Cross Site Scripting issues, SNI issues, etc.

hanshuebner commented 1 year ago

@gassechen No entity is providing a vulnerability report for Hunchentoot. The software is community maintained, and there are no formal security reporting and fix channels in place. If ISO/IEC 12207:2008 compliance is required by your organization, you need to prepare yourself to have the required audits be performed by an appropriate third party.

Sadly, the non-functional and non-technical requirements that are imposed by security-related compliance frameworks and standards make using niche languages and ecosystems in organizations that use such frameworks difficult. If your project is important enough, you may be able to discuss with your security department what precisely is required by them. Be prepared to provide them with a good description of your project and with a risk assessment that you did on your own. Depending on their workload and their flexibility, they may be willing and able to accommodate you, even though you are not able to back yourself with what would be available with more popular language environments.

gassechen commented 1 year ago

I understand. Thanks, I'm going to use this software https://www.zaproxy.org/ and a bash script to automate the scanning and detection of vulnerabilities, and I hope it's enough for the security department, so I can continue using Common Lisp.

gassechen commented 1 year ago

[two screenshots of the ZAP scan results, not reproduced here]

gassechen commented 1 year ago

[screenshot of the ZAP scan results, not reproduced here]

mdbergmann commented 1 year ago

Response headers can be added as needed. There are tons that pen testers might suggest adding to prevent some form of attack or exploitation. But this also happens on state-of-the-art Java or other HTTP servers: they don't add all the response headers by default.

gassechen commented 1 year ago

Thank you. These are the results that this software gave me. Should I make an application in Hunchentoot with the GET, POST, PUT and DELETE verbs to check for more vulnerability suggestions? See how I add the headers in Hunchentoot?

gassechen commented 1 year ago

(defparameter *csp-header*
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'")

(easy-routes:defroute main ("/" :method :get) ()
  ;; Generate the HTML using the table-list* function
  (let ((html (page-root)))
    (setf (hunchentoot:content-type*) "text/html")
    (setf (hunchentoot:header-out "Content-Security-Policy") *csp-header*)
    (format nil "~a" html)))

all CSP
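The route above sets the CSP on one handler only, so every other route (and Hunchentoot's own error pages) would still go out without it. The following is an added example, not code from this thread or from the Hunchentoot project, showing how to attach a baseline set of response headers to the acceptor so that they are set for every request before any route runs. It assumes Hunchentoot is loadable through Quicklisp; the class name `hardened-acceptor`, the parameter `*security-headers*` and the `root` handler are illustrative names chosen here, and the header values are one reasonable starting point, not a recommendation from the maintainers.

```lisp
;;; Added example, not from the issue thread or from Hunchentoot itself.
;;; Assumes Hunchentoot is available via Quicklisp. HARDENED-ACCEPTOR,
;;; *SECURITY-HEADERS* and ROOT are illustrative names chosen for this example.
(ql:quickload :hunchentoot)

;;; Subclass the easy acceptor so the header policy belongs to the server,
;;; not to each individual route.
(defclass hardened-acceptor (hunchentoot:easy-acceptor) ())

;;; Baseline response headers as (keyword . value) pairs. Hunchentoot turns the
;;; keyword into the capitalized wire name (e.g. Content-Security-Policy).
;;; Strict-Transport-Security is left out on purpose: it only has meaning on
;;; an HTTPS acceptor, so add it there rather than on a plain HTTP listener.
(defparameter *security-headers*
  '((:content-security-policy
     . "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; frame-ancestors 'none'")
    (:x-content-type-options . "nosniff")
    (:x-frame-options . "DENY")
    (:referrer-policy . "no-referrer")))

;;; ACCEPTOR-DISPATCH-REQUEST is called once per request with *REPLY* already
;;; bound, so a :BEFORE method on our subclass sets the headers before any
;;; handler is looked up. A route that needs a different value can still
;;; override one header by calling (SETF HEADER-OUT) itself.
(defmethod hunchentoot:acceptor-dispatch-request :before
    ((acceptor hardened-acceptor) request)
  (declare (ignore request))
  (loop for (name . value) in *security-headers*
        do (setf (hunchentoot:header-out name) value)))

;;; A plain route; it no longer has to know anything about security headers.
(hunchentoot:define-easy-handler (root :uri "/") ()
  (setf (hunchentoot:content-type*) "text/html")
  "<!doctype html><title>hello</title><p>hello</p>")

(defvar *server* nil
  "The running HARDENED-ACCEPTOR instance, or NIL when stopped.")

(defun start-server (&optional (port 8080))
  "Start the hardened acceptor on PORT and remember it in *SERVER*."
  (setf *server* (hunchentoot:start (make-instance 'hardened-acceptor :port port))))

(defun stop-server ()
  "Stop the acceptor started by START-SERVER, if any."
  (when *server*
    (hunchentoot:stop *server*)
    (setf *server* nil)))
```

After `(start-server)`, a `curl -i http://localhost:8080/` should show the four headers on the root page, and requesting a URI with no handler should show them on the 404 page as well, since they live on the shared reply object rather than on a handler's return value. That is the practical difference from setting them inside `defroute`: a scanner such as ZAP walks every path it can find, and a per-route approach leaves every forgotten path uncovered.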