On Friday, April 13, 2018 at 8:38:51 AM UTC-5, Jason Turner wrote:

> Hi Alex,
>
> Thanks for the rapid feedback. Before anything else I should say that we loved Clojure before using it at work, and we're even more in love now we are using it at work - a huge thank you to the core team and Rich, and a great community.
>
> Yes - I did see your previous comment, but as it was a long time back and I had a broader context it seemed useful to use a new post. I understand your point - making changes to avoid false positives is frustrating at best. At this point in time we are analysing to first see to what extent we can 'fix' these, and then what the picture looks like once they are 'fixed' (given that on top of these issues there will obviously be both false and real positives (presumably) in our own codebase (currently just a small prototype system)); so if we find any real issues we will definitely feed back to you, thanks. I think that we will anyway report back to you our findings on the core false positives - I understand you may not pick them up, but it seems a good source of info.
>
> Wrt the context - you are right there are several banks using Clojure - I have reached out a bit to get advice or experience, but so far not been able to find anyone who has had to do this and been successful. I think a key factor is that many banks operate (not without justification) quite different policies wrt their own home-built projects and services and products which they license from third party vendors; so I suspect that the majority of use is for in-house work - e.g. Capital One, Nubank.
>
> Anyhow I agree this isn't an issue for everyone - ironically and very frustratingly we are convinced that Clojure is actually facilitating security over e.g. Java in many many ways.
>
> For us the real challenge is to find a cost effective, (fairly) objective, scalable means of evidencing to our customers that the product has a robust security design: we are smallish and have a large customer base of large customers. Sorry to bother you with various questions around this - but wondering if you may have the experience or contacts to highlight some alternative avenue:
>
> - We are currently using HP Fortify which is not a bad product, but there are others such as Veracode. To my knowledge they are all broadly similar and none of them are currently providing anything Clojure friendly - but would you know of something more Clojure friendly?
>
> Sorry, I'm not aware of any better alternative.
>
> - Our current approach is based around this route of using known objective analysis - for all its shortcomings (it is painful enough in Java). We are just now pondering to what extent we could solidly demonstrate on a more 'hammock based' approach, i.e. list out a long list of vulnerability categories and cite the design and implementation approaches which mitigate or prevent. This is in itself useful and an extension of what we anyway do - but customer wise it is obviously not really 'objective'. A way to make it more strongly objective would be to use a third party - that may however be costly.
> - Similarly we are wondering to what extent we could expand the work we do in terms of ethical hacking / penetration testing - perhaps we could raise the bar there in terms of automation.
>
> You might want to talk to Aaron Bedra about some of this - he does security consulting and is deeply knowledgeable about Clojure systems as well (and spurred a lot of changes in the Clojure web frameworks to default to better security).
>
> Thanks again for your time.
