
Hi Dieter,
that's what I tried to explain, maybe not clearly enough ...
As you stated, the question of OTRS security is first of all a question of the base system (OS and used applications). After that, IMHO, you need a formal check of the OTRS (Perl) implementation. But it seems that nobody has done anything in this direction ;-)
regards Christoph
Dieter Ringhofer wrote:
Hi Christoph,
it isn't as easy as you try to handle it.
An application must conform to a decent level of security to be usable per se. If it offers insufficient security you can do whatever you want - it's quite unusable.
To illustrate it:
Windows with all of its backdoors is insecure. Therefore it can never be a reliable base for online business. Nevertheless, when your application is based on Windows (even an in-house application!) it is simply insufficient to double-check the application's internal security. You must do a lot more.
See the most trivial MS-Office hack: install a memory hook and you can forget every internal password security. It's a stupid implementation.
OTOH you can run a secure LAMP system. When you run an insecure application with it, the whole system becomes insecure.
OTRS is an online application. Therefore it must be secure in itself.
On 23.12.2009 08:25, Christoph Ohliger wrote:
Peter,
isn't that first of all a question of LAMP, modsecurity or whatever you use to implement/protect? Of course the formal testing requirement of OTRS may remain.
regards Christoph
Peter Sharp wrote:
In order to put OTRS on the outside of our firewall, or let traffic pass through to the OTRS system, they require it to be secure. Is there any sort of formal testing or security documentation about the security of OTRS 2.4.5 or other versions running on apache? Say security vulnerabilities checked for by a third party security-checking tool?
Thanks,
Peter
peter.sharp@xls.xerox.com
------------------------------------------------------------------------
--------------------------------------------------------------------- OTRS mailing list: dev - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/dev To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/dev
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/