Shinyproxy: OWASP/Security Checks

Created on 9 Sep 2020  ·  3 Comments  ·  Source: openanalytics/shinyproxy

Hi there, an enterprise client is asking about an OWASP check for ShinyProxy - is there any detail you can give on checks you do or vulnerabilities that have been found and addressed?

All 3 comments

Hi @benkates,

Some customers went through pentesting and formal audits of their ShinyProxy infrastructure. We have worked with them to include minor changes to make the software OWASP proof. In the release notes of version 2.3.1 you will notice a lot of small security enhancements that originate in this exercise: https://shinyproxy.io/downloads/

Hope this helps!

Best,
Tobias

Thanks, we implemented the following and got no major risks from the pen test results:

server:
  frameOptions: SAMEORIGIN
  servlet:
    session:
      cookie:
        http-only: true
        secure: true
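A quick way to confirm that the settings in that comment are actually in effect on a running instance is to inspect the response headers it sends. The script below is an added example, not ShinyProxy's own code: it parses a raw HTTP response header block (as captured with `curl -i`, for instance) and reports whether `X-Frame-Options: SAMEORIGIN` is present and whether the session cookie carries the `HttpOnly` and `Secure` flags. The sample responses are constructed, and the session cookie name `JSESSIONID` is assumed (it is the Spring default).

```python
from typing import Dict, List, Set, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a raw HTTP response header block into (name, value) pairs.
    Repeated headers such as Set-Cookie are kept in order; names are lowercased."""
    headers: List[Tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_flags(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def check_hardening(raw: str, session_cookie: str = "JSESSIONID") -> Dict[str, bool]:
    """Check the three settings from the configuration above against a response."""
    result = {"frame_options_sameorigin": False, "cookie_http_only": False, "cookie_secure": False}
    for name, value in parse_headers(raw):
        if name == "x-frame-options" and value.upper() == "SAMEORIGIN":
            result["frame_options_sameorigin"] = True
        elif name == "set-cookie":
            cname, attrs = cookie_flags(value)
            if cname == session_cookie:  # assumed session cookie name
                result["cookie_http_only"] = "httponly" in attrs
                result["cookie_secure"] = "secure" in attrs
    return result


# Constructed sample: response from an instance with the settings applied.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure
Content-Type: text/html
"""

# Constructed sample: header missing and cookie without either flag.
UNHARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("unhardened", UNHARDENED_RESPONSE)):
        print(label, check_hardening(raw))
```

Any `False` in the output means the corresponding setting is not reaching the client, for example because a reverse proxy in front of ShinyProxy strips or rewrites the header.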

Hi @benkates

We are now also using OWASP Dependency Check to make sure we use no dependencies with known vulnerabilities.
More information can be found on our website https://shinyproxy.io/documentation/security/#secure-dependencies

The next major release of ShinyProxy will update the Keycloak and Docker dependencies to the latest version.
