Hi, we have just analyzed the 'Telerik.Web.UI' source code with the commercial tool owned by our final customer: Parasoft DotTEST 9.3.
We carried out a security check of the source code as recommended by the OWASP Top 10; the result has been discouraging, as we found nearly 500 serious (level 1) violations:
[494] Security (BD.SECURITY)
    [438] Prevent exposure of sensitive data (BD.SECURITY.SENS-1)
    [10] Protect against file name injection (BD.SECURITY.TDFNAMES-1)
    [8] Protect against network resource injection (BD.SECURITY.TDNET-1)
    [2] Protect against HTTP response splitting (BD.SECURITY.TDRESP-1)
    [36] Protect against XSS vulnerabilities (BD.SECURITY.TDXSS-1)
[1] Security inspection (CS.SEC)
    [1] Use SecureString instead of String for password (CS.SEC.SSFP-2)
[28] Security Inspection (License Required) (SEC)
    [28] Always cleanup before an exception filtering method is invoked (SEC.ACWFB-3)
This situation could cause rejection by the customer of your product (Rad Control for asp.net Ajax).
I'm sure you've already dealt with similar situations; we are sure Telerik has a justification for this behavior that reassures our customer about the quality of your product.
Please tell us how to solve this problem.
Could you let me know an email address where I can send the detailed violations report?
Thank you in advance,
Federico