Discussion forums

Last time Liferay was scanned via Veracode

Wes Kempa, modified 8 years ago.

Last time Liferay was scanned via Veracode

New Member Posts: 24 Join date: 29/07/08 Recent posts
Information from http://www.veracode.com/ratings/liferay shows that Liferay has been "VerAfied" Since: 12/9/2013. But what about ongoing versions?

I would have to guess that Liferay runs this on an ongoing basis, but are these methodologies public? If so, I would like to gather these details for a Platinum Level Subscriber who is looking for the following details:

When was the last time Liferay was scanned via Veracode?
What was the Liferay version for the scan? (Service pack / build number)
What was the Security Quality Score for the scan?
Where can we obtain a copy of the scan results? We understand the disclosure policy, is it possible to obtain a copy minus the existing unpatched vulnerabilities / attack patterns?
Does the "VerAfied" imply no “very high”, “high” or “medium” severity vulnerabilities, nor any OWASP Top 10 or CWE/SANS Top 25 vulnerabilities were discovered in the application?

Any information that you could provide might be helpful at this point, thank you.
Samuel Kong, modified 8 years ago.

RE: Last time Liferay was scanned via Veracode

Liferay Legend Posts: 1902 Join date: 10/03/08 Recent posts
But what about ongoing versions?

Liferay Portal's Veracode verification is for Liferay Portal 6.2 EE. Other versions of Liferay Portal have not been verified.


are these methodologies public

Please see http://www.veracode.com/directory/what-it-means


When was the last time Liferay was scanned via Veracode?

We are constantly scanning the Portal for vulnerabilities.


What was the Security Quality Score for the scan?

There's no score associated with the VerAfied mark. It's a pass/not-pass system.


Does the "VerAfied" imply no “very high”, “high” or “medium” severity vulnerabilities, nor any OWASP Top 10 or CWE/SANS Top 25 vulnerabilities were discovered in the application?
From Veracode website:
Applications found to have no “very high”, “high” or “medium” severity vulnerabilities, nor any OWASP Top 10 or CWE/SANS Top 25 vulnerabilities that could be discovered using Veracode’s automated analysis may earn the VerAfied mark.
Wes Kempa, modified 8 years ago.

RE: Last time Liferay was scanned via Veracode

New Member Posts: 24 Join date: 29/07/08 Recent posts
Thank you Samuel, this is very helpful information.

When you say Liferay Portal's Veracode verification is for Liferay Portal 6.2 EE, does that include the newest service pack and build number, 6.2.EE.SP12?

Does Liferay target 100 for the Security Quality Score for the scan? For a client recently, we were getting 99 only because a Flash video player was found on the instance in some deep directory.

Once again, your information is very helpful. Thank you.
Samuel Kong, modified 8 years ago.

RE: Last time Liferay was scanned via Veracode

Liferay Legend Posts: 1902 Join date: 10/03/08 Recent posts
The verification is for Liferay Portal 6.2 EE and includes the various service packs.

If you think you found a specific issue, please submit a LESA ticket and the support team will help address the issue.