{"id":19209,"date":"2016-04-06T21:27:17","date_gmt":"2016-04-06T19:27:17","guid":{"rendered":"https:\/\/owncloud.com\/?p=19209"},"modified":"2020-09-30T08:44:42","modified_gmt":"2020-09-30T08:44:42","slug":"blog-owncloud-releases-static-security-scan-results","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/blog-owncloud-releases-static-security-scan-results\/","title":{"rendered":"ownCloud Releases Static Security Scan Results"},"content":{"rendered":"<p>As an open source company we value our strong commitment to transparency and the importance of community. Only transparent and open processes allow customers and users to verify the security of their ownCloud.<\/p>\n<h2>A Proven Track Record of Open Source Security<\/h2>\n<p>ownCloud has a proven track record of open source security. We, for example,\u00a0<a href=\"https:\/\/owncloud.org\/security\/advisories\/\" target=\"_blank\" rel=\"noopener noreferrer\">publish detailed security advisories<\/a>\u00a0and regularly find security vulnerabilities within widely deployed third-party components.<\/p>\n<p>While\u00a0<a href=\"https:\/\/statuscode.ch\/2015\/09\/ownCloud-security-development-over-the-years\/\" target=\"_blank\" rel=\"noopener noreferrer\">nearly all critical issues are discovered internally<\/a>, we realize that no software can be completely secure and that more eyes can help to make our software even more secure.<\/p>\n<p>Because of this, we\u2019re running a\u00a0<a href=\"https:\/\/yeswehack.com\/programs\/owncloud-bug-bounty-program\" target=\"_blank\" rel=\"noopener noreferrer\">public and transparent bug bounty program<\/a>, making it possible to reward security researchers that find security issues within ownCloud server. 
In fact, our bounty program is even featured in\u00a0<a href=\"https:\/\/hackerone.box.com\/shared\/static\/4bswx4g1nx8f2kbrltx1orp0zhy6ij39.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">a recent HackerOne case study<\/a>\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/ownCloud\/status\/647078072265646080\" target=\"_blank\" rel=\"noopener noreferrer\">has been quoted as \u201cthe benchmark for a well-executed, successful HackerOne launch.\u201d<\/a><\/p>\n<p>Besides relying on internal and external security expertise, we also augment our security processes with several automated and semi-automated sources, one of them being the\u00a0<a href=\"http:\/\/www.veracode.com\/products\/static-analysis-sast\/source-code-security-analyzer\" target=\"_blank\" rel=\"noopener noreferrer\">Veracode Static Source Code Analyzer<\/a>. In keeping with our open source history, we are publishing the latest scan result for ownCloud Server today.<\/p>\n<h2>What is a Static Source Code Analyzer?<\/h2>\n<p>A static source code analyzer takes the source code of a program and tries to find bugs in it without running it. The one from Veracode is focused on finding security vulnerabilities.<\/p>\n<p>It does this by tracking the flow of data from the places where user-controllable input enters the program (so called \u201csources\u201d, such as $_GET) to known dangerous functions (so called \u201csinks\u201d, such as echo), and reporting every path on which the input reaches a sink without being validated or encoded on the way. Consider the following very simple example:<\/p>\n<pre><code>&lt;?php\n\n$var = $_GET['id'];\n\/\/ the user-controlled value is echoed back without HTML encoding\necho sprintf(\"You ordered %s\", $var);\n<\/code><\/pre>\n<p>In this case the analyzer would realize that $var is read from $_GET['id'], which is user-controlled input, and that the value is then printed directly back to the user without any encoding. 
This is a typical\u00a0<a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/79.html\" target=\"_blank\" rel=\"noopener noreferrer\">Cross-Site Scripting vulnerability (CWE-79)<\/a>: an attacker who gets a victim to open a crafted link can have script of their choosing executed in the victim\u2019s browser.<\/p>\n<p><em>Side remark: ownCloud sends a strict Content-Security-Policy header to mitigate Cross-Site Scripting vulnerabilities. So if you\u2019re using ownCloud with a modern browser that enforces CSP, you\u2019re likely protected against exploitation of a potential XSS vulnerability. CSP is a defence-in-depth measure, though, not a substitute for fixing the underlying bug.<\/em><\/p>\n<p>While static source code analyzers do not provide 100% security, we consider them a good addition to our other existing security processes. Only the combination of automated tools and strong internal and external security knowledge makes a secure solution possible.<\/p>\n<p>Please visit our dedicated\u00a0<a href=\"https:\/\/owncloud.com\/owncloud-on-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security page<\/a>\u00a0to\u00a0<a href=\"https:\/\/owncloud.com\/wp-content\/uploads\/2016\/04\/SummaryReport_ownCloud_Server_18_Mar_2016.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">download the scan results<\/a>\u00a0and gain greater detail about ownCloud\u2019s commitment to security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As an open source company we value our strong commitment to transparency and the importance of community. Only transparent and open processes allow customers and users to verify the security of their ownCloud. A Proven Track Record of Open Source Security ownCloud has a proven track record of open source security. 
We, for example,\u00a0publish detailed [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":78665,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[48],"tags":[220],"class_list":["post-19209","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/19209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=19209"}],"version-history":[{"count":0,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/19209\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/78665"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=19209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=19209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=19209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
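The source-to-sink reasoning the post describes, as an added example that is not part of the original post and not ownCloud's or Veracode's code: a toy taint analyzer in Python for a tiny, line-oriented subset of PHP. It treats the superglobals $_GET, $_POST, $_REQUEST and $_COOKIE as sources, echo and print as HTML output sinks, and htmlspecialchars, htmlentities, intval and an (int) cast as sanitizers; all three lists are assumptions made for the illustration, and SAMPLE is constructed input. POST_SNIPPET is the snippet from the post.

```python
import re
from dataclasses import dataclass

# Added example: toy source-to-sink taint analysis for a PHP subset.
# Source, sink and sanitizer lists are assumptions for illustration only.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")     # user-controlled input enters here
SANITIZERS = {"htmlspecialchars", "htmlentities", "intval"}  # assumed to neutralise taint for an HTML sink
VAR = re.compile(r"\$([A-Za-z_]\w*)")
CALL = re.compile(r"^([A-Za-z_]\w*)\s*\((.*)\)$")
ASSIGN = re.compile(r"^\$([A-Za-z_]\w*)\s*(\.?=)(?!=)\s*(.+)$")
SINK = re.compile(r"^(echo|print)\b\s*(.+)$")                # tainted data here is CWE-79


@dataclass
class Finding:
    line: int
    sink: str
    statement: str
    cwe: str = "CWE-79"


def split_top_level(expr, sep):
    """Split on `sep` only at parenthesis depth 0 and outside string literals."""
    parts, cur, depth, quote, i = [], [], 0, None, 0
    while i < len(expr):
        ch = expr[i]
        if quote:                                   # inside a string literal
            if ch == "\\":                          # keep an escaped character verbatim
                cur.append(expr[i:i + 2])
                i += 1
            else:
                cur.append(ch)
                if ch == quote:
                    quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            cur.append(ch)
        elif ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def is_tainted(expr, tainted):
    """True if `expr` can carry attacker-controlled data, given the tainted variable names."""
    expr = expr.strip()
    if expr.startswith("(int)"):                    # an integer cast cannot carry markup
        return False
    operands = split_top_level(expr, ".")
    if len(operands) > 1:                           # concatenation: tainted if any operand is
        return any(is_tainted(op, tainted) for op in operands)
    call = CALL.match(expr)
    if call:
        fn, args = call.groups()
        if fn in SANITIZERS:
            return False
        # any other function (sprintf, strtoupper, ...) is assumed to pass taint through
        return any(is_tainted(arg, tainted) for arg in split_top_level(args, ","))
    if SOURCES.search(expr):
        return True
    return any(name in tainted for name in VAR.findall(expr))


def analyze(php_source):
    """One pass over the statements: propagate taint through assignments, report tainted sinks."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        stmt = re.sub(r"\s//.*$", "", raw).strip().rstrip(";").strip()  # drop trailing // comment
        if not stmt or stmt.startswith(("<?php", "?>", "//", "#")):
            continue
        m = ASSIGN.match(stmt)
        if m:
            name, op, rhs = m.groups()
            if is_tainted(rhs, tainted) or (op == ".=" and name in tainted):
                tainted.add(name)
            else:
                tainted.discard(name)               # clean reassignment clears the taint
            continue
        m = SINK.match(stmt)
        if m and is_tainted(m.group(2), tainted):
            findings.append(Finding(lineno, m.group(1), raw.strip()))
    return findings


# The snippet from the post: $_GET['id'] flows through sprintf() into echo.
POST_SNIPPET = """<?php

$var = $_GET['id'];
echo sprintf("You ordered %s", $var);
"""

# Constructed sample: unsafe flows next to a sanitizer, a cast, and a .= that re-taints a variable.
SAMPLE = """<?php
$id = $_GET['id'];
$safe = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
$count = (int) $_GET['count'];
$msg = "Hello " . $safe;
echo sprintf("You ordered %s", $id);   // tainted: finding
echo $msg;                              // sanitized: no finding
echo "Count: " . $count;                // cast: no finding
$msg .= $_POST['comment'];
print $msg;                             // re-tainted: finding
"""

if __name__ == "__main__":
    for label, src in (("post snippet", POST_SNIPPET), ("sample", SAMPLE)):
        for f in analyze(src):
            print(f"{label}: line {f.line}: {f.cwe}, tainted data reaches {f.sink}: {f.statement}")
```

A real analyzer works on an abstract syntax tree and inter-procedural data flow, knows many more sink classes (SQL, file system, shell, headers) and distinguishes sanitizers per sink type, since htmlspecialchars() does nothing against SQL injection. The shape of the check is the same: every step between a source and a sink either encodes the value for that sink or passes the taint on.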