https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7028500#M3634 <P>Hi&nbsp;<a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1942556">@jp24</a></P><P>Are you finding these with OneView 4.00 or 4.10?<BR />The specific issue below you have stated:<BR /><SPAN>Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users<BR />This defect has been fixed in a more recent version of OneView yet to be released.<BR /><BR />On the below:<BR />Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project<BR />Did this come back as a violation in the pen-test result?<BR /><BR />Regards,<BR />Bhaskar<BR /><BR /></SPAN></P><P>&nbsp;</P> Fri, 14 Dec 2018 06:04:57 GMT BhaskarV 2018-12-14T06:04:57Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7028152#M3616 <P>As part of pen testing the following came back, is it possible to address these in OneView?</P><P>Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users</P><P>Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project</P> Tue, 11 Dec 2018 08:05:51 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7028152#M3616 jp24 2018-12-11T08:05:51Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7028500#M3634 <P>Hi&nbsp;<a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1942556">@jp24</a></P><P>Are you finding these with OneView 4.00 or 4.10?<BR />The specific issue below you have stated:<BR /><SPAN>Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users<BR />This defect has been fixed in a more recent version of OneView yet to be released.<BR /><BR />On the below:<BR />Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project<BR />Did this come back as a violation in the pen-test result?<BR /><BR />Regards,<BR />Bhaskar<BR /><BR /></SPAN></P><P>&nbsp;</P> Fri, 14 Dec 2018 06:04:57 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7028500#M3634 BhaskarV 2018-12-14T06:04:57Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7031515#M3759 <P>Hi Bhaskar,</P><P>Thank you for the reponse. These were related to version 4.10 of the Appliance.</P><P><SPAN>Username Enumeration - Are you able to advise which version this may be?</SPAN></P><P><SPAN>Security Response Headers - although not defined critical from pen-test results which i understand follow industry standards it was their findings,&nbsp; the calissifcation by the client may/see see it differently and prevent rollout.</SPAN></P> Thu, 17 Jan 2019 12:09:12 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7031515#M3759 jp24 2019-01-17T12:09:12Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7033189#M3828 <P>Hi&nbsp;<a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1942556">@jp24</a></P><P>The next upcoming OneView release right after 4.10, has the fix for the username enumeration problem.</P><P>On the request headers that are flagged as a violation by OWASP,&nbsp; can you share any details on that?</P><P>Regards.<BR />Bhaskar</P> Fri, 01 Feb 2019 06:43:30 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7033189#M3828 BhaskarV 2019-02-01T06:43:30Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7033651#M3866 <P>Redacted Feedback&nbsp;</P><P>Recommendation<BR />It is strongly recommended recommend that the following security response headers are implemented in their highlighted<BR />configuration:<BR /> X-XSS-Protection: 1; mode=block<BR /> Strict-Transport-Security: max-age=31536000; includeSubDomains<BR /> X-Content-Type-Options: nosniff<BR /> X-Frame-Options: deny<BR /> Cache-control: no store<BR /> Pragma: no-cache</P><P><BR />References &amp; Resources<BR /> <A href="https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers" target="_blank">https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers</A><BR /> <A href="https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006" target="_blank">https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006</A>)</P> Tue, 05 Feb 2019 14:00:28 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7033651#M3866 jp24 2019-02-05T14:00:28Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7033720#M3872 <P>Thanks&nbsp;<a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1942556">@jp24</a>&nbsp; for sharing these.<BR />Will check and respond.</P> Wed, 06 Feb 2019 04:43:40 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7033720#M3872 BhaskarV 2019-02-06T04:43:40Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7034888#M3916 <P>Hi&nbsp;<a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1942556">@jp24</a>&nbsp;</P><P>Sorry about the delay.<BR />The below headers are addressed in an upcoming release.<BR /><BR /><SPAN> X-XSS-Protection: 1; mode=block</SPAN><BR /><SPAN> X-Content-Type-Options: nosniff</SPAN><BR /><SPAN> X-Frame-Options: deny</SPAN><BR /><SPAN> Pragma: no-cache<BR /><BR /></SPAN>We are evaluating the below two still and we'll take them up approriately.<BR /> Cache-control: no store<BR /> Strict-Transport-Security: max-age=31536000; includeSubDomains<BR /><BR />Thank you.<BR /><BR />Regards,<BR />Bhaskar</P><P>&nbsp;</P> Fri, 15 Feb 2019 13:37:57 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7034888#M3916 BhaskarV 2019-02-15T13:37:57Z https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7037269#M3978 <P>Thank you for the update.</P> Wed, 06 Mar 2019 10:36:43 GMT https://community.hpe.com/t5/hpe-oneview/security-questions/m-p/7037269#M3978 jp24 2019-03-06T10:36:43Z