12-11-2018 12:05 AM
Security Questions
As part of pen testing, the following came back; is it possible to address these in OneView?
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
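The first finding above, a login endpoint that answers differently for existing and non-existing users, is easiest to see next to the fix. The following is an added example written for this thread, not code from OneView or from HPE; the user store, the `login_leaky` / `login_uniform` handlers and the `distinguishable` helper are constructed for illustration. The hardened handler returns the same status and message either way and still runs the password hash for unknown users, so neither the response body nor the response time tells the two cases apart.

```python
"""Username enumeration: a leaky login handler beside a uniform one.

Added example for illustration; not from OneView or HPE. The user store,
salts and passwords below are constructed.
"""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """Toy password hashing for the example (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"  # constructed; a real store uses a random salt per user
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}  # constructed user store

# Dummy credential so unknown usernames still pay the same hashing cost.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login_leaky(username: str, password: str):
    """Vulnerable pattern: different status codes and messages, and no hashing
    work at all for unknown users, reveal which usernames exist."""
    if username not in USERS:
        return 404, "Unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Welcome"
    return 401, "Wrong password"


def login_uniform(username: str, password: str):
    """Hardened pattern: identical status and message for a missing user and a
    wrong password, and the same amount of work in both cases."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def distinguishable(handler, known: str, unknown: str, password: str = "wrong") -> bool:
    """True if the handler's (status, message) differs between a known and an
    unknown username, i.e. the response alone enumerates users."""
    return handler(known, password) != handler(unknown, password)


if __name__ == "__main__":
    print("leaky handler enumerable:  ", distinguishable(login_leaky, "alice", "mallory"))
    print("uniform handler enumerable:", distinguishable(login_uniform, "alice", "mallory"))
```

Two details matter in practice: the generic message must be used on every failure path (locked account, disabled user, wrong password), and the same applies to password-reset and registration endpoints, which are the other usual places this finding shows up.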
12-13-2018 10:04 PM
Re: Security Questions
Hi @jp24
Are you finding these with OneView 4.00 or 4.10?
The specific issue below you have stated:
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
This defect has been fixed in a more recent version of OneView yet to be released.
On the below:
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
Did this come back as a violation in the pen-test result?
Regards,
Bhaskar
I am an HPE employee
01-17-2019 04:09 AM
Re: Security Questions
Hi Bhaskar,
Thank you for the response. These were related to version 4.10 of the Appliance.
Username Enumeration - Are you able to advise which version this may be?
Security Response Headers - although not defined critical from pen-test results, which I understand follow industry standards, it was their findings; the classification by the client may see it differently and prevent rollout.
01-31-2019 10:43 PM
Re: Security Questions
Hi @jp24
The next upcoming OneView release right after 4.10 has the fix for the username enumeration problem.
On the request headers that are flagged as a violation by OWASP, can you share any details on that?
Regards,
Bhaskar
I am an HPE employee
02-05-2019 06:00 AM
Re: Security Questions
Redacted Feedback
Recommendation
It is strongly recommended that the following security response headers are implemented in their highlighted configuration:
- X-XSS-Protection: 1; mode=block
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- Cache-Control: no-store
- Pragma: no-cache
References & Resources
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
- https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)
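The recommendation above is a checklist, and a checklist is easy to turn into a repeatable check so the result can be re-verified after each appliance upgrade rather than waiting for the next pen test. The following is an added example written for this thread, not code from OneView, HPE or the pen-test vendor; `audit_headers` and the two header dictionaries are constructed. It evaluates a captured set of response headers against the six recommended values, treating header names as case-insensitive, parsing the HSTS and Cache-Control directives rather than string-matching the whole value, and reporting each header as either missing or present-but-weak.

```python
"""Audit HTTP response headers against the six values recommended in the thread.

Added example; not from OneView or HPE. The sample header sets are constructed.
"""
from typing import Callable, Dict, List, Set


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; the directive values compared here are too."""
    return {k.strip().lower(): v.strip().lower() for k, v in headers.items()}


def _comma_directives(value: str) -> Set[str]:
    """Cache-Control directives are comma-separated (e.g. 'no-store, no-cache')."""
    return {d.strip() for d in value.split(",") if d.strip()}


def _hsts_ok(value: str) -> bool:
    """Require max-age of at least one year (31536000 s) and includeSubDomains."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age >= 31536000 and include_sub


# (lower-cased header name, predicate on the normalised value, recommended setting)
CHECKS: List[tuple] = [
    ("x-xss-protection", lambda v: v.replace(" ", "") == "1;mode=block",
     "X-XSS-Protection: 1; mode=block"),
    ("strict-transport-security", _hsts_ok,
     "Strict-Transport-Security: max-age=31536000; includeSubDomains"),
    ("x-content-type-options", lambda v: v == "nosniff",
     "X-Content-Type-Options: nosniff"),
    ("x-frame-options", lambda v: v == "deny",
     "X-Frame-Options: deny"),
    ("cache-control", lambda v: "no-store" in _comma_directives(v),
     "Cache-Control: no-store"),
    ("pragma", lambda v: v == "no-cache",
     "Pragma: no-cache"),
]


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per recommended header that is missing or misconfigured;
    an empty list means all six recommendations are met."""
    h = _norm(headers)
    findings = []
    for name, ok, expected in CHECKS:
        value = h.get(name)
        if value is None:
            findings.append(f"missing {expected}")
        elif not ok(value):
            findings.append(f"weak {name}: got {value!r}, want {expected}")
    return findings


# Constructed sample captures: one bare response, one carrying the recommended headers.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Server": "constructed/1.0",
    "Strict-Transport-Security": "max-age=300",  # present but far below one year
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}:")
        for finding in audit_headers(hdrs) or ["ok"]:
            print("  ", finding)
```

To run it against a live appliance, feed the dictionary of response headers from any HTTP client into `audit_headers`; the checks deliberately mirror the pen-test wording (for instance `deny` rather than also accepting `sameorigin`), so adjust the predicates if the client's own classification differs. Note that browser vendors have since removed the XSS auditor that `X-XSS-Protection` controls, and the OWASP project now recommends setting it to `0`; the value above is kept because it is what this report asked for.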
02-05-2019 08:43 PM
Re: Security Questions
Thanks @jp24 for sharing these.
Will check and respond.
I am an HPE employee
02-15-2019 05:37 AM
Re: Security Questions
Hi @jp24
Sorry about the delay.
The below headers are addressed in an upcoming release.
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- Pragma: no-cache
We are still evaluating the below two and we'll take them up appropriately.
- Cache-Control: no-store
- Strict-Transport-Security: max-age=31536000; includeSubDomains
Thank you.
Regards,
Bhaskar
I am an HPE employee
03-06-2019 02:36 AM
Re: Security Questions
Thank you for the update.