Educause Security Discussion mailing list archives
Re: Assessing SharePoint Security
From: Louis Arminio <Lou.Arminio () NAU EDU>
Date: Thu, 31 May 2012 16:11:38 +0000
Here is a link to a security company that has some free tools for evaluating SharePoint sites. I've seen the search tool demonstrated and used it to evaluate our SharePoint site.

http://www.stachliu.com/resources/tools/

Their tool is mostly centered around URL discovery, but they are working on a SharePoint DLP tool as well. Their project is really a comprehensive search tool. It's worth checking out even if you don't have SharePoint. In addition to incorporating the GHDB started by Johnny Long and maintained by Exploit-DB.com, the company has developed their own search DBs. They use the Google Custom Search API and Bing 2.0 API to automate searches, and provide instructions on how to get accounts and set up access to the APIs.

Lou.

--
Lou Arminio
Senior Information Security Analyst
Northern Arizona University
Information Technology Services
1300 S Knoles Dr, NAU Box 5100
Flagstaff, Arizona 86011
Lou.Arminio () nau edu
Ph:(928) 523-6462
Fax:(928) 523-7407

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Woodruff, Dan
Sent: Thursday, May 31, 2012 8:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Assessing SharePoint Security

SharePoint is used heavily as a collaboration tool and documentation repository in our environment, and we are trying to determine the best approach to take to assess its security.

One activity we would like to perform is to scan document repository content for sensitive data. Since the backend for SharePoint is a database, we'd have to figure out a way to extract the documents to flat files so they could be examined en masse. Are there any tools that will automate the extraction?

Other than assessing the application to standards and policies, how are other schools assessing SharePoint? Are you performing any kind of technical assessment such as a penetration test and if so, has it been a valuable (actionable) exercise? I fear performing a web application penetration test of such a dynamic and complex application would be a daunting task with little valuable output.

Thank you for any insight,

Dan Woodruff
University IT Security and Policy
University of Rochester