geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: basic security review
Date Wed, 31 Oct 2007 07:09:16 GMT
Thanks Jarek and Prasad for getting the ball rolling.

++Vamsi

On 10/30/07, Prasad Kashyap <goyathlay.geronimo@gmail.com> wrote:
>
> I agree. Our strategy to make Geronimo secure should include an
> elaborate set of unit testcases, a rich set of tests in the
> security-testsuite in our testsuite framework, along with peer
> review of code in components that are potential security risks.
>
> We should aim to have imbricate or maybe even duplicate tests than have
> gaps.
>
> Towards this end, I created a security-testsuite in our testsuite
> framework. It contains one test now. I shall add some more soon.
> Please contribute to this testsuite with more and more tests that you
> can think of.
>
> Thanx
> Prasad
>
> On 10/29/07, Jarek Gawor <jgawor@gmail.com> wrote:
> > A few security problems were discovered in Geronimo in the last few
> > months and weeks. Most of them were Geronimo-specific except one.
> > Therefore, I think we should spend a little bit of our time to review
> > our code and check for potential security problems.
> > As the first step, I think we should identify components that make
> > security decisions (e.g. LoginModules) or enable access to server
> > management and control (e.g. MEJB) or any other components that might
> > be important for server security.
> > Once we have a few components identified we can start the review.
> > Besides finding and fixing the potential security problems during the
> > review we must also ensure that we have decent tests for these
> > components that cover a range of inputs. For each problem that we do
> > discover, we must write a test case to make sure it never happens
> > again. Basically, a problem is not fully addressed until we have a
> > test for it.
> >
> > For now, I created the following page where we can keep track of the
> > components and the review:
> > http://cwiki.apache.org/confluence/display/GMOxDEV/Security+Review
> > Feel free to update it in any way.
> >
> > Opinions? Ideas? Thoughts?
> >
> > Jarek
> >
>

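Jarek's point above, that each reviewed component needs tests covering a range of inputs and that every discovered problem should leave a regression test behind, is illustrated below with an added example. It is not code from this thread or from Geronimo: the `FixedUserLoginModule`, `UserPrincipal` and `authenticates` helper are hypothetical stand-ins constructed for the example, and it assumes JUnit 4 on the classpath. The test exercises the full JAAS login/commit-or-abort cycle and checks that missing, empty, mismatched and padded credentials never leave a Principal in the Subject, which is the kind of input-range check a security-testsuite entry for a real LoginModule would carry.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import static org.junit.Assert.*;
import org.junit.Test;

public class RangeOfInputsLoginModuleTest {

    /** Hypothetical stand-in LoginModule with one hard-coded user, constructed for this test. */
    static final class FixedUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean loginOk;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String name = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Missing or empty credentials are an explicit failure, never an anonymous success.
            if (name == null || name.isEmpty() || pw == null || pw.length == 0) {
                throw new FailedLoginException("missing credentials");
            }
            if (!"alice".equals(name) || !Arrays.equals(pw, "s3cret".toCharArray())) {
                throw new FailedLoginException("bad credentials");
            }
            user = name;
            loginOk = true;
            return true;
        }

        public boolean commit() {
            if (!loginOk) return false;   // a failed login must never add a Principal
            subject.getPrincipals().add(new UserPrincipal(user));
            return true;
        }
        public boolean abort() { loginOk = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }

    /** Supplies a fixed name/password pair; null models "nothing entered". */
    private static CallbackHandler handlerFor(final String name, final String pw) {
        return new CallbackHandler() {
            public void handle(Callback[] cbs) {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                    else if (cb instanceof PasswordCallback)
                        ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
                }
            }
        };
    }

    /** Runs login then commit or abort, and reports whether a Principal was granted. */
    private static boolean authenticates(String name, String pw) throws LoginException {
        Subject subject = new Subject();
        FixedUserLoginModule m = new FixedUserLoginModule();
        m.initialize(subject, handlerFor(name, pw),
                     new HashMap<String, Object>(), new HashMap<String, Object>());
        try { m.login(); m.commit(); } catch (FailedLoginException e) { m.abort(); }
        return !subject.getPrincipals().isEmpty();
    }

    @Test public void validCredentialsGrantPrincipal() throws Exception {
        assertTrue(authenticates("alice", "s3cret"));
    }

    @Test public void rangeOfBadInputsGrantsNothing() throws Exception {
        // Constructed inputs: absent, empty, wrong, unknown user, whitespace/case/NUL variants.
        String[][] cases = {
            { null, null }, { "", "" }, { "alice", "" }, { "alice", null },
            { "", "s3cret" }, { "alice", "wrong" }, { "bob", "s3cret" },
            { "alice ", "s3cret" }, { "ALICE", "s3cret" }, { "alice\u0000", "s3cret" },
        };
        for (String[] c : cases) {
            assertFalse("should reject " + Arrays.toString(c), authenticates(c[0], c[1]));
        }
    }
}
```

The table-driven second test is the part worth copying into a real suite: when a review turns up a new way to get past a module, the input that did it is added as one more row, so the fix is pinned by a test exactly as the thread asks.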