geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jarek Gawor" <jga...@gmail.com>
Subject basic security review
Date Mon, 29 Oct 2007 17:56:48 GMT
A few security problems were discovered in Geronimo in the last few
months and weeks. Most of them were Geronimo-specific except one.
Therefore, I think we should spend a little bit of our time to review
our code and check for potential security problems.
As the first step, I think we should identify components that make
security decisions (e.g. LoginModules) or enable access to server
management and control (e.g. MEJB) or any other components that might
be important for sever security.
Once we have a few components identified we can start the review.
Besides finding and fixing the potential security problems during the
review we must also ensure that we have decent tests for these
components that cover a range of inputs. For each problem that we do
discover, we must write a test case to make sure it never happens
again. Basically, a problem is not fully addressed until we have a
test for it.

For now, I created the following page where we can keep track of the
components and the review:
http://cwiki.apache.org/confluence/display/GMOxDEV/Security+Review
Feel free to update it in any way.

Opinions? Ideas? Thoughts?

Jarek

Mime
View raw message