geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Prasad Kashyap" <goyathlay.geron...@gmail.com>
Subject Re: basic security review
Date Tue, 30 Oct 2007 15:39:26 GMT
I agree. Our strategy to make Geronimo secure should include an
elaborate set of unit testcases, a rich set of tests in the
security-testsuite in our testsuite framework,  along with  peer
review of code in components that are potential security risks.

We should aim to have imbricate or maybe even duplicate tests than have gaps.

Towards this end, I created a security-testsuite in our testsuite
framework. It contains one test now. I shall add some more soon.
Please contribute to this testsuite with more and more tests that you
can think of.

Thanx
Prasad

On 10/29/07, Jarek Gawor <jgawor@gmail.com> wrote:
> A few security problems were discovered in Geronimo in the last few
> months and weeks. Most of them were Geronimo-specific except one.
> Therefore, I think we should spend a little bit of our time to review
> our code and check for potential security problems.
> As the first step, I think we should identify components that make
> security decisions (e.g. LoginModules) or enable access to server
> management and control (e.g. MEJB) or any other components that might
> be important for sever security.
> Once we have a few components identified we can start the review.
> Besides finding and fixing the potential security problems during the
> review we must also ensure that we have decent tests for these
> components that cover a range of inputs. For each problem that we do
> discover, we must write a test case to make sure it never happens
> again. Basically, a problem is not fully addressed until we have a
> test for it.
>
> For now, I created the following page where we can keep track of the
> components and the review:
> http://cwiki.apache.org/confluence/display/GMOxDEV/Security+Review
> Feel free to update it in any way.
>
> Opinions? Ideas? Thoughts?
>
> Jarek
>

Mime
View raw message