tomcat-dev mailing list archives

From Michael Osipov <ossi...@inf.fu-berlin.de>
Subject Assuring Security by testing
Date Wed, 30 Apr 2008 10:33:16 GMT
Hi devs,

I've been investigating Apache Tomcat within my Bachelor's thesis
"Application of security test tools in open source" at the Free
University of Berlin (FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities, especially with security test
tools.

Apache Tomcat is an extremely popular servlet engine. The nature of the
application offers to compromise the web apps and reveal sensitive data.
It does not seem that Tomcat cannot be tested the classic way web apps
are, e.g. testing with a fuzzer for SQL injection, parameter tampering,
path traversal etc.

So far, I have searched the repository and the ant build.xml, the
homepage and the mailing list. The homepage and mailing list revealed no
information at all to me.

I did find that you refer to a security audit conducted against the 5.0
codebase [2]. Unfortunately, no information was given on what was found
and what measures have been taken afterwards.

Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools, with a special test plan or functional requirements?

Thanks in advance,

Michael

[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
[2] http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
[3] http://tomcat.apache.org/security-6.html
-- 
<NO> OOXML - Say NO To Microsoft Office broken standard
http://www.noooxml.org
