tomcat-dev mailing list archives
From Mark Thomas <>
Subject Re: Assuring Security by testing
Date Wed, 30 Apr 2008 11:06:44 GMT
Michael Osipov wrote:
> Security advisories are taken up by a security team [3]. Does this team
> or any other group/person take any measures to assure security with
> testing tools,
> with a special test plan or functional requirements?

We do occasionally receive reports to the security team that provide 
outputs from various security testing tools. In short, the output is nearly 
always complete garbage. For example, on one occasion a handful of XSS 
issues were reported all of which were invalid whilst valid XSS issues 
(later reported by others) were completely missed.

I have yet to see an automated security test tool that offers any useful 
output against the Tomcat code base.

If you want to test a security audit tool then you can run it against an 
old 4.1.x, 5.5.x or 6.0.x tag and see if it identifies any of the 
issues listed on the security pages.

The majority of our security reports come:
- from security researchers who review, for whatever reason, parts of the 
code they believe to be vulnerable to attack
- from users that discover a security issue through normal use

We also review every issue to see if there may be other places in the 
codebase that are affected that the reporter did not mention. For example 
we had a couple of XSS in the examples and when we looked at the rest of 
the examples code we found a few more.

Every commit is reviewed by three committers before it is applied. Security 
is one of the considerations when reviewing a patch.

Getting off topic a little, where I think automated tools do have something 
to offer is in the area of finding bugs. Checking for unused variables etc. 
often highlights (usually minor) bugs. FindBugs, PMD, Checkstyle, the 
stuff built in to Eclipse all have something to offer in this area.
