Mark Thomas wrote:
> Michael Osipov wrote:
>> Security advisories are taken up by a security team [3]. Does this team
>> or any other group/person take any measures to assure security with
>> testing tools,
>> with a special test plan or functional requirements?
Hello Mark,
I did not expect such a quick and long answer. Thanks first of all!
> We do occasionally receive reports to the security team that provide
> outputs from various security testing tools. In short, the output is
> nearly always complete garbage. For example, on one occasion a handful
> of XSS issues were reported all of which were invalid whilst valid XSS
> issues (later reported by others) were completely missed.
Were you given the names of the tools with which the garbage output has
been produced?
> I have yet to see an automated security test tool that offers any useful
> output against the Tomcat code base.
I am investigating some tools too, but they are still evolving.
> If you want to test a security audit tool then you can run it against an
> old 4.1.x, 5.5.x or 6.0.x tag and see if it identifies any of the
> issues listed on the security pages.
Yes, that's probably what I can do, but I am just a developer using
Tomcat as a servlet engine. I guess, due to Tomcat's complexity, it'd take
some time to understand how to run an attack at all.
> The majority of our security reports come:
> - from security researchers who review, for whatever reason, parts of the
> code they believe to be vulnerable to attack
> - users that discover a security issue through normal use
>
> We also review every issue to see if there may be other places in the
> codebase that are affected that the reporter did not mention. For
> example we had a couple of XSS in the examples and when we looked at the
> rest of the examples code we found a few more.
>
> Every commit is reviewed by three committers before it is applied.
> Security is one of the considerations when reviewing a patch.
>
> Getting off topic a little, where I think automated tools do have
> something to offer is in the area of finding bugs. Checking for unused
> variables etc. often highlights (usually minor) bugs. FindBugs, PMD,
> checkstyle, the stuff built in to Eclipse all have something to offer in
> this area.
I am aware of all the tools you cited, but they don't necessarily do
security testing (e.g. checkstyle). Did you ever come across LAPSE [1]?
I have investigated some tools, maybe they are in your interest to some
extent. Check this article [2] on different tools, nikto [3], and Wfuzz [4].
Thanks again. I have to process your answers first before I proceed
with asking, if you don't mind being asked.
Mike
[1] http://suif.stanford.edu/~livshits/work/lapse/
[2] http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/
[3] http://www.cirt.net/nikto2
[4] http://www.edge-security.com/wfuzz.php
--
<NO> OOXML - Say NO To Microsoft Office broken standard
http://www.noooxml.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org