tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: Assuring Security by testing
Date Wed, 30 Apr 2008 12:27:10 GMT
Michael Osipov wrote:
> Mark Thomas wrote:
>> We do occasionally receive reports to the security team that provide 
>> outputs from various security testing tools. In short, the output is 
>> nearly always complete garbage. For example, on one occasion a handful 
>> of XSS issues were reported all of which were invalid whilst valid XSS 
>> issues (later reported by others) were completely missed.
> Were you told the names of the tools with which the garbage output was 
> produced?
Yes we were, but I am not prepared to name the tools.

>> Getting off topic a little, where I think automated tools do have 
>> something to offer is in the area of finding bugs. Checking for unused 
>> variables etc often highlights (usually minor) bugs. Find bugs, PMD, 
>> checkstyle, the stuff built in to Eclipse all have something to offer 
>> in this area.
> I am aware of all the tools you cited, but they don't necessarily do 
> security testing (e.g. checkstyle). Did you ever come across LAPSE [1]?
> I have investigated some tools; maybe they are of interest to you to some 
> extent. Check this article [2] on different tools, nikto [3], and Wfuzz 
> [4].
As I said, automated tools for finding general bugs can work. I haven't 
used (and wouldn't use) them to find security issues.

