tomcat-dev mailing list archives

From Jim Manico <...@manico.net>
Subject Re: Assuring Security by testing
Date Wed, 30 Apr 2008 13:15:31 GMT
The Fortify Opensource project automatically scans the Tomcat codebase 
on a regular basis.

This probably only gives you 10% security coverage at best, but it's a 
free report from a $50k tool.

http://opensource.fortifysoftware.com
> Hi devs,
>
> I've been investigating Apache Tomcat within my Bachelor's thesis
> "Application
> of security test tools in open source" at the Free University of Berlin
> (FU Berlin) [1].
> Basically, I am looking for security measures which have been taken to
> prevent security leaks/vulnerabilities especially with security test
> tools
>
> Apache Tomcat is an extremely popular servlet engine. The nature of the
> application offers to compromise the web apps and reveal sensitive data.
> It does not seem that Tomcat cannot be tested the classic way web apps
> are, e.g. testing with fuzzer for SQL injection, parameter tampering,
> path traversal etc.
>
> So far, I have searched the repository and the ant build.xml, the homepage
> and the mailing list. The homepage and mailing list revealed no
> information at all to me.
>
> I did find that you refer to a security audit conducted against the 5.0
> codebase [2]. Unfortunately, no information was given on what was found and
> what measures have been taken afterwards.
>
> Security advisories are taken up by a security team [3]. Does this team
> or any other group/person take any measures to assure security with
> testing tools, with a special test plan or functional requirements?
>
> Thanks in advance,
>
> Michael
>
> [1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
> [2] http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
> [3] http://tomcat.apache.org/security-6.html


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org