tomcat-dev mailing list archives

From Jim Manico <>
Subject Re: Assuring Security by testing
Date Wed, 30 Apr 2008 13:15:31 GMT
The Fortify Opensource project automatically scans the Tomcat codebase 
on a regular basis.

This probably only gives you 10% security coverage at best, but it's a 
free report from a $50k tool.
> Hi devs,
> I've been investigating Apache Tomcat within my Bachelor's thesis
> "Application of security test tools in open source" at the Free
> University of Berlin (FU Berlin) [1].
> Basically, I am looking for security measures which have been taken to
> prevent security leaks/vulnerabilities, especially with security test
> tools.
> Apache Tomcat is an extremely popular servlet engine. The nature of the
> application offers to compromise the web apps and reveal sensitive data.
> It does not seem that Tomcat cannot be tested the classic way web apps
> are, e.g. testing with a fuzzer for SQL injection, parameter tampering,
> path traversal etc.
> So far, I have searched the repository and the ant build.xml, the homepage
> and the mailing list. The homepage and mailing list revealed no
> information at all to me.
> I did find that you refer to a security audit conducted against the 5.0
> codebase [2]. Unfortunately, no information was given on what was found
> and what measures have been taken afterwards.
> Security advisories are taken up by a security team [3]. Does this team
> or any other group/person take any measures to assure security with
> testing tools, with a special test plan or functional requirements?
> Thanks in advance,
> Michael
> [1]
> [2]
> [3]
