tomcat-dev mailing list archives

From Mark Thomas
Subject Re: Assuring Security by testing
Date Wed, 30 Apr 2008 13:42:53 GMT
Jim Manico wrote:
> The Fortify Opensource project automatically scans the Tomcat codebase 
> on a regular basis.
> This probably only gives you 10% security coverage at best, but it's a 
> free report from a $50k tool.

A great example of why I don't have much faith (hope for the future 
yes - faith for the current crop no) in these tools. In summary:
- they are looking at 4.1.10, 5.5.20 and 6.?
- I don't know which TC6 version they analysed (but I suspect it is quite 
old) since they never responded to my requests to add me to that project 
and I lost interest
- there are so many false positives I got fed up looking at them
- the bug reporting is way too clunky compared to just using Eclipse or any 
other decent IDE
- it missed most (all if I recall correctly - I don't have the time or 
inclination to check) of the XSS issues we know were in 4.1.10 onwards

I maintain that you will get greater benefit for time invested just by 
clearing the issues flagged by a decent IDE.

