Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 41647 invoked from network); 30 Apr 2008 11:26:30 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 30 Apr 2008 11:26:30 -0000 Received: (qmail 274 invoked by uid 500); 30 Apr 2008 11:26:28 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 211 invoked by uid 500); 30 Apr 2008 11:26:28 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 193 invoked by uid 99); 30 Apr 2008 11:26:28 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 30 Apr 2008 04:26:28 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [160.45.40.10] (HELO mail.math.fu-berlin.de) (160.45.40.10) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 30 Apr 2008 11:25:40 +0000 Received: (qmail 7148 invoked from network); 30 Apr 2008 13:25:53 +0200 Received: from lusin.mi.fu-berlin.de (HELO mi.fu-berlin.de) (160.45.117.141) by leibniz.math.fu-berlin.de with SMTP; 30 Apr 2008 13:25:53 +0200 Received: (qmail 29054 invoked by uid 9804); 30 Apr 2008 13:25:53 +0200 Received: from localhost (HELO mi.fu-berlin.de) (127.0.0.1) by localhost with SMTP; 30 Apr 2008 13:25:51 +0200 Received: (qmail 29044 invoked by uid 9804); 30 Apr 2008 13:25:51 +0200 Received: from leibniz.math.fu-berlin.de (HELO math.fu-berlin.de) (160.45.40.10) by lusin.mi.fu-berlin.de with SMTP; 30 Apr 2008 13:25:51 +0200 Received: (qmail 7121 invoked from network); 30 Apr 2008 13:25:51 +0200 Received: from argon.mi.fu-berlin.de (HELO mail.mi.fu-berlin.de) (160.45.117.144) by leibniz.math.fu-berlin.de with (AES256-SHA encrypted) SMTP; 30 Apr 2008 11:25:51 -0000 Received: from p5b25d354.dip.t-dialin.net ([91.37.211.84] helo=[127.0.0.1]) by mail.mi.fu-berlin.de with esmtpsa (Exim 4.63 #1 (Debian)) id 1JrARa-0003hW-Ma for ; Wed, 30 Apr 2008 13:25:50 +0200 Message-ID: <48185739.3050104@inf.fu-berlin.de> Date: Wed, 30 Apr 2008 13:25:45 +0200 From: Michael Osipov User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) X-Envelope-Sender: ossipov@inf.fu-berlin.de X-Virus-Scanned: by AMaViS 0.3.12pre7-L41+ClamAV[29047](NAI-uvscan@mi.fu-berlin.de) X-Remote-IP: 160.45.117.144 MIME-Version: 1.0 To: Tomcat Developers List Subject: Re: Assuring Security by testing References: <48184AEC.3010805@inf.fu-berlin.de> <481852C4.6030502@apache.org> In-Reply-To: <481852C4.6030502@apache.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Remote-IP: 91.37.211.84 X-Virus-Checked: Checked by ClamAV on apache.org Mark Thomas wrote: > Michael Osipov wrote: >> Security advisories are taken up by a security team [3]. Does this team >> or any other group/person take any measures to assure security with >> testing tools, >> with a special test plan or functional requirements? Hello Mark, I did not expect such a quick and long answer. Thanks first of all! > We do occasionally receive reports to the security team that provide > outputs from various security testing tools. In short, the output is > nearly always complete garbage. For example, on one occasion a handful > of XSS issues were reported all of which were invalid whilst valid XSS > issues (later reported by others) were completely missed. Were you reported the name of the tools with which the garbage out has been produced? > I have yet to see an automated security test tool that offers any useful > output against the Tomcat code base. I am investigating some tools too but their are still evolving. > If you want to test a security audit tool then you can run it against an > old 4.1.x, 5.5.x or 6.0.x tag and see if it identifies any of the the > issues listed on the security pages. Yes, that's probably what I can do but I am just a developer using tomcat as a servlet engine. I guess, due to tomcats complexity it'd take some time to understand how to run an attack at all. > The majority of our security reports come: > - from security researches who review, for whatever reason, parts of the > code they believe to be vulnerable to attack > - users that discover a security issue through normal use > > We also review every issue to see if there may be other places in the > codebase that are affected that the reporter did not mention. For > example we had a couple of XSS in the examples and when we looked at the > rest of the examples code we found a few more. > > Every commit is reviewed by three committers before it is applied. > Security is one of the considerations when reviewing a patch. > > Getting off topic a little, where I think automated tools do have > something to offer is in the area of finding bugs. Checking for unused > variables etc often highlights (usually minor) bugs. Find bugs, PMD, > checkstyle, the stuff built in to Eclipse all have something to offer in > this area. I am aware of all the tools you cited, but they don't do necessarily security testing (e.g. checkstyle). Did you ever come across LAPSE [1]? I have investigated some tools, maybe they are in your interest to some extent. Check this article [2] on different tools, nikto [3], and Wfuzz [4]. Thanks again. I have to process you answers first before I proceed asking if you don't mind being asked. Mike [1] http://suif.stanford.edu/~livshits/work/lapse/ [2] http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/ [3] http://www.cirt.net/nikto2 [4] http://www.edge-security.com/wfuzz.php -- OOXML - Say NO To Microsoft Office broken standard http://www.noooxml.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org