tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JKS keystore password Encryption
Date Wed, 06 Aug 2014 00:34:49 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sanaullah,

On 8/4/14, 9:19 PM, Sanaullah wrote:
> Thanks to all.
> 
> I was looking something similar to this [1] which is implemented in
> JBoss.
> 
> [1] 
> https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

Congratulations:
> 
you'll pass a security audit that flags this as a
problem.

Fail: you have moved your password to another file, and not gained a
single thing.

You may now celebrate the incompetence of both your auditors and
engineering staff for sidestepping an issue rather than soberly
dealing with it head-on.

This is why formal risk analyses are much better than crappy
script-based security audits. First of all, they force you to be much
more creative than a script you paid someone a huge sum of money to
run that only tells you obvious things that a light reading of any
OWASP documentation would already tell you, *and* it gives you the
opportunity to say "this thing doesn't matter at all, and even if we
*did* do something about it, it wouldn't make any damn bit of difference."

It's time engineering teams started teaching management about security.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJT4XgpAAoJEBzwKT+lPKRYE+MP/1uza2WXqwKMW1QwsoANQgGi
Y+rzWmnMJJipG3E/gq2DhtorhARov2NadoHW0GGo+xoSU3ldnn0+ljJllX5hfs9s
jMsO1aqtOYXmFHQYr9qo0js03DIE8IE1PsPZA+JGLgzw8h8/5NlfcIrjFpCWHf2r
04MXGTGLDryIgLPc5uO2RS0Tyl8XDky9do7GZ9B4Ykn/zgP/KqIHi1zQhwYv1BJM
QF2GIEcFwc599+cH1ZlGJWJogAP7QsgxMFWIFH7Y4PmJcXHaJ3PyIAK7VG2vowcC
KiERaVFd/RPtOqdaBf7xpqeKa3GUSF1c02AGz01xJuIB0U7tqA+ta4rdyUVvHGV8
oyCRT48o6HuymO7/lXumTWBvBkPnuh+co7bN7Z4axVroeXBUCG5ldGY60VZlCYs5
qfeSVbdwJzhZxvujnxigfJr9X41ZDKMs2aJ+bFkp28mLyKUYxCRA8RWbf0zqL3uN
j8dnODehFnmpsEAxIa/zaq70MElKJLJ0QTUVKnnunTaOmZbopr25h9DL0XtA1Gft
cS+0M++ic3zCJ57Md8VAYum8BksxcKiPmlQFu5shITYVmtntSimgCNU5nEooiJ45
xvd03vioJJ7RCSVmciBM/wsFKhfgUFmgOc5bNG8KSFqhjh0A09t9JnEpB8CGVRGW
jlzixmv5BOQjMFUJActT
=yOJq
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message