tomcat-dev mailing list archives

From Jim Manico <>
Subject Re: Assuring Security by testing
Date Wed, 30 Apr 2008 13:56:12 GMT

I agree with all of your comments 100%.

If you really wanted to conduct an in-depth security analysis, the best 
bet is to hire a dedicated application security company to conduct a 
targeted code review.

Most automated application security tools are crap. But for the sake of 
academic research, the Fortify Tomcat report might be a little interesting.

Jim Manico, Senior Application Security Engineer |
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source

> Jim Manico wrote:
>> The Fortify Opensource project automatically scans the Tomcat 
>> codebase on a regular basis.
>> This probably only gives you 10% security coverage at best, but it's 
>> a free report from a $50k tool.
> A great example of why I don't have much faith (hope for the 
> future yes - faith for the current crop no) in these tools. In summary:
> - they are looking at 4.1.10, 5.5.20 and 6.?
> - I don't know which TC6 version they analysed (but I suspect it is 
> quite old) since they never responded to my requests to add me to that 
> project and I lost interest
> - there are so many false positives I got fed up looking at them
> - the bug reporting is way too clunky compared to just using Eclipse or 
> any other decent IDE
> - it missed most (all if I recall correctly - I don't have the time or 
> inclination to check) of the XSS issues we know were in 4.1.10 onwards
> I maintain that you will get greater benefit for time invested just by 
> clearing the issues flagged by a decent IDE.
> Mark

