https://bz.apache.org/bugzilla/show_bug.cgi?id=62582
--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to ABakerIII from comment #3)

> Mark Thomas : I have seen several-year-old, known vulnerabilities in many open
> source projects. Many of those could be detected by OWASP D.C. and culled.
> I have seen new exploitation mechanisms being used that find newly discovered
> vulnerabilities in old legacy jars.

Feel free to run this against Tomcat and report any results you find.

> Christopher Schultz : On frequency of running the report. It depends on the
> rate of change of the project (how many new libraries are added per
> week/month), and the rate of new vulnerability discovery in the set of
> existing libraries per week/month, to determine how often the report should
> be run, and read. In new systems, when 5-10 libs are being added daily, the
> report should be run nightly. In Tomcat ??? start with weekly ? If after a
> while there are more than four weeks that go by without a true positive,
> perhaps monthly is OK.

The library turnover in Tomcat is ... exceedingly low.

> IMO, it's a fallacy to complain about a small performance hit once per week
> compared to the number of instances of sites that get broken into, PII
> stolen, money stolen, and other nefarious things that bad actors could do. It's a
> far-away issue until it happens to you or someone close to you. Also, it is
> common for these open source systems to be used in critical infrastructure,
> banking, gov, military. A once-weekly performance penalty is a small price.

Okay, let's see.