The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report form a $50k tool.
http://opensource.fortifysoftware.com
Hi devs,
I've been investigating Apache Tomcat within my Bachelor's thesis
"Application
of security test tools in open source" at the Free University of Berlin
(FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities especially with security test
tools
Apache Tomcat is a extremely popular servlet engine. The nature of the
application offers to compromise the web apps and reveal sensitive data.
It does not seem that Tomcat cannot be tested the classic way web apps
are, e.g. testing with fuzzer for SQL injection, parameter tampering,
path traversal etc.
So far, I have search the repository and the ant build.xml, the homepage
and the mailing list.The homepage and mailing list revealed no
information at all to me.
I did find that you refer to security audit conducted against the 5.0
codebase [2]. Unfortunately, no information was given what was found and
what measures have been taken afterwards.
Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools,
with a special test plan or functional requirements?
Thanks in advance,
Michael
[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
[2] http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
[3] http://tomcat.apache.org/security-6.html
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
