Mark,
I agree with all of your comments 100%.
If you really wanted to conduct an in-depth security analysis, the best
bet is to hire a dedicated application security company to conduct a
targeted code review.
Most automated application security tools are crap. But for the sake of
academic research, the Fortify Tomcat report might be a little interesting.
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat
codebase on a regular basis.
This probably only gives you 10% security coverage at best, but it's
a free report from a $50k tool.
http://opensource.fortifysoftware.com
A great example of why I don't have much faith (hope for the
future yes - faith for the current crop no) in these tools. In summary:
- they are looking at 4.1.10, 5.5.20 and 6.?
- I don't know which TC6 version they analysed (but I suspect it is
quite old) since they never responded to my requests to add me to that
project and I lost interest
- there are so many false positives I got fed up looking at them
- the bug reporting is way too clunky compared to just using Eclipse or
any other decent IDE
- it missed most (all if I recall correctly - I don't have the time or
inclination to check) of the XSS issues we know were in 4.1.10 onwards
I maintain that you will get greater benefit for time invested just by
clearing the issues flagged by a decent IDE.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]