Thanks Jarek and Prasad for getting the ball rolling. ++Vamsi
On 10/30/07, Prasad Kashyap <[EMAIL PROTECTED]> wrote: > > I agree. Our strategy to make Geronimo secure should include an > elaborate set of unit testcases, a rich set of tests in the > security-testsuite in our testsuite framework, along with peer > review of code in components that are potential security risks. > > We should aim to have imbricate or maybe even duplicate tests than have > gaps. > > Towards this end, I created a security-testsuite in our testsuite > framework. It contains one test now. I shall add some more soon. > Please contribute to this testsuite with more and more tests that you > can think of. > > Thanx > Prasad > > On 10/29/07, Jarek Gawor <[EMAIL PROTECTED]> wrote: > > A few security problems were discovered in Geronimo in the last few > > months and weeks. Most of them were Geronimo-specific except one. > > Therefore, I think we should spend a little bit of our time to review > > our code and check for potential security problems. > > As the first step, I think we should identify components that make > > security decisions (e.g. LoginModules) or enable access to server > > management and control (e.g. MEJB) or any other components that might > > be important for sever security. > > Once we have a few components identified we can start the review. > > Besides finding and fixing the potential security problems during the > > review we must also ensure that we have decent tests for these > > components that cover a range of inputs. For each problem that we do > > discover, we must write a test case to make sure it never happens > > again. Basically, a problem is not fully addressed until we have a > > test for it. > > > > For now, I created the following page where we can keep track of the > > components and the review: > > http://cwiki.apache.org/confluence/display/GMOxDEV/Security+Review > > Feel free to update it in any way. > > > > Opinions? Ideas? Thoughts? > > > > Jarek > > >
