On Thursday, March 29, 2012 4:23:17 PM UTC-4, Joseph Lust wrote:
>
> They appear to be companies using antiquated software and GWT being called 
> out is a bit of sensationalist cry by the authors. For example, they place 
> in their chart "GWT" at the top, not "GWT 1.6/7." That is to say that not 
> all GWT applications are vulnerable, just the really old, rot in place 
> ones. They also call out SpringMVC 2.5.6, while we're rocking on 3.0.10 
> these days.


Yeah, I wish I had more information on how they derived those numbers and 
what they mean. Do those numbers for GWT only include those versions that 
had reported vulnerabilities, and which ones? Being able to trace their 
chart back to specific details would be useful, because without that I'm 
not sure how much weight to put on their results.
 

> The gaping omission of the article is that most such *Global 500* firms' 
> software development is for *internal components*. If at my office and 
> most others, we don't see an internal meeting scheduling app written in GWT 
> 1.6 to be a serious issue. However, client/external facing applications are 
> a whole different can of beans which have many rounds of reviews before 
> release and continuing audits. I'd estimate only 5% of our applications are 
> externally visible, and the real number is likely lower than that.
>

Yes, that's certainly something to consider; although ideally you wouldn't 
be using components with known vulnerabilities internally, the risk of 
doing so is somewhat lower.
 

> The real takeaway message is that Maven needs an audit feature to check 
> your POM for known vulnerabilities, say at compile time.
>

Although it's often the technology management that wants the audit 
features, not the individual developer -- that's why the repository-level 
oversight has some appeal for some organizations, I think.

  - Geoffrey
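The POM audit Joseph asks for above, as an added example that is not part of this thread or of any Maven tooling: it parses a `pom.xml`, resolves `${property}` placeholders from the `<properties>` block, and flags any dependency whose version falls inside a known-affected range. The advisory entries, the `pom.xml` and the artifact names are all constructed for this demonstration, with bounds taken only from the versions the thread mentions (GWT 1.6/1.7, Spring MVC 2.5.6, 3.0.10); they are not real advisory data.

```python
"""Minimal POM audit: flag Maven dependencies whose version falls inside a
known-affected range. Illustrative example; the advisory list and the sample
POM below are constructed for this demo, not a real vulnerability database."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisories: (groupId, artifactId, lowest_affected, first_fixed).
# Version bounds are illustrative, taken only from the versions named in the
# thread; they are NOT real advisory entries.
SAMPLE_ADVISORIES = [
    ("com.google.gwt", "gwt-user", "1.6.0", "1.7.0"),           # "GWT 1.6/7"
    ("org.springframework", "spring-webmvc", "2.5.6", "2.5.7"),  # "SpringMVC 2.5.6"
]

# Constructed pom.xml: an internal app pinning old GWT, Spring via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>scheduler</artifactId><version>1.0</version>
  <properties>
    <spring.version>3.0.10.RELEASE</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.gwt</groupId>
      <artifactId>gwt-user</artifactId>
      <version>1.6.4</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>"""


def version_key(v):
    """Turn '3.0.10.RELEASE' into a comparable tuple of ints. Non-numeric
    qualifiers are dropped, which is adequate for plain x.y.z versions."""
    parts = [int(p) for p in re.split(r"[.\-]", v) if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] with ${...} placeholders
    substituted from <properties>; unknown placeholders are left as-is."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall(f"{POM_NS}properties/*"):
        props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()
    deps = []
    for d in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        g = d.findtext(f"{POM_NS}groupId")
        a = d.findtext(f"{POM_NS}artifactId")
        v = d.findtext(f"{POM_NS}version") or ""
        v = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
        deps.append((g, a, v.strip()))
    return deps


def audit_pom(pom_xml, advisories=SAMPLE_ADVISORIES):
    """Return [(groupId, artifactId, version, reason)] for every dependency
    that is either inside an affected range or cannot be audited because its
    version is missing or unresolved (inherited, managed, or bad property)."""
    findings = []
    for g, a, v in parse_dependencies(pom_xml):
        if not v or "${" in v:
            findings.append((g, a, v, "unresolved version; cannot audit"))
            continue
        for ag, aa, lo, fixed in advisories:
            if (g, a) == (ag, aa) and version_key(lo) <= version_key(v) < version_key(fixed):
                findings.append((g, a, v, f"affected range [{lo}, {fixed})"))
    return findings


if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(finding)
```

Run against the constructed POM, it reports `gwt-user 1.6.4` as inside the affected range and leaves `spring-webmvc 3.0.10.RELEASE` alone, which is the distinction Joseph's "GWT 1.6/7 versus GWT" complaint is about. Two deliberate gaps: versions inherited from a parent POM or `<dependencyManagement>` are reported as unauditable rather than silently skipped, and Maven range syntax such as `[1.0,2.0)` is not parsed, so a real check would run against the resolved dependency tree (e.g. the output of `mvn dependency:list`) rather than the raw POM. OWASP Dependency-Check, which has a Maven plugin, does this against the public vulnerability databases.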

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/NFXatA0yUpoJ.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
