> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
> would like to collect as much information as possible on where you think I should
> look (code, security holes, etc.). I'm planning to do the audit using
> the default SecurityManager. Right now, I have started looking at:

Although their goals and technology are different (an OS written in C), I believe anyone interested in helping might learn a lot by looking at OpenBSD (a free UNIX-like OS whose entire code base has been subjected to a careful (and ongoing!) security audit). They have some papers online; go to www.openbsd.org and look at press.html (which has links to various papers). Look for "auditing".