On 10/15/20 14:01, Mark Thomas wrote:
> On 29/09/2020 12:25, Mark Thomas wrote:
>> Hi all,
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put together
>> a plan for the event. So, over to you. What would your ideal virtual
>> event focussed on Tomcat Security look like?
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
>  - SSO / SAML / OpenIDConnect
> The first two are more application security focused and would not have
> to be Tomcat specific.
> The third is more likely to Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.

I've built incoming single-legged SAML SSO into my own application
without any external libraries, so I could led a group to work on this
kind of thing.

> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
> Anything else you'd like to suggest that is related to Tomcat and security.
> There hasn't been any thought given to timing yet.
> Mark
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.


It's worth running new tools against Tomcat and then having many eyes
look at the list to determine false-positives.


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to