Mark,

On 10/15/20 14:01, Mark Thomas wrote:
> On 29/09/2020 12:25, Mark Thomas wrote:
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put together
>> a plan for the event. So, over to you. What would your ideal virtual
>> event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
> - SSO / SAML / OpenIDConnect
>
> The first two are more application security focused and would not have
> to be Tomcat specific.
>
> The third is more likely to be Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.
I've built incoming single-legged SAML SSO into my own application without any external libraries, so I could lead a group to work on this kind of thing.

> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.

+1. It's worth running new tools against Tomcat and then having many eyes look at the list to determine false positives.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org