Michael Osipov wrote:
Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools,
with a special test plan or functional requirements?
We do occasionally receive reports to the security team that provide
outputs from various security testing tools. In short, the output is nearly
always complete garbage. For example, on one occasion a handful of XSS
issues were reported all of which were invalid whilst valid XSS issues
(later reported by others) were completely missed.
I have yet to see an automated security test tool that offers any useful
output against the Tomcat code base.
If you want to test a security audit tool then you can run it against an
old 4.1.x, 5.5.x or 6.0.x tag and see if it identifies any of the the
issues listed on the security pages.
The majority of our security reports come:
- from security researches who review, for whatever reason, parts of the
code they believe to be vulnerable to attack
- users that discover a security issue through normal use
We also review every issue to see if there may be other places in the
codebase that are affected that the reporter did not mention. For example
we had a couple of XSS in the examples and when we looked at the rest of
the examples code we found a few more.
Every commit is reviewed by three committers before it is applied. Security
is one of the considerations when reviewing a patch.
Getting off topic a little, where I think automated tools do have something
to offer is in the area of finding bugs. Checking for unused variables etc
often highlights (usually minor) bugs. Find bugs, PMD, checkstyle, the
stuff built in to Eclipse all have something to offer in this area.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
