One of the tools the federal government uses is Retina (http://www.eeye.com/Products/Retina.aspx) - so if your customer is in that arena...that will keep you 90-95% ahead of them. In my experience, it's quite verbose and comes up with a lot of items that can be or are mitigated based on implementation or additional security practices taken. But, as a 'discovery' tool, it's quite good.
It's not open source, but at least you don't have to have another salaried employee working on this full time.

Cheers,
S

On Mon, Jul 26, 2010 at 9:43 AM, camden.h...@gmail.com <camden.h...@gmail.com> wrote:
> Hey everyone,
>
> I have been presented with a problem that I cannot imagine is unique -
> and I hope that someone out there can point me in the right
> direction!
>
> I am responsible for an application deployed in a JBoss environment
> where we use a number of 3rd party libraries - obviously the JBoss
> stuff, plus Spring, Hibernate, Castor, commons-*, and a couple of
> dozen other jars.
>
> At one of our customers their IS team has turned around and presented
> us with a security schedule, mapping types of vulnerability to various
> categories. They are fairly...aggressive...in their expectations in
> updating components that have problems.
>
> I would like to be able to stay (at least) one step ahead of them and
> actively monitor for announcements of problems and fixes. Is anyone
> aware of any tools/services out there that would let us say which tool/
> library we are interested in and get regular notifications of
> problems?
>
> Like I say - I can't imagine this is unique. In a bigger organisation
> I'm sure we'd have our own team to do this monitoring, but we are a
> relatively small company and given the number of libraries out there
> we make use of (often transitively, making things more complex) this
> would soak up a vast amount of resources.
>
> Thanks...
>
> Camden
>
> --
> You received this message because you are subscribed to the Google Groups
> "The Java Posse" group.
> To post to this group, send email to javapo...@googlegroups.com.
> To unsubscribe from this group, send email to
> javaposse+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/javaposse?hl=en.