Hi Chris,

I don't want to pass the audit. I am just curious why JBoss implemented that, and what's the purpose of the SRP protocol implementation? Just to pass the audit?
[1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Development_Guide/#sect-Secure_Remote_Password_Protocol

Regards,
Sanaullah

On Wed, Aug 6, 2014 at 5:34 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 8/4/14, 9:19 PM, Sanaullah wrote:
> > Thanks to all.
> >
> > I was looking for something similar to this [1] which is implemented in
> > JBoss.
> >
> > [1]
> > https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html
>
> Congratulations:
>
> > you'll pass a security audit that flags this as a
> > problem.
>
> Fail: you have moved your password to another file, and not gained a
> single thing.
>
> You may now celebrate the incompetence of both your auditors and
> engineering staff for sidestepping an issue rather than soberly
> dealing with it head-on.
>
> This is why formal risk analyses are much better than crappy
> script-based security audits. First of all, they force you to be much
> more creative than a script you paid someone a huge sum of money to
> run that only tells you obvious things that a light reading of any
> OWASP documentation would already tell you, *and* it gives you the
> opportunity to say "this thing doesn't matter at all, and even if we
> *did* do something about it, it wouldn't make any damn bit of difference."
>
> It's time engineering teams started teaching management about security.
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
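The following is an added illustration of the point Chris makes in the quoted reply; it is not code from the thread, from Tomcat or from JBoss. It builds a toy "masked password" scheme of the kind the linked Red Hat page describes: the keystore password is encrypted under a key kept in a second file and only the masked token appears in server.xml. A grep-style audit that looks for the plaintext stops flagging the config, but anyone with read access to the conf directory (a local user, a path-traversal bug, a leaked backup) has the key file too and recovers the password in one step. The HMAC-SHA256 keystream cipher and the file paths are assumptions made for the example; a real product's PBE would be stronger as a cipher but is in exactly the same position with respect to who can read the key.

```python
"""
Added example (not from the thread, not Tomcat/JBoss code): a toy password
masking scheme showing why moving a keystore password into a second file does
not change who can read it. The cipher is a deliberately simple HMAC-SHA256
keystream XOR standing in for the PBE a real product uses; the paths and the
in-memory "filesystem" dict are constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

KEY_FILE = "/opt/app/conf/keystore.key"    # assumed path of the masking key
CONFIG_FILE = "/opt/app/conf/server.xml"   # assumed path of the Tomcat config


def _keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream by HMAC-ing a counter under the key (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mask(secret: bytes, key: bytes) -> str:
    """Encrypt the secret under the key and return a MASK- prefixed token."""
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    return "MASK-" + base64.b64encode(ct).decode()


def unmask(token: str, key: bytes) -> bytes:
    """Inverse of mask(); needs nothing but the token and the key file contents."""
    ct = base64.b64decode(token[len("MASK-"):])
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def deploy(password: bytes, key: Optional[bytes] = None) -> Dict[str, str]:
    """Simulate the 'fix': write a key file and put only the masked value in
    server.xml. Returns a dict standing in for the filesystem (path -> text)."""
    key = key or os.urandom(32)
    return {
        KEY_FILE: key.hex(),
        CONFIG_FILE: (
            '<Connector port="8443" scheme="https" secure="true"\n'
            '           keystoreFile="conf/keystore.jks"\n'
            f'           keystorePass="{mask(password, key)}" />\n'
        ),
    }


def script_audit(fs: Dict[str, str], literal: bytes) -> List[str]:
    """What a grep-style audit does: list files containing the plaintext password."""
    return [path for path, content in fs.items() if literal.decode() in content]


def recover_as_local_reader(fs: Dict[str, str]) -> bytes:
    """What anyone who can read the conf directory does: same access, same result."""
    key = bytes.fromhex(fs[KEY_FILE])
    token = re.search(r'keystorePass="(MASK-[^"]+)"', fs[CONFIG_FILE]).group(1)
    return unmask(token, key)


if __name__ == "__main__":
    fs = deploy(b"changeit")
    print("audit findings:", script_audit(fs, b"changeit"))  # [] : scanner is satisfied
    print("recovered:", recover_as_local_reader(fs))         # b'changeit' : nothing gained
```

The useful takeaway for a risk analysis is the question the audit script never asks: which principal can read server.xml but not the key file? If the answer is "none", the masking changes the finding, not the risk, and the real controls are filesystem permissions on the conf directory, not having the secret in the config at all (an external secret store, or a password supplied at startup), or accepting the residual risk explicitly.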