Chris [combining messages]
cjb> Am I mistaken, but does vulnerability scanning software
cjb> seem to feed on that sort of thing?

cs> Most vulnerability scanners just try to detect your server's
cs> version and look-up any publicly-reported vulnerabilities in
cs> e.g. NVD. They are really stupid tools for the most part.
cs> If you hired a real pen tester, they would probably run one
cs> of those scanners first just to get some intel and then
cs> dive-into attacking your application e.g. with request-
cs> parameter munging.

I failed to mention that the vulnerability scanner being used actually follows paths in the source code. I inferred that a clever hacker could figure out how to discover and exploit the vulnerabilities that the scanner revealed by reloading pages and varying parameters.

cjb> For me, it's a twofold combination of (a) security
cjb> concerns and (b) separation of responsibilities.
cjb> a. Security - shrink the attack surface.

cs> It's worth pointing-out that what's shrinking is the attack
cs> surface *of the application*, not necessarily of JSP (as a
cs> technology) itself. While I agree 100% with (a), here, it's
cs> not because there is anything inherently risky about JSPs.
cs> It's that most people end up writing really awful JSPs that
cs> are full of holes.

Good point. I was not faulting the JSP technology itself, but rather the contents of the JSP files. While the JSPs have been refactored a few times already, I think the next strategic step would be to move them to a safe(r) place.

cjb> b. Separation of duties - I want the JSPs to simply render
cjb> pages and the non-JSP servlets to do all the heavy lifting.

cs> "separation of concerns" allows you to focus on one task in
cs> one piece of code, instead of having a JSP that needs to enforce
cs> security, sanitize inputs, query a database, manage the result
cs> set, etc. all while providing error-handling, etc. Anything that
cs> makes code more maintainable is a big +1 in my book.

+1

cs> One of the ways I have kept my code as maintainable as possible
cs> is by not using JSPs :)

OK, I'll bite. What do you use instead of JSP?

[Chris S. replies, "Yes, folks - hook, line, AND sinker!"]

:-)

-- 
Cris Berneburg
CACI Lead Software Engineer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
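As an added illustration of the split discussed in the thread (the servlet enforces security, validates input and does the lookup; the JSP only renders what it is handed), here is an example that is not from the thread, from Tomcat, or from either poster. It assumes the `javax.servlet` API (Tomcat 9 and earlier), a hypothetical `AccountServlet` mapped at `/account`, a hypothetical view at `/WEB-INF/view/account.jsp`, and a constructed stand-in for data access.

```java
// Added example (not from the thread): the servlet owns validation,
// authorization, data access and error handling, then forwards a plain
// data object to a JSP that contains only markup and output tags.
// AccountServlet, Account, lookup() and /WEB-INF/view/account.jsp are
// hypothetical names chosen for this example.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    // Immutable holder the JSP reads through EL (${account.displayName});
    // no logic lives in the view.
    public static final class Account {
        private final String id;
        private final String displayName;

        public Account(String id, String displayName) {
            this.id = id;
            this.displayName = displayName;
        }

        public String getId() { return id; }
        public String getDisplayName() { return displayName; }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Input validation happens here, not in the JSP: accept only a
        //    short numeric id and reject anything else before any lookup,
        //    so "varying parameters" never reaches the data layer unchecked.
        String id = req.getParameter("id");
        if (id == null || !id.matches("\\d{1,10}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid account id");
            return;
        }

        // 2. Authentication/authorization is enforced in one place.
        //    (Placeholder rule: require an authenticated principal; a real
        //    application would also check that the principal owns the account.)
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 3. The "heavy lifting" (lookup and its error handling) stays here.
        Account account = lookup(id);
        if (account == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Hand the view a finished object and forward to a JSP under
        //    WEB-INF, which the container never serves directly, so the
        //    JSP cannot be reached except through this servlet.
        req.setAttribute("account", account);
        req.getRequestDispatcher("/WEB-INF/view/account.jsp").forward(req, resp);
    }

    // Stand-in for a database call: constructed sample data, not a real store.
    // The angle brackets in the name exist to show that escaping is the
    // view's only job.
    private Account lookup(String id) {
        return "42".equals(id) ? new Account("42", "Example <User>") : null;
    }
}
```

The matching `/WEB-INF/view/account.jsp` then holds nothing but markup and output tags, for instance `<c:out value="${account.displayName}"/>` from JSTL, which HTML-escapes the value so the constructed `<User>` renders as text rather than as a tag. Keeping the JSP free of scriptlets and database code is what shrinks the application's attack surface in the sense Chris describes: there is simply less in the view that can go wrong.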