On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas <ma...@apache.org> wrote:
> On 29/09/2020 12:25, Mark Thomas wrote:
> > Hi all,
> >
> > We (the Tomcat community) have some funding from Google to help us improve Tomcat security. Our original plan was to use the funding to support an in-person security focussed hackathon. As you would expect, those plans are on hold for now. We would, therefore, like to explore the possibility of doing something virtually.
> >
> > The purpose of this email is to gather input from the community about what such an event should look like. With that input we can put together a plan for the event. So, over to you. What would your ideal virtual event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
> - SSO / SAML / OpenIDConnect
>
> The first two are more application security focussed and would not have to be Tomcat specific.
>
> The third is more likely to be Tomcat specific depending on the extent to which the SSO mechanism ties into Tomcat's internals.
>
> All the suggestions so far have been for conference-like presentations (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security features (no idea what these might be - suggestions welcome)
> - hackathon to run $tool_of_choice against the Tomcat code base, review the results and fix (with committer support) those that need fixing. Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
> * I'll note that over the years most if not all of the major static analysis tools have been run against the Tomcat code base and the results have been very heavy on the false positives. Most of the work is likely to be separating the few useful results from a lot of noise.

Has a "when" been decided yet?

Thanks,
Bob