Sanaullah,

On 8/4/14, 9:19 PM, Sanaullah wrote:
> Thanks to all.
> 
> I was looking for something similar to this [1] which is implemented in
> JBoss.
> 
> [1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

Congratulations: you'll pass a security audit that flags this as a
problem.

Fail: you have moved your password to another file, and not gained a
single thing.

You may now celebrate the incompetence of both your auditors and
engineering staff for sidestepping an issue rather than soberly
dealing with it head-on.

This is why formal risk analyses are much better than crappy
script-based security audits. First of all, they force you to be much
more creative than a script you paid someone a huge sum of money to
run that only tells you obvious things that a light reading of any
OWASP documentation would already tell you, *and* it gives you the
opportunity to say "this thing doesn't matter at all, and even if we
*did* do something about it, it wouldn't make any damn bit of difference."

It's time engineering teams started teaching management about security.

-chris
