On 29/09/2020 12:25, Mark Thomas wrote:
> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?
Summarising the suggestions so far:

- application security / OWASP
- making HTTP requests *from* Tomcat
- SSO / SAML / OpenIDConnect

The first two are more application security focussed and would not have to be Tomcat specific. The third is more likely to be Tomcat specific, depending on the extent to which the SSO mechanism ties into Tomcat's internals.

All the suggestions so far have been for conference-like presentations (if I am reading them correctly).

Other possibilities:

- hackathon to implement (with support from committers) new security features (no idea what these might be - suggestions welcome)
- hackathon to run $tool_of_choice against the Tomcat code base, review the results and fix (with committer support) those that need fixing. Suggestions as to tools to use welcome*

Anything else you'd like to suggest that is related to Tomcat and security.

There hasn't been any thought given to timing yet.

Mark

* I'll note that over the years most if not all of the major static analysis tools have been run against the Tomcat code base and the results have been very heavy on the false positives. Most of the work is likely to be separating the few useful results from a lot of noise.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org