On 16/10/2020 14:21, Robert Hicks wrote:
> On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 29/09/2020 12:25, Mark Thomas wrote:
>>> Hi all,
>>>
>>> We (the Tomcat community) have some funding from Google to help us
>>> improve Tomcat security. Our original plan was to use the funding to
>>> support an in-person security focussed hackathon. As you would expect,
>>> those plans are on hold for now. We would, therefore, like to explore
>>> the possibility of doing something virtually.
>>>
>>> The purpose of this email is to gather input from the community about
>>> what such an event should look like. With that input we can put together
>>> a plan for the event. So, over to you. What would your ideal virtual
>>> event focussed on Tomcat Security look like?
>>
>> Summarising the suggestions so far:
>> - application security / OWASP
>> - making HTTP requests *from* Tomcat
>>  - SSO / SAML / OpenIDConnect
>>
>> The first two are more application security focussed and would not have
>> to be Tomcat specific.
>>
>> The third is more likely to be Tomcat specific depending on the extent to
>> which the SSO mechanism ties into Tomcat's internals.
>>
>> All the suggestions so far have been for conference like presentations
>> (if I am reading them correctly).
>>
>> Other possibilities:
>> - hackathon to implement (with support from committers) new security
>>   features (no idea what these might be - suggestions welcome)
>>
>> - hackathon to run $tool_of_choice against Tomcat code base, review the
>>   results and fix (with committer support) those that need fixing.
>>   Suggestions as to tools to use welcome*
>>
>> Anything else you'd like to suggest that is related to Tomcat and security.
>>
>> There hasn't been any thought given to timing yet.
>>
>> Mark
>>
>>
>>
>> * I'll note that over the years most if not all of the major static
>> analysis tools have been run against the Tomcat code base and the
>> results have been very heavy on the false positives. Most of the work is
>> likely to be separating the few useful results from a lot of noise.
>>
>>
> Has a "when" been decided yet?

No. We need to talk to the ASF conferences team to see when the hopin
platform will be available.

Mark


> 
> Thanks,
> 
> Bob
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
