Marcus,

Milanez, Marcus wrote:
| We are currently using the steps published by OWASP too, in terms of
| tomcat configuration (there are application-related security issues that
| are not covered by the article). Is there something else we should be
| aware of, that is not described?

Tomcat itself is relatively secure. What you really ought to worry about is your own application.

What is the longest password you allow? What is the shortest password you allow? Are passwords easy to guess? Are they easy to change? Are there ways to coax information out of your database without authenticating? Are there ways to store content in the database that will result in possible XSS attacks against your customers? What about the amount of damage an insider can accomplish? Can an administrator see users' passwords? Etc., etc., etc...

These are all not Tomcat-related, so there's not really any one source of information from them. Basically, you have to think like a cracker and try to subvert your own infrastructure. Anything that feels weak probably is.

-chris