Posted to users@tomcat.apache.org by "Cox, Charlie" <cc...@cincom.com> on 2002/03/28 16:36:33 UTC

RE: RE: Who use Tomcat as a stand-alone server in production environment ?


> -----Original Message-----
> From: Kim Altintop [mailto:kim@deepfx.com]
> Sent: Wednesday, March 27, 2002 5:04 PM
> To: Tomcat Users List
> Subject: Re: RE: Who use Tomcat as a stand-alone server in production environment ?
> 
> 
> Hi Charlie,
> 
> >> No, I don't use a security manager. My machine is secure, so I am not
> >> concerned about rogue servlets somehow making their way to my system. I
> >> would be more concerned about it if we had more developers, used third
> >> party software (non-open source), etc.
> 
> Hum, that's an interesting statement... I once read the following
> somewhere: "If you don't know how to break it, that doesn't mean it's
> secure". However, I also tend to trust my own software. But how do you
> explain that to your customers? Using the exact words you used above, I
> guess ;-)
> 

Well, I didn't want to disclose all aspects of my system, in case there is a
vulnerability... My advantage is that my customers are all internal, so they
don't challenge our knowledge as an outside client would if I were
outsourcing/hosting.

Don't get me wrong - we have done security testing - we used SiteAngel to
send several hundred unique requests through our server, and the only warning
was that we were using Windows. Certainly this doesn't cover all
possibilities, but it is a good test.

So it's not as if I'm ignoring security altogether; it's just that the layers
that we have in place now are sufficient for the sites. SecurityManager was
just one extra layer that I haven't yet looked into.

Charlie
