You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by "Hoehle, Joerg-Cyril" <Jo...@t-systems.com> on 2005/12/02 12:38:07 UTC
performing a security analsysis on the Tomcat software
Dear tomcat developers,
BSI, the german Federal Office for Information Security
-- Bundesamt fur Sicherheit in der Informationstechnik
http://www.bsi.de, e-mail: oss@bund.bsi.de
endorses the use of Open Source software and has
contracted T-Systems to perform a security check on Tomcat.
The Federal Office for Information Security (BSI) is the central IT
security service provider for the German government. By our basic
research within the area of IT security we take responsibility for the
security of our society, and are thus indispensable to the internal
security of Germany. Our services and products are aimed at the users
and manufacturers of information technology products. Those are
primarily the public administration at federal, state and municipal
level, in addition companies and private users. As Germanys National
Security Agency, it is our goal to promote IT security in Germany so
that everyone can make the most of the opportunities opened up by the
information society.
As part of its activities, BSI has contracted the security engineering
group at T-Systems International to perform security-related testing of
the open source Tomcat software.
These activities comprise the following:
+ installation & documentation checks,
+ a source code review of mod_jk and selected parts of Tomcat,
+ penetration testing.
BSI is going to make the results of the analysis publicly available on
internet, so people will be able to download the study from their site.
Please contact oss@bund.bsi.de for any questions related to the
analysis, or feel free to mail me at Joerg-Cyril.Hoehle@T-Systems.com.
The analysis has already started. I think I owe you people an apology
for already having posted two bugreports (#37322 and #37332) prior to
this announcement of our activity to the mailing list.
We sincerely hope that our analysis will contribute to make Tomcat
even more robust and easy to deploy. So far, we are very pleased
with what we see, which gives us a good impression of the software.
Our goal is to publish to the bugtracker individual and separable
items which can be classified as bugs. We'll alert security@apache.org
for any serious security vulnerabilities we find (which is what
Bugzilla recommends). And finally, I plan to send a general summary
of findings to this mailing list when we'll have finished. These will
be the kind of findings and remarks that do not fit into individual
methods and modules but rather concern the software as a whole.
Regards,
Jorg Hohle.
Solution & Service Center Testfactory & Security
T-Systems International GmbH
Postal address: Deutsche-Telekom-Allee 7, 64295 Darmstadt
Tel. ++49 6151 937-6913
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org