Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2020/09/29 11:25:57 UTC

Virtual event focussed on Tomcat Security

Hi all,

We (the Tomcat community) have some funding from Google to help us
improve Tomcat security. Our original plan was to use the funding to
support an in-person security focussed hackathon. As you would expect,
those plans are on hold for now. We would, therefore, like to explore
the possibility of doing something virtually.

The purpose of this email is to gather input from the community about
what such an event should look like. With that input we can put together
a plan for the event. So, over to you. What would your ideal virtual
event focussed on Tomcat Security look like?

Thanks,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Virtual event focussed on Tomcat Security

Posted by Mark Thomas <ma...@apache.org>.

On 16/10/2020 14:21, Robert Hicks wrote:
> On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 29/09/2020 12:25, Mark Thomas wrote:
>>> Hi all,
>>>
>>> We (the Tomcat community) have some funding from Google to help us
>>> improve Tomcat security. Our original plan was to use the funding to
>>> support an in-person security focussed hackathon. As you would expect,
>>> those plans are on hold for now. We would, therefore, like to explore
>>> the possibility of doing something virtually.
>>>
>>> The purpose of this email is to gather input from the community about
>>> what such an event should look like. With that input we can put together
>>> a plan for the event. So, over to you. What would your ideal virtual
>>> event focussed on Tomcat Security look like?
>>
>> Summarising the suggestions so far:
>> - application security / OWASP
>> - making HTTP requests *from* Tomcat
>> - SSO / SAML / OpenIDConnect
>>
>> The first two are more application security focussed and would not have
>> to be Tomcat specific.
>>
>> The third is more likely to be Tomcat specific, depending on the extent to
>> which the SSO mechanism ties into Tomcat's internals.
>>
>> All the suggestions so far have been for conference-like presentations
>> (if I am reading them correctly).
>>
>> Other possibilities:
>> - hackathon to implement (with support from committers) new security
>>   features (no idea what these might be - suggestions welcome)
>>
>> - hackathon to run $tool_of_choice against Tomcat code base, review the
>>   results and fix (with committer support) those that need fixing.
>>   Suggestions as to tools to use welcome*
>>
>> Anything else you'd like to suggest that is related to Tomcat and security.
>>
>> There hasn't been any thought given to timing yet.
>>
>> Mark
>>
>>
>>
>> * I'll note that over the years most if not all of the major static
>> analysis tools have been run against the Tomcat code base and the
>> results have been very heavy on the false positives. Most of the work is
>> likely to be separating the few useful results from a lot of noise.
>>
>>
> Has a "when" been decided yet?

No. We need to talk to the ASF conferences team to see when the Hopin
platform will be available.

Mark


> 
> Thanks,
> 
> Bob
> 



Re: Virtual event focussed on Tomcat Security

Posted by Robert Hicks <ro...@gmail.com>.
On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas <ma...@apache.org> wrote:

> On 29/09/2020 12:25, Mark Thomas wrote:
> > Hi all,
> >
> > We (the Tomcat community) have some funding from Google to help us
> > improve Tomcat security. Our original plan was to use the funding to
> > support an in-person security focussed hackathon. As you would expect,
> > those plans are on hold for now. We would, therefore, like to explore
> > the possibility of doing something virtually.
> >
> > The purpose of this email is to gather input from the community about
> > what such an event should look like. With that input we can put together
> > a plan for the event. So, over to you. What would your ideal virtual
> > event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
> - SSO / SAML / OpenIDConnect
>
> The first two are more application security focussed and would not have
> to be Tomcat specific.
>
> The third is more likely to be Tomcat specific, depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.
>
> All the suggestions so far have been for conference-like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
>
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.
>
>
Has a "when" been decided yet?

Thanks,

Bob

Re: Virtual event focussed on Tomcat Security

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 10/15/20 14:01, Mark Thomas wrote:
> On 29/09/2020 12:25, Mark Thomas wrote:
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put together
>> a plan for the event. So, over to you. What would your ideal virtual
>> event focussed on Tomcat Security look like?
> 
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
> - SSO / SAML / OpenIDConnect
> 
> The first two are more application security focused and would not have
> to be Tomcat specific.
> 
> The third is more likely to be Tomcat specific, depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.

I've built incoming single-legged SAML SSO into my own application
without any external libraries, so I could lead a group to work on this
kind of thing.

> All the suggestions so far have been for conference-like presentations
> (if I am reading them correctly).
> 
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
> 
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
> 
> Anything else you'd like to suggest that is related to Tomcat and security.
> 
> There hasn't been any thought given to timing yet.
> 
> Mark
> 
> 
> 
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.

+1

It's worth running new tools against Tomcat and then having many eyes
look at the list to determine false-positives.

-chris



Re: Virtual event focussed on Tomcat Security

Posted by Mark Thomas <ma...@apache.org>.
On 29/09/2020 12:25, Mark Thomas wrote:
> Hi all,
> 
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
> 
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?

Summarising the suggestions so far:
- application security / OWASP
- making HTTP requests *from* Tomcat
- SSO / SAML / OpenIDConnect

The first two are more application security focussed and would not have
to be Tomcat specific.

The third is more likely to be Tomcat specific, depending on the extent to
which the SSO mechanism ties into Tomcat's internals.

All the suggestions so far have been for conference-like presentations
(if I am reading them correctly).

Other possibilities:
- hackathon to implement (with support from committers) new security
  features (no idea what these might be - suggestions welcome)

- hackathon to run $tool_of_choice against Tomcat code base, review the
  results and fix (with committer support) those that need fixing.
  Suggestions as to tools to use welcome*

Anything else you'd like to suggest that is related to Tomcat and security.

There hasn't been any thought given to timing yet.

Mark



* I'll note that over the years most if not all of the major static
analysis tools have been run against the Tomcat code base and the
results have been very heavy on the false positives. Most of the work is
likely to be separating the few useful results from a lot of noise.



RE: Virtual event focussed on Tomcat Security

Posted by jo...@wellsfargo.com.INVALID.
I really like the idea of this. Something similar to ApacheCon, or a series of Zoom meetings or such.


Jon McAlexander
Infrastructure Engineer
Asst Vice President

jonmcalexander@wellsfargo.com


-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Tuesday, September 29, 2020 6:26 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Virtual event focussed on Tomcat Security

Hi all,

We (the Tomcat community) have some funding from Google to help us improve Tomcat security. Our original plan was to use the funding to support an in-person security focussed hackathon. As you would expect, those plans are on hold for now. We would, therefore, like to explore the possibility of doing something virtually.

The purpose of this email is to gather input from the community about what such an event should look like. With that input we can put together a plan for the event. So, over to you. What would your ideal virtual event focussed on Tomcat Security look like?

Thanks,

Mark



Re: Virtual event focussed on Tomcat Security

Posted by Luis Rodríguez Fernández <uo...@gmail.com>.
Hello there,

Sounds good!

For the authentication of our Tomcat applications we rely on an SSO solution
(Keycloak) using standards like SAML and OpenIDConnect. Maybe a session
about this can fit in the event. I would be interested in what other folks
are doing in this field.

Thanks,

Luis


On Thu, 1 Oct 2020 at 17:19, Christopher Schultz (<
chris@christopherschultz.net>) wrote:

> Raghu,
>
> On 9/30/20 10:35, Mysore, Raghunath wrote:
> > This plan about Tomcat security is very nice. We look forward to the
> meetings.
> >
> > Could we have a session related to " Best practices for using  Tomcat
> > +  (Apache Web Server) Forward Proxy (FP) combo in a real production
> > environment "  where an application hosted in Tomcat (web) container,
> > targets a  destination system in the internet, through the FP ?
> There are some presentations already on our "presentations" page that
> might address some of your questions. Is there something specific that
> is missing?
>
> http://tomcat.apache.org/presentations.html
>
> > The application communicates with the destination system on a TLS
> > channel. The FP is placed in a perimeter zone.   The role of FP is to
> > route the intranet traffic to the destination system in internet.
>
> This sounds like a fairly specific use-case. Are you looking for help in
> building such a system, or some suggestions for making sure that it's
> secure, high-performance, etc.?
>
> > Is there any generalized document that makes assessment (and
> > recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> > world set up?
> No, but it would probably be an interesting subject for a presentation.
> Maybe you could work with others in the community to develop such a
> presentation and in fact present it at an upcoming conference!
>
> -chris
>
> > -----Original Message-----
> > From: Maarten van Hulsentop <ma...@vanhulsentop.nl>
> > Sent: Wednesday, September 30, 2020 3:10 AM
> > To: Tomcat Users List <us...@tomcat.apache.org>
> > Subject: Re: Virtual event focussed on Tomcat Security
> >
> > Hi Mark,
> >
> > This sounds like a great idea to me. Security is a very important topic,
> and the maturity of the Tomcat makes it a very secure choice for users. I
> am sure a lot of people will be interested to join in.
> >
> > What is not completely clear to me on this event; would this event be
> focussed on improving the security of Tomcat from within (as a Hackathon
> suggests)? Like trying to find security flaws/improvements and get them
> fixed,
> > or is this meant to be an educational event where information is shared
> about secure setups/hardening of the Tomcat in production systems? Or a
> little of both?
> >
> > For the educational/hardening aspect, it could be nice to team up
> with/involve OWASP?
> >
> > I am surely interested to pitch in on this topic!
> >
> > Kind regards,
> >
> > Maarten van Hulsentop
> >
> > On Tue, 29 Sep 2020 at 13:26, Mark Thomas <ma...@apache.org> wrote:
> >
> >> Hi all,
> >>
> >> We (the Tomcat community) have some funding from Google to help us
> >> improve Tomcat security. Our original plan was to use the funding to
> >> support an in-person security focussed hackathon. As you would expect,
> >> those plans are on hold for now. We would, therefore, like to explore
> >> the possibility of doing something virtually.
> >>
> >> The purpose of this email is to gather input from the community about
> >> what such an event should look like. With that input we can put
> >> together a plan for the event. So, over to you. What would your ideal
> >> virtual event focussed on Tomcat Security look like?
> >>
> >> Thanks,
> >>
> >> Mark
> >>
> >>
> >>
> >
> >
>
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Re: Virtual event focussed on Tomcat Security

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Raghu,

On 9/30/20 10:35, Mysore, Raghunath wrote:
> This plan about Tomcat security is very nice. We look forward to the meetings. 
>
> Could we have a session related to " Best practices for using  Tomcat
> +  (Apache Web Server) Forward Proxy (FP) combo in a real production
> environment "  where an application hosted in Tomcat (web) container,
> targets a  destination system in the internet, through the FP ?
There are some presentations already on our "presentations" page that
might address some of your questions. Is there something specific that
is missing?

http://tomcat.apache.org/presentations.html

> The application communicates with the destination system on a TLS
> channel. The FP is placed in a perimeter zone.   The role of FP is to
> route the intranet traffic to the destination system in internet.

This sounds like a fairly specific use-case. Are you looking for help in
building such a system, or some suggestions for making sure that it's
secure, high-performance, etc.?

> Is there any generalized document that makes assessment (and
> recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> world set up?
No, but it would probably be an interesting subject for a presentation.
Maybe you could work with others in the community to develop such a
presentation and in fact present it at an upcoming conference!

-chris

> -----Original Message-----
> From: Maarten van Hulsentop <ma...@vanhulsentop.nl> 
> Sent: Wednesday, September 30, 2020 3:10 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Virtual event focussed on Tomcat Security
> 
> Hi Mark,
> 
> This sounds like a great idea to me. Security is a very important topic, and the maturity of the Tomcat makes it a very secure choice for users. I am sure a lot of people will be interested to join in.
> 
> What is not completely clear to me on this event; would this event be focussed on improving the security of Tomcat from within (as a Hackathon suggests)? Like trying to find security flaws/improvements and get them fixed,
> or is this meant to be an educational event where information is shared about secure setups/hardening of the Tomcat in production systems? Or a little of both?
> 
> For the educational/hardening aspect, it could be nice to team up with/involve OWASP?
> 
> I am surely interested to pitch in on this topic!
> 
> Kind regards,
> 
> Maarten van Hulsentop
> 
> On Tue, 29 Sep 2020 at 13:26, Mark Thomas <ma...@apache.org> wrote:
> 
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us 
>> improve Tomcat security. Our original plan was to use the funding to 
>> support an in-person security focussed hackathon. As you would expect, 
>> those plans are on hold for now. We would, therefore, like to explore 
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about 
>> what such an event should look like. With that input we can put 
>> together a plan for the event. So, over to you. What would your ideal 
>> virtual event focussed on Tomcat Security look like?
>>
>> Thanks,
>>
>> Mark
>>
>>
>>
> 
> 



RE: Virtual event focussed on Tomcat Security

Posted by "Mysore, Raghunath" <rm...@visa.com.INVALID>.
Greetings, Folks,

This plan about Tomcat security is very nice. We look forward to the meetings.

Could we have a session related to "Best practices for using Tomcat + (Apache Web Server) Forward Proxy (FP) combo in a real production environment", where an application hosted in a Tomcat (web) container targets a destination system on the internet through the FP?

The application communicates with the destination system on a TLS channel. The FP is placed in a perimeter zone. The role of the FP is to route the intranet traffic to the destination system on the internet.

If it is desired to have TLS terminated on the FP, and an SSL (or TLS) intercept is being sought, what is the best way to accomplish this interception (so that the application's communication reaches the destination system smoothly)?

The TLS intercept portion intends to decrypt the TLS transactions, check for security compliance and then re-encrypt to push the traffic to the destination system.

Is there any generalized document that makes an assessment (and recommendations) of a Tomcat plus Forward Proxy combo in a real world set up?

Thanks,
   -Raghu 

-----Original Message-----
From: Maarten van Hulsentop <ma...@vanhulsentop.nl> 
Sent: Wednesday, September 30, 2020 3:10 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Virtual event focussed on Tomcat Security

Hi Mark,

This sounds like a great idea to me. Security is a very important topic, and the maturity of the Tomcat makes it a very secure choice for users. I am sure a lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be focussed on improving the security of Tomcat from within (as a Hackathon suggests)? Like trying to find security flaws/improvements and get them fixed,
or is this meant to be an educational event where information is shared about secure setups/hardening of the Tomcat in production systems? Or a little of both?

For the educational/hardening aspect, it could be nice to team up with/involve OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

On Tue, 29 Sep 2020 at 13:26, Mark Thomas <ma...@apache.org> wrote:

> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us 
> improve Tomcat security. Our original plan was to use the funding to 
> support an in-person security focussed hackathon. As you would expect, 
> those plans are on hold for now. We would, therefore, like to explore 
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about 
> what such an event should look like. With that input we can put 
> together a plan for the event. So, over to you. What would your ideal 
> virtual event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
>
>
>

Re: Virtual event focussed on Tomcat Security

Posted by Maarten van Hulsentop <ma...@vanhulsentop.nl>.
Hi Mark,

This sounds like a great idea to me. Security is a very important topic,
and the maturity of the Tomcat makes it a very secure choice for users. I
am sure a lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be
focussed on improving the security of Tomcat from within (as a Hackathon
suggests)? Like trying to find security flaws/improvements and get them
fixed, or is this meant to be an educational event where information is
shared about secure setups/hardening of the Tomcat in production systems?
Or a little of both?

For the educational/hardening aspect, it could be nice to team up
with/involve OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

On Tue, 29 Sep 2020 at 13:26, Mark Thomas <ma...@apache.org> wrote:

> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
>
>
>