Securing Axis Best Practices Time Estimate

[Keast Ann <ke...@bah.com>]

Hi All,

How long does it typically take to secure Axis for a production
environment? 
I"m not talking about securing my webservice code - but Axis itself for
a production environment.

This is in reference to the "Securing Axis" section located on:
http://cvs.apache.org/viewcvs.cgi/~checkout~/ws-axis/java/docs/security.html

Thank you,
Ann

Re: Securing Axis Best Practices Time Estimate

[Keast Ann <ke...@bah.com>]

Hindsight is always 20/20 as they say - I was hoping to get a feel on
what it took from people who had done it. 

Please assume low familiarity with Axis source code. Also assume that
we're logging everything and we will not use Servlets2.3 filters.
This is really an estimate on hardening the Axis source code:
disguising, renaming stuff, and cutting down the build. 

If someone were to ask me, how long will it take for you to build a web
site that meets XYZ requirements? - I would be able to have a ballpark
estimate for the customer. This is the same type of question, only since
I don't really have experience securing Axis - I thought I'd ask other
people who do.

Thank you,
Ann


"matthew.hawthorne" wrote:
> 
> Keast Ann wrote:
> > How long does it typically take to secure Axis for a production
> > environment?
> > I"m not talking about securing my webservice code - but Axis itself for
> > a production environment.
> >
> > This is in reference to the "Securing Axis" section located on:
> > http://cvs.apache.org/viewcvs.cgi/~checkout~/ws-axis/java/docs/security.html
> 
> Although this is, in some ways, a simple question, I also find it to be
> a strange one.  If you are the person who will handle this task, but
> upon reading the list of things to do, couldn't come up with an
> estimate, then you will have to consider the time it will take for you
> to learn how to do these things, and then do them.
> 
> If there is someone else on your team who is also knowledgeable about
> Axis and servlets, perhaps you should ask them for an estimate?
> 
> Some of these items do involve writing code in your application, and
> also modifying the Axis source.  So, it's not just a configuration issue.
> 
> It seems impossible for anyone here to give you an accurate estimate,
> being that it depends on the skill and knowledge of the person who
> performs the task.  How could I possibly know how long it would take
> someone else to do these things?
> 
> Perhaps I'm looking at it the wrong way...

Re: Securing Axis Best Practices Time Estimate

["matthew.hawthorne" <ma...@apache.org>]

Keast Ann wrote:
> How long does it typically take to secure Axis for a production
> environment? 
> I"m not talking about securing my webservice code - but Axis itself for
> a production environment.
> 
> This is in reference to the "Securing Axis" section located on:
> http://cvs.apache.org/viewcvs.cgi/~checkout~/ws-axis/java/docs/security.html


Although this is, in some ways, a simple question, I also find it to be 
a strange one.  If you are the person who will handle this task, but 
upon reading the list of things to do, couldn't come up with an 
estimate, then you will have to consider the time it will take for you 
to learn how to do these things, and then do them.

If there is someone else on your team who is also knowledgeable about 
Axis and servlets, perhaps you should ask them for an estimate?

Some of these items do involve writing code in your application, and 
also modifying the Axis source.  So, it's not just a configuration issue.

It seems impossible for anyone here to give you an accurate estimate, 
being that it depends on the skill and knowledge of the person who 
performs the task.  How could I possibly know how long it would take 
someone else to do these things?

Perhaps I'm looking at it the wrong way...