Posted to users@tomcat.apache.org by "GAN Kok Leong, Adrian" <ga...@stee.stengg.com> on 2016/12/06 07:21:08 UTC

SSDLC Compliance

Hi,

We have a cybersecurity requirement for all software. We would like to know whether Tomcat version 7.0.25 is developed and complies with Secure Software Development Life Cycle (SSDLC)?

Regards
Adrian Gan


---ST Electronics Group---


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSDLC Compliance

Posted by Mark Thomas <ma...@apache.org>.
On 06/12/2016 07:21, GAN Kok Leong, Adrian wrote:
> Hi,
> 
> We have a cybersecurity requirement for all software. We would like
> to know whether Tomcat version 7.0.25 is developed and complies with
> Secure Software Development Life Cycle (SSDLC)?

This sounds suspiciously like a security box ticking exercise. I'm sure
someone could make the case that Tomcat development does use a SSDLC
just as easily as someone could make the case that it does not.

A focus on actual security rather than box ticking might ask "Are there
known security vulnerabilities in a piece of software released 4, almost
5, years ago and if there are, why are we still using it?" The answer to
the first part of that question may be found here:

http://tomcat.apache.org/security-7.html

Mark
