Quick review of outline for Tomcat security presentation?


Quick review of outline for Tomcat security presentation?

Christopher Schultz-2

All,

I'm going to be presenting at the upcoming Apache RoadShow in
Washington, DC -- Monday, March 25th if you are local -- and my
presentation is on locking-down Tomcat.

I have an outline that I'd like anyone to take a look at. It's only 15
slides long and will take someone about 60 seconds to read-through.

I'm wondering if I'm missing anything important.

The audience will be (probably) from college students to system
administrators, so it won't go into excruciating detail about
everything. More of a checklist of things to consider and WHY.

If anyone is willing to take a quick look and give me some feedback,
I'd appreciate it.

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Quick review of outline for Tomcat security presentation?

Christopher Schultz-2

All,

New and improved! With a link to the outline!

https://people.apache.org/~schultz/Apache%20RoadShow%20DC%202019/Locking-Down%20Apache%20Tomcat_outline.pdf

Thanks,
-chris

On 2/11/19 11:54, Christopher Schultz wrote:

> All,
>
> I'm going to be presenting at the upcoming Apache RoadShow in
> Washington, DC -- Monday, March 25th if you are local -- and my
> presentation is on locking-down Tomcat.
>
> I have an outline that I'd like anyone to take a look at. It's only
> 15 slides long and will take someone about 60 seconds to
> read-through.
>
> I'm wondering if I'm missing anything important.
>
> The audience will be (probably) from college students to system
> administrators, so it won't go into excruciating detail about
> everything. More of a checklist of things to consider and WHY.
>
> If anyone is willing to take a quick look and give me some
> feedback, I'd appreciate it.
>
> Thanks, -chris
>



Re: Quick review of outline for Tomcat security presentation?

Mark Thomas-2
On 11/02/2019 19:53, Christopher Schultz wrote:
> https://people.apache.org/~schultz/Apache%20RoadShow%20DC%202019/Locking-Down%20Apache%20Tomcat_outline.pdf

s/Default credentials/No default credentials/

Some Tomcat directories (logs, work) need to be writable by the Tomcat
user.

Add the Manager app to the sharp edges. App deployment == RCE.

App is biggest risk.

HTH,

Mark



Re: Quick review of outline for Tomcat security presentation?

Christopher Schultz-2

Mark,

Thanks for the review.

On 2/11/19 15:24, Mark Thomas wrote:
> On 11/02/2019 19:53, Christopher Schultz wrote:
>> https://people.apache.org/~schultz/Apache%20RoadShow%20DC%202019/Locking-Down%20Apache%20Tomcat_outline.pdf
>
> s/Default credentials/No default credentials/

That will be the point of this part: Tomcat has *zero* default
credentials. I'm happy to re-name that part of the outline, but of
course the content won't really change.

> Some Tomcat directories (logs, work) need to be writable by the
> Tomcat user.

Ack

> Add the Manager app to the sharp edges. App deployment == RCE.

Ack

> App is biggest risk.

Thanks. That's what this presentation is going to point out, and give
some tips for things Tomcat can do to help the application like
CORS/CSRF. These are not well-understood things in app-dev land, and
they need to be.

-chris



Re: Quick review of outline for Tomcat security presentation?

Tim Funk-2
Nice ...

Some possible adds ..
- Keep your java up to date (companion point to OS update)
- Link to OWASP (whole talk to itself)
- IP Filtering ... Consider a WAF
- IP Filtering ... Where possible - Block all outbound connections
- Maybe Lockout realm worth a quick mention?
- IIRC: Clustering has assumptions on the security of the network


-Tim

On Mon, Feb 11, 2019 at 2:53 PM Christopher Schultz <[hidden email]> wrote:

> All,
>
> New and improved! With a link to the outline!
>
> https://people.apache.org/~schultz/Apache%20RoadShow%20DC%202019/Locking-Down%20Apache%20Tomcat_outline.pdf
>
>
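Mark's points above (no default credentials; the Manager app as a sharp edge, since deploying an app is remote code execution) and Tim's suggestions (LockOutRealm, IP filtering) are all visible in three Tomcat configuration files. The script below is an added example for this thread, not code from the thread's participants or from Tomcat itself: a small Python audit that parses constructed `server.xml`, `tomcat-users.xml` and Manager `context.xml` fragments and reports which of those hardening points are missing. The class names (`LockOutRealm`, `UserDatabaseRealm`, `RemoteAddrValve`, `RemoteCIDRValve`) are Tomcat's real ones; the sample configs, the `failureCount`/`lockOutTime` values and the function names are constructed for illustration and are not taken from any real deployment.

```python
"""Audit Tomcat configuration fragments for the hardening points raised in
the thread: Manager-role users, a LockOutRealm around the user realm, and an
IP filter on the Manager application's context.  Example code, not Tomcat's."""
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
IP_FILTER_VALVES = {
    "org.apache.catalina.valves.RemoteAddrValve",
    "org.apache.catalina.valves.RemoteCIDRValve",
}

# --- constructed samples (labelled as such; not from a real server) --------
# Like the file Tomcat ships, this one defines no active user at all: the
# only <user> is inside a comment, which the XML parser discards.
TOMCAT_USERS_DEFAULT = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="must-be-changed" roles="tomcat"/>
  -->
</tomcat-users>"""

# An administrator has uncommented a user and handed it Manager roles.
TOMCAT_USERS_WITH_ADMIN = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="CHANGE-ME" roles="manager-gui,admin-gui"/>
</tomcat-users>"""

SERVER_XML_GOOD = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>"""

SERVER_XML_WEAK = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>"""

# Manager context with the loopback-only RemoteAddrValve, and one without it.
MANAGER_CONTEXT_GOOD = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""
MANAGER_CONTEXT_WEAK = """<Context antiResourceLocking="false" privileged="true"/>"""


def _local(tag):
    """Strip the namespace from a tag such as {http://tomcat.apache.org/xml}user."""
    return tag.rsplit("}", 1)[-1]


def manager_users(tomcat_users_xml):
    """Usernames holding any manager-* role (manager-gui, manager-script, ...)."""
    root = ET.fromstring(tomcat_users_xml)
    found = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if any(r.startswith("manager-") for r in roles):
            found.append(el.get("username"))
    return found


def has_lockout_realm(server_xml):
    """True when a LockOutRealm wraps an inner Realm (brute-force lockout)."""
    root = ET.fromstring(server_xml)
    return any(
        realm.get("className") == LOCKOUT_REALM and realm.find("Realm") is not None
        for realm in root.iter("Realm")
    )


def manager_ip_restricted(context_xml):
    """True when an address-filtering Valve with an allow/deny list is present."""
    root = ET.fromstring(context_xml)
    return any(
        valve.get("className") in IP_FILTER_VALVES
        and (valve.get("allow") or valve.get("deny"))
        for valve in root.iter("Valve")
    )


def audit(server_xml, tomcat_users_xml, manager_context_xml):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    users = manager_users(tomcat_users_xml)
    if users:
        findings.append("Manager roles granted to: %s (app deployment == RCE)"
                        % ", ".join(users))
    if not has_lockout_realm(server_xml):
        findings.append("user realm is not wrapped in a LockOutRealm")
    if not manager_ip_restricted(manager_context_xml):
        findings.append("Manager context has no RemoteAddrValve/RemoteCIDRValve")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", (SERVER_XML_GOOD, TOMCAT_USERS_DEFAULT, MANAGER_CONTEXT_GOOD)),
                       ("weak", (SERVER_XML_WEAK, TOMCAT_USERS_WITH_ADMIN, MANAGER_CONTEXT_WEAK))):
        print(label, audit(*cfg) or ["no findings"])
```

Note that a user with a Manager role is reported as a finding rather than an error: someone has to be able to deploy, and the point of Mark's comment is that such an account should exist deliberately and be protected by the other two controls, not that it can never exist.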