Virtual event focussed on Tomcat Security

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Virtual event focussed on Tomcat Security

markt
Hi all,

We (the Tomcat community) have some funding from Google to help us
improve Tomcat security. Our original plan was to use the funding to
support an in-person security focussed hackathon. As you would expect,
those plans are on hold for now. We would, therefore, like to explore
the possibility of doing something virtually.

The purpose of this email is to gather input from the community about
what such an event should look like. With that input we can put together
a plan for the event. So, over to you. What would your ideal virtual
event focussed on Tomcat Security look like?

Thanks,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Virtual event focussed on Tomcat Security

jonmcalexander
I really like the idea of this. Something similar to the ApacheCon, or a series of ZOOM meetings or such.


Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

[hidden email]


This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


-----Original Message-----
From: Mark Thomas <[hidden email]>
Sent: Tuesday, September 29, 2020 6:26 AM
To: Tomcat Users List <[hidden email]>
Subject: Virtual event focussed on Tomcat Security

Hi all,

We (the Tomcat community) have some funding from Google to help us improve Tomcat security. Our original plan was to use the funding to support an in-person security focussed hackathon. As you would expect, those plans are on hold for now. We would, therefore, like to explore the possibility of doing something virtually.

The purpose of this email is to gather input from the community about what such an event should look like. With that input we can put together a plan for the event. So, over to you. What would your ideal virtual event focussed on Tomcat Security look like?

Thanks,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

Maarten van Hulsentop
In reply to this post by markt
Hi Mark,

This sounds like a great idea to me. Security is a very important topic,
and the maturity of the Tomcat makes it a very secure choice for users. I
am sure a lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be
focussed on improving the security of Tomcat from within (as a Hackathon
suggests)? Like trying to find security flaws/improvements and get them
fixed.
or is this meant to be an educational event where information is shared
about secure setups/hardening of the Tomcat in production systems? Or a
little of both?

For the educational/hardening aspect, it could be nice to team up
with/involve OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

Op di 29 sep. 2020 om 13:26 schreef Mark Thomas <[hidden email]>:

> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

RE: Virtual event focussed on Tomcat Security

Mysore, Raghunath
Greetings, Folks
This plan about Tomcat security is very nice. We look forward to the meetings.
Could we have a session related to " Best practices for using  Tomcat +  (Apache Web Server) Forward Proxy (FP) combo in a real production environment "  where an application hosted in Tomcat (web) container, targets a  destination system in the internet, through the FP ?
The application communicates with the destination system on a TLS channel. The FP is placed in a perimeter zone.   The role of FP is to route the intranet traffic to the destination system in internet.  
If it is desired to have TLS terminated on the FP, and a SSL (or TLS)  intercept is being sought - what is the best way to accomplish this interception  (so that the application's communication reaches the destination system smoothly) ?
The TLS intercept portion  intends to decrypt the TLS transactions, check for security compliance  and then re-encrypt to push the traffic to the destination system.
Is there any generalized document that makes assessment (and recommendations) of a Tomcat plus a Forward Proxy combo, in a real word set up ?

Thanks,
   -Raghu

-----Original Message-----
From: Maarten van Hulsentop <[hidden email]>
Sent: Wednesday, September 30, 2020 3:10 AM
To: Tomcat Users List <[hidden email]>
Subject: Re: Virtual event focussed on Tomcat Security

Hi Mark,

This sounds like a great idea to me. Security is a very important topic, and the maturity of the Tomcat makes it a very secure choice for users. I am sure a lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be focussed on improving the security of Tomcat from within (as a Hackathon suggests)? Like trying to find security flaws/improvements and get them fixed.
or is this meant to be an educational event where information is shared about secure setups/hardening of the Tomcat in production systems? Or a little of both?

For the educational/hardening aspect, it could be nice to team up with/involve OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

Op di 29 sep. 2020 om 13:26 schreef Mark Thomas <[hidden email]>:

> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put
> together a plan for the event. So, over to you. What would your ideal
> virtual event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

Christopher Schultz-2
Raghu,

On 9/30/20 10:35, Mysore, Raghunath wrote:
> This plan about Tomcat security is very nice. We look forward to the meetings.
>
> Could we have a session related to " Best practices for using  Tomcat
> +  (Apache Web Server) Forward Proxy (FP) combo in a real production
> environment "  where an application hosted in Tomcat (web) container,
> targets a  destination system in the internet, through the FP ?
There are some presentations already on our "presentations" page that
might address some of your questions. Is there something specific that
is missing?

http://tomcat.apache.org/presentations.html

> The application communicates with the destination system on a TLS
> channel. The FP is placed in a perimeter zone.   The role of FP is to
> route the intranet traffic to the destination system in internet.

This sounds like a fairly specific use-case. Are you looking for help in
building such a system, or some suggestions for making sure that it's
secure, high-performance, etc.?

> Is there any generalized document that makes assessment (and
> recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> word set up ?
No, but it would probably be an interesting subject for a presentation.
Maybe you could work with others in the community to develop such a
presentation and in fact present it at an upcoming conference!

-chris

> -----Original Message-----
> From: Maarten van Hulsentop <[hidden email]>
> Sent: Wednesday, September 30, 2020 3:10 AM
> To: Tomcat Users List <[hidden email]>
> Subject: Re: Virtual event focussed on Tomcat Security
>
> Hi Mark,
>
> This sounds like a great idea to me. Security is a very important topic, and the maturity of the Tomcat makes it a very secure choice for users. I am sure a lot of people will be interested to join in.
>
> What is not completely clear to me on this event; would this event be focussed on improving the security of Tomcat from within (as a Hackathon suggests)? Like trying to find security flaws/improvements and get them fixed.
> or is this meant to be an educational event where information is shared about secure setups/hardening of the Tomcat in production systems? Or a little of both?
>
> For the educational/hardening aspect, it could be nice to team up with/involve OWASP?
>
> I am surely interested to pitch in on this topic!
>
> Kind regards,
>
> Maarten van Hulsentop
>
> Op di 29 sep. 2020 om 13:26 schreef Mark Thomas <[hidden email]>:
>
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put
>> together a plan for the event. So, over to you. What would your ideal
>> virtual event focussed on Tomcat Security look like?
>>
>> Thanks,
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

Luis Rodríguez Fernández
Hello there,

Sounds good!

For the authentication of our tomcat applications we rely on a SSO solution
(keycloak) using standards like SAML and OpenIDConnect. Maybe a session
about this can fit in the event. I would be interested in what other folks
are doing in this field.

Thanks,

Luis







El jue., 1 oct. 2020 a las 17:19, Christopher Schultz (<
[hidden email]>) escribió:

> Raghu,
>
> On 9/30/20 10:35, Mysore, Raghunath wrote:
> > This plan about Tomcat security is very nice. We look forward to the
> meetings.
> >
> > Could we have a session related to " Best practices for using  Tomcat
> > +  (Apache Web Server) Forward Proxy (FP) combo in a real production
> > environment "  where an application hosted in Tomcat (web) container,
> > targets a  destination system in the internet, through the FP ?
> There are some presentations already on our "presentations" page that
> might address some of your questions. Is there something specific that
> is missing?
>
> http://tomcat.apache.org/presentations.html
>
> > The application communicates with the destination system on a TLS
> > channel. The FP is placed in a perimeter zone.   The role of FP is to
> > route the intranet traffic to the destination system in internet.
>
> This sounds like a fairly specific use-case. Are you looking for help in
> building such a system, or some suggestions for making sure that it's
> secure, high-performance, etc.?
>
> > Is there any generalized document that makes assessment (and
> > recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> > word set up ?
> No, but it would probably be an interesting subject for a presentation.
> Maybe you could work with others in the community to develop such a
> presentation and in fact present it at an upcoming conference!
>
> -chris
>
> > -----Original Message-----
> > From: Maarten van Hulsentop <[hidden email]>
> > Sent: Wednesday, September 30, 2020 3:10 AM
> > To: Tomcat Users List <[hidden email]>
> > Subject: Re: Virtual event focussed on Tomcat Security
> >
> > Hi Mark,
> >
> > This sounds like a great idea to me. Security is a very important topic,
> and the maturity of the Tomcat makes it a very secure choice for users. I
> am sure a lot of people will be interested to join in.
> >
> > What is not completely clear to me on this event; would this event be
> focussed on improving the security of Tomcat from within (as a Hackathon
> suggests)? Like trying to find security flaws/improvements and get them
> fixed.
> > or is this meant to be an educational event where information is shared
> about secure setups/hardening of the Tomcat in production systems? Or a
> little of both?
> >
> > For the educational/hardening aspect, it could be nice to team up
> with/involve OWASP?
> >
> > I am surely interested to pitch in on this topic!
> >
> > Kind regards,
> >
> > Maarten van Hulsentop
> >
> > Op di 29 sep. 2020 om 13:26 schreef Mark Thomas <[hidden email]>:
> >
> >> Hi all,
> >>
> >> We (the Tomcat community) have some funding from Google to help us
> >> improve Tomcat security. Our original plan was to use the funding to
> >> support an in-person security focussed hackathon. As you would expect,
> >> those plans are on hold for now. We would, therefore, like to explore
> >> the possibility of doing something virtually.
> >>
> >> The purpose of this email is to gather input from the community about
> >> what such an event should look like. With that input we can put
> >> together a plan for the event. So, over to you. What would your ideal
> >> virtual event focussed on Tomcat Security look like?
> >>
> >> Thanks,
> >>
> >> Mark
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [hidden email]
> >> For additional commands, e-mail: [hidden email]
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

markt
In reply to this post by markt
On 29/09/2020 12:25, Mark Thomas wrote:

> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?

Summarising the suggestions so far:
- application security / OWASP
- making HTTP requests *from* Tomcat
 - SSO / SAML / OpenIDConnect

The first two are more application security focussed and would not have
to be Tomcat specific.

The third is more likely to Tomcat specific depending on the extent to
which the SSO mechanism ties into Tomcat's internals.

All the suggestions so far have been for conference like presentations
(if I am reading them correctly).

Other possibilities:
- hackathon to implement (with support from committers) new security
  features (no idea what these might be - suggestions welcome)

- hackathon to run $tool_of_choice against Tomcat code base, review the
  results and fix (with committer support) those that need fixing.
  Suggestions as to tools to use welcome*

Anything else you'd like to suggest that is related to Tomcat and security.

There hasn't been any thought given to timing yet.

Mark



* I'll note that over the years most if not all of the major static
analysis tools have been run against the Tomcat code base and the
results have been very heavy on the false positives. Most of the work is
likely to be separating the few useful results from a lot of noise.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

Robert Hicks
On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas <[hidden email]> wrote:

> On 29/09/2020 12:25, Mark Thomas wrote:
> > Hi all,
> >
> > We (the Tomcat community) have some funding from Google to help us
> > improve Tomcat security. Our original plan was to use the funding to
> > support an in-person security focussed hackathon. As you would expect,
> > those plans are on hold for now. We would, therefore, like to explore
> > the possibility of doing something virtually.
> >
> > The purpose of this email is to gather input from the community about
> > what such an event should look like. With that input we can put together
> > a plan for the event. So, over to you. What would your ideal virtual
> > event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
>  - SSO / SAML / OpenIDConnect
>
> The first two are more application security focussed and would not have
> to be Tomcat specific.
>
> The third is more likely to Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.
>
> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
>
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.
>
>
Has a "when" been decided yet?

Thanks,

Bob
Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

Christopher Schultz-2
In reply to this post by markt
Mark,

On 10/15/20 14:01, Mark Thomas wrote:

> On 29/09/2020 12:25, Mark Thomas wrote:
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put together
>> a plan for the event. So, over to you. What would your ideal virtual
>> event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
>  - SSO / SAML / OpenIDConnect
>
> The first two are more application security focused and would not have
> to be Tomcat specific.
>
> The third is more likely to Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.

I've built incoming single-legged SAML SSO into my own application
without any external libraries, so I could led a group to work on this
kind of thing.

> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
>
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.

+1

It's worth running new tools against Tomcat and then having many eyes
look at the list to determine false-positives.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Virtual event focussed on Tomcat Security

markt
In reply to this post by Robert Hicks


On 16/10/2020 14:21, Robert Hicks wrote:

> On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas <[hidden email]> wrote:
>
>> On 29/09/2020 12:25, Mark Thomas wrote:
>>> Hi all,
>>>
>>> We (the Tomcat community) have some funding from Google to help us
>>> improve Tomcat security. Our original plan was to use the funding to
>>> support an in-person security focussed hackathon. As you would expect,
>>> those plans are on hold for now. We would, therefore, like to explore
>>> the possibility of doing something virtually.
>>>
>>> The purpose of this email is to gather input from the community about
>>> what such an event should look like. With that input we can put together
>>> a plan for the event. So, over to you. What would your ideal virtual
>>> event focussed on Tomcat Security look like?
>>
>> Summarising the suggestions so far:
>> - application security / OWASP
>> - making HTTP requests *from* Tomcat
>>  - SSO / SAML / OpenIDConnect
>>
>> The first two are more application security focussed and would not have
>> to be Tomcat specific.
>>
>> The third is more likely to Tomcat specific depending on the extent to
>> which the SSO mechanism ties into Tomcat's internals.
>>
>> All the suggestions so far have been for conference like presentations
>> (if I am reading them correctly).
>>
>> Other possibilities:
>> - hackathon to implement (with support from committers) new security
>>   features (no idea what these might be - suggestions welcome)
>>
>> - hackathon to run $tool_of_choice against Tomcat code base, review the
>>   results and fix (with committer support) those that need fixing.
>>   Suggestions as to tools to use welcome*
>>
>> Anything else you'd like to suggest that is related to Tomcat and security.
>>
>> There hasn't been any thought given to timing yet.
>>
>> Mark
>>
>>
>>
>> * I'll note that over the years most if not all of the major static
>> analysis tools have been run against the Tomcat code base and the
>> results have been very heavy on the false positives. Most of the work is
>> likely to be separating the few useful results from a lot of noise.
>>
>>
> Has a "when" been decided yet?

No. We need to talk to the ASF conferences team to see when the hopin
platform will be available.

Mark


>
> Thanks,
>
> Bob
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]