[seam-dev] Re: Adding a security audit to the Seam QA (release) process

Marc Schoenefeld mschoene at redhat.com
Mon Oct 6 06:13:03 EDT 2008


Hi Pete,

that sounds like a good plan, let's schedule some initial planning for
next week, because this week I am quite busy with after-PTO workload
and SOA testing. How about next Tuesday? BTW, which timezone are you
in? Maybe we can start with a phone chat?

The first things that come into my mind are JSF view state injection,
XSS in all different kinds, remoting misuse, insecure servlet mappings.
During this week I will catch up with the current Seam codebase by
findbugs-ing through it, and maybe already stumble over one or the
other place to start poking into.

Cheers
Marc

Pete Muir wrote:
> Hi Marc,
>
> Something that we've been discussing is the idea of creating a security
> audit checklist that will cover Seam and the ways it interacts with
> the outside world; initially, we want to focus on JSF, Seam Remoting
> (Ajax) and Servlet, but we will also consider adding in WS including
> JAX-RS, Wicket, GWT and perhaps others, though these are what I can
> think of. This checklist would then be added to the Seam QA process
> (which is run through at release time).
>
> We were wondering if you would be able to work with us on this? My
> suggestion is that, as you (I hope ;-) have a good understanding of
> the general approaches that could be used to exploit Seam, you
> would work with us both on an initial list of areas to focus on,
> and then help us develop the checklist.
>
> Let us know :)
>
> Pete


-- 
Marc Schoenefeld / Red Hat Security Response Team