[seam-dev] Re: Adding a security audit to the Seam QA (release) process

Pete Muir pmuir at redhat.com
Mon Oct 6 06:55:18 EDT 2008


Marc,

Sounds great. I'm in the UK, so GMT+1 atm. Christian, will you join us
to discuss?

Best,

On 6 Oct 2008, at 11:13, Marc Schoenefeld wrote:

> Hi Pete,
>
> that sounds like a good plan, let's schedule some initial planning for
> next week, because this week I am quite busy with after-PTO workload
> and SOA testing. How about next Tuesday? BTW, which time zone are you
> in? Maybe we can start with a phone chat?
>
> The first things that come into my mind are JSF view state injection,
> XSS of all different kinds, remoting misuse, and insecure servlet
> mappings.
> During this week I will catch up with the current Seam codebase by
> findbugs-ing through it, and maybe already stumble over one or the
> other place to start poking into.
>
> Cheers
> Marc
>
> Pete Muir wrote:
>> Hi Marc,
>>
>> Something that we've been discussing is the idea of creating a security
>> audit checklist that will cover Seam and the ways it interacts with
>> the outside world; initially, we want to focus on JSF, Seam Remoting
>> (Ajax) and Servlet, but we will also consider adding in WS including
>> JAX-RS, Wicket, GWT and perhaps others, though these are what I can
>> think of. This checklist would then be added to the Seam QA process
>> (which is run through at release time).
>>
>> We were wondering if you would be able to work with us on this? My
>> suggestion is that, as you (I hope ;-) have a good understanding of
>> the general approaches that could be used to exploit a Seam
>> application, you would work with us both on an initial list of areas
>> to focus on, and then help us develop the checklist.
>>
>> Let us know :)
>>
>> Pete
>
>
> -- 
> Marc Schoenefeld / Red Hat Security Response Team
>
