[seam-dev] Re: Adding a security audit to the Seam QA (release) process

Jay Balunas tech4j at gmail.com
Mon Oct 6 09:31:58 EDT 2008


I am available all day Tuesday so whatever time is fine.

Thanks for your help Marc.

-Jay

On Mon, Oct 6, 2008 at 6:55 AM, Pete Muir <pmuir at redhat.com> wrote:

> Marc,
>
> Sounds great. I'm in the UK, so GMT+1 atm. Christian, will you join us to
> discuss?
>
> Best,
>
>
> On 6 Oct 2008, at 11:13, Marc Schoenefeld wrote:
>
>> Hi Pete,
>>
>> that sounds like a good plan, let's schedule some initial planning for
>> next week, because this week I am quite busy with after-PTO workload
>> and SOA testing. How about next Tuesday? BTW, which timezone are you
>> in, maybe we can start with a phone chat?
>>
>> The first things that come into my mind are JSF view state injection,
>> XSS in all different kinds, remoting misuse, insecure servlet mappings.
>> During this week I will catch up with the current Seam codebase by
>> findbugs-ing through it, and maybe already stumble over the one or
>> other place to start poking into.
>>
>> Cheers
>> Marc
>>
>> Pete Muir wrote:
>>
>>> Hi Marc,
>>>
>>> Something that we've been discussing is the idea of creating a security
>>> audit checklist that will cover Seam and the ways it interacts with
>>> the outside world; initially, we want to focus on JSF, Seam Remoting
>>> (Ajax) and Servlet but we will also consider adding in WS including
>>> JAX-RS, Wicket, GWT and perhaps others, though these are what I can
>>> think of. This checklist would then be added to the Seam QA process
>>> (which is run through at release time).
>>>
>>> We were wondering if you would be able to work with us on this? My
>>> suggestion is that, as you (I hope ;-) have a good understanding of
>>> the general approaches that could be used to exploit a Seam application,
>>> you would be able to work with us both on an initial list of areas to
>>> focus on, and then help us develop the checklist.
>>>
>>> Let us know :)
>>>
>>> Pete
>>>
>>
>>
>> --
>> Marc Schoenefeld / Red Hat Security Response Team
>>
>>
> _______________________________________________
> seam-dev mailing list
> seam-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
>



-- 
blog: http://in.relation.to/Bloggers/Jay

