WebApp Sec mailing list archives
Re: [WEB SECURITY] Tomcat Security
From: Ryan Barnett <rcbarnett () gmail com>
Date: Thu, 11 Aug 2005 12:18:41 -0400
There is value in obfuscation, just not at the expense of other security measures. Here is my analogy - Military Tanks. They are obfuscated against identification by color (tan for the desert, etc...) and are made of armour to help protect against enemy fire. No one would be stupid enough to build/use a tank that is camouflaged with the correct color scheme but is made of wood. On the flip side, no one is foolish enough to build a tank with the correct armor and then color it in neon yellow!

Obfuscation has a purpose but only after you have completed other hardening steps (patches, minimize unneeded services, etc...).

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 8/11/05, Nathan Tobik <nathan.tobik () vigilantminds com> wrote:
Are you changing the banner information in Tomcat as part of your security process? There was a discussion on this list a few months ago about the value of changing banners. From what I remember there is almost no security value added by changing a banner. I would work on making sure your application is secure and then it won't matter if an attacker knows you're running Java or not.

Nate Tobik
(412)661-5700 x206
VigilantMinds

<snip>...
One of my unanswered questions is how to change the banner information in Tomcat.

Any info would be greatly appreciated,
Thks,
Andy
</snip>

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/