WebApp Sec mailing list archives

Re: [WEB SECURITY] Tomcat Security


From: Ryan Barnett <rcbarnett () gmail com>
Date: Thu, 11 Aug 2005 12:18:41 -0400

There is value in obfuscation, just not at the expense of other
security measures.

Here is my analogy - Military Tanks.  

They are obfuscated against identification by color (tan for the
desert, etc...) and are made of armour to help protect against enemy
fire.  No one would be stupid enough to build/use a tank that is
camouflaged with the correct color scheme but is made of wood.  On the
flip side, no one is foolish enough to build a tank with the correct
armor and then color it in neon yellow!

Obfuscation has a purpose but only after you have completed other
hardening steps (patches, minimize unneeded services, etc...).

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 8/11/05, Nathan Tobik <nathan.tobik () vigilantminds com> wrote:
Are you changing the banner information in Tomcat as part of your
security process?  There was a discussion on this list a few months ago
about the value of changing banners.  From what I remember there is
almost no security value added by changing a banner.  I would work on
making sure your application is secure and then it won't matter if an
attacker knows you're running Java or not.

Nate Tobik
(412)661-5700 x206
VigilantMinds

<snip>...

One of my unanswered questions is how to change the banner information
in Tomcat.
Any info would be greatly appreciated,

Thks,

Andy

</snip>



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



