

Friday, July 25, 2008

Jeremiah Grossman: Web Application Security Professionals Survey (July 2008)

Jeremiah Grossman: Results: Web Application Security Professionals Survey (July 2008)

This is an extremely important Survey for Web App Security.

JBoss is secure

We certainly strive to reach that goal.

Think about this: when we sleep at night, most of us lock the doors of our house. Why? We want to feel secure. The same thing happens when we go out of town for a couple of days: we ask our neighbors to watch the house. Many times, burglars simply break a window, get in and take something immediately. When that happens, you fix the window and continue to hope that your house is safe. Even when you install a security system and pay a company a monthly fee, your house is not totally secure. Someone can still break in, grab something quickly and vanish before the authorities show up. What I am driving at is that a totally secure system is a myth. The reasons are plenty: these systems are developed by humans, who are prone to make mistakes and prone to overlook something. But we can certainly try to reach the goal of making a system as secure as possible. A system becomes secure with the help of implementers, testers, users, maintainers, researchers and those who scream "fire, fire"!!! JBoss is no different. We get better as usage and feedback increase.

This week, there was a news article, "Open-source software a security risk, study claims", which generalized that Open Source Software is risky from a security perspective. I will not go into a debate about the merits of this study, or get into an argument over whether closed source products are more secure than open source ones. You can read some of the debate here.

This report has been widely cited in the media. A positive thing about this report is that it gave top marks to JBoss on security, and pulled us down only for not having a separate email address for privately reporting security vulnerabilities. That was really an issue with our HTML editing: we had not posted the address in the places people look.

You can view the following pages to get the security vulnerability reporting information now. I hope everyone is happy: JBoss Security

I have also put the information on my project page here: JBoss Security and Identity Management

Have you found a Security Vulnerability in any of the JBoss Products/Projects?

If yes, then you can email either at (security AT jboss DOT com) or (security AT jboss DOT org) for a private handling of your vulnerability information. You can also use the Red Hat Security page to report the vulnerability here.

At JBoss, we take security very seriously. I try hard to keep up to speed with the latest developments in the security field. I am a member of multiple technical committees at the W3C, Oasis and the JCP. We try to provide the latest cutting-edge technology to users while maintaining high security standards. I interact with security experts in the industry and adopt best practices from those discussions. As an example, I had a breakfast discussion with Johnathan Nightingale, Human Shield, Mozilla Software Foundation. During the discussion Johnathan described how Mozilla adds a test case for every reported vulnerability, so that a regression of that bug is detected in every subsequent release. There I had a perfect best practice to adopt into our process at JBoss. :) Jeremiah Grossman, during his presentation at CSI 2007, told us that he would go to sleep at night (when he was the CSO at Yahoo and an early-20s kid) knowing full well that Yahoo would be hacked overnight from across the world. But he kept trying to beat the hackers. All that experience made Yahoo stronger and launched a platform for his new company, White Hat Security. Security is not easy. Security is not complete. We just have to get better at it. ;)

Howard Schmidt has cautioned against careless use of Open Source Software. I respect Howard, mainly because he is the president of ISSA (where I am a member, and I read his message in the ISSA Journal every month). Howard is also an invited board member at ENISA. He has tons of security experience and is a well-respected visionary. But he has made a general statement about open source software which may not be applicable to every OSS product.

Let's look at how US Federal Agencies are dealing with Open Source Software, using information from the public domain:
1) GSA has placed huge bets on JBoss. Read it here.
2) NSA is using RHEL5 and has provided security guidance here. RHEL is based on Fedora.
3) Bill Vass of Sun Federal says:
Vass, president and chief operating officer at Sun Microsystems Federal Inc., also cited open-source software, a Sun specialty. "More agencies are standardizing on open source," he said. Small-business partners who understand the value of open source in addition to consolidation and virtualization are especially useful in government work, he said.

The march of the Open Source into the Federal Domain continues.

What else are we doing at JBoss to make everyone feel secure?

JBoss is undergoing Common Criteria Evaluation process to give its users the confidence needed that they are using a secure product that has undergone rigorous security evaluation.

I thank everyone for using JBoss. I also thank the author of the study for giving us top marks for being secure (and we have fixed the html pages to showcase an email address to report vulnerabilities).

Looking onward!

If you are unhappy with JBoss Security and would like to devour me for dinner, then you can email me at Anil DOT Saldhana AT redhat DOT com.

Anil is the Chief Bottle Washer for Security at JBoss. He greatly appreciates the gesture from the community here.

Friday, July 18, 2008

JBoss 4.2.3 released

Rajesh from JBossQA has released JBoss 4.2.3.GA.

JBoss Application Server 4.2.3.GA has been released and is available for download at

This is the 3rd bug fixing release of the JBoss Application Server v4.2 series. The aim of this release is to provide fixes for bugs reported by the community against previous JBossAS v4.2.x releases. There were some backwards compatible component upgrades, so switching to AS 4.2.3.GA from a previous 4.2.0/4.2.1/4.2.2 release should not present any problems. Please check out the Detailed Release Notes section for the full details.

A secondary target for this release was to improve support for Java 6. JBossAS 4.2.3.GA can be built with both JDK5 and JDK6. The JDK5 compiled binaries have undergone more rigorous testing, they constitute our certified version and can run under both Java 5 & 6 VMs (with a few configuration changes for JDK6, see the configuration section below). The JDK6 compiled binaries include support for the JDBC 4 APIs, but this should be considered experimental at this point.


This is an important release for the community who have been waiting for bug fixes in the 4.2.x
series. Enjoy!!!!

Tuesday, July 15, 2008

SSNs useful for authentication?

Brett A Scudder (on LinkedIn) referred to the following report on why SSNs are not appropriate for authentication:
Uses of Social Security Numbers in the Private Sector:Why SSNs Are Not Appropriate for Authentication

Multiple banks over the last few years have used SSNs as the user ID for online banking. Some of these are prominent banks. But they have all migrated (or given the user an option to choose a personal username). In my view, phishing attacks will aggravate the dangers if SSNs continue to be used for authentication by those who have adopted them.

Friday, July 11, 2008

Sun's Open Source Directory Server - OpenDS is 1.0.0

Message from Ludo to the opends mailing list.


The OpenDS development team is very pleased to announce the release of OpenDS 1.0.0, the first stable release of the OpenDS project.

OpenDS 1.0.0 delivers a fully compliant LDAPv3 server (*) that passes all of the compliance, interoperability and security test suites. Furthermore, OpenDS 1.0.0 implements most of the standard and experimental LDAP extensions defined in the IETF as RFCs or Internet-Drafts, ensuring maximum interoperability with LDAP client applications.

With a limited footprint allowing the server to be embedded in other Java applications, OpenDS has a very rich set of APIs making it easy to extend and increase usage scope.

OpenDS also supports a multi-master replication model that guarantees the high availability of the data for all operations, searches or updates. While theoretically unlimited with regard to the number of masters, the OpenDS 1.0.0 server has been stressed under heavy and durable load with 4 Masters.

OpenDS 1.0.0 also includes:
- A 6-step graphical installation tool that allows you to have a server configured, up and running in less than 3 minutes.
- A graphical status panel.
- A rich command line tool to perform all online administrative tasks, both interactively and scripted.
- Advanced security and password policies.
- Advanced backup and restore capabilities.
- A DSML gateway servlet.
- A complete user documentation set.

Note that the default settings for the OpenDS server are targeted at the initial evaluator or developer, running on a machine with a limited amount of resources. So it is important to do initial tuning of the Java VM and the OpenDS server to scale.
The first recommendation is to use the latest version of the Java VM (as of today Java 6 update 6, aka 1.6.0_06).
Some recommendations for the Java VM settings have been published on the OpenDS Documentation Wiki. More specifically, in order to have constant performance, tuning the Garbage Collector is needed. We recommend the CMS GC or ParallelGC.
Finally, OpenDS provides better performance when the database files are cached in memory. The initial size for the DB cache is 10% of the heap size and is definitely undersized. A good rule of thumb is to allocate a DB cache size of about half the heap size if the latter is below or equal to 2 GB, and for heap sizes greater than 2 GB to allocate a DB cache size equal to the heap size minus 1 GB.

While we are really happy with the first stable release of the OpenDS LDAP directory server, our roadmap includes many other features, and some ambitious ones:
- Native packages for OpenSolaris and Linux.
- Transactions for LDAP.
- Assured Replication, which is a replication model where a change is assured to be received on at least 2 masters before it gets acknowledged to the client application.
- Access to the log of changes over LDAP in order to provide external synchronization services.
- Basic management GUI for the most common tasks.
- Confidentiality and Encryption negotiation through SASL.
- Improved performance.
For more up to date information about the OpenDS roadmap, please check the OpenDS wiki page for the Roadmap:

For the complete documentation of OpenDS 1.0.0, please go to

Support for OpenDS 1.0.0 will be soon available from Sun Microsystems.

(*) with the exception of a partial support of RFC 4518 - International String Preparation

Many thanks to the whole team behind OpenDS 1.0.0 : developers, quality engineers, technical writers, release engineers, users...


Ludovic Poitou, Sun Microsystems Inc.
OpenDS Community Lead, Directory Services, Grenoble Engineering Center - France

Congratulations to the Sun team and the OpenDS community on this milestone.

Tuesday, July 1, 2008

Key Management - Oasis EKMI and IEEE P1619

InformationWeek has an article titled "Oasis' open Enterprise Key Management Infrastructure initiative promises less-complex encryption. But will vendors get on board?", written by David Brown.
Information security pros do put stock in encryption--it was named the third-most-effective security practice in our most recent Strategic Security Survey, behind only firewalls and antivirus products. However, there have been obstacles along the path to ubiquitous encryption of data, including weak ciphers, deployment and integration issues, and, perhaps most notably, key management.

It is critical that key management is tackled with the utmost importance. PKI and asymmetric encryption are all fun and good, but they rely on symmetric encryption underneath: in a transport layer handshake such as SSL/TLS, the asymmetric operations serve only to agree on a session key, and everything after the handshake is protected with a symmetric cipher under that key. Symmetric encryption is here to stay in the industry.
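The handshake pattern just described, reduced to its essentials, as an added example written for this page (it is not code from the InformationWeek article, the EKMI committee or JBoss): each side generates an ephemeral ECDH key pair, exchanges only the public half, and derives the same symmetric key from the shared secret; the actual payload is then sealed with AES-GCM under that key. Assumptions made here that a real TLS stack does differently: plain SHA-256 over the shared secret stands in for the HKDF/PRF key schedule, the public keys are not authenticated (TLS signs them with a certificate, which is where PKI enters), and the label string is invented for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one side's ephemeral ECDH key pair on P-256. A TLS endpoint
// generates such a pair fresh for every connection.
type Party struct {
	priv *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the only thing that crosses the wire: the public point.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey is the asymmetric step: ECDH against the peer's public key,
// then a hash to turn the shared point into a 256-bit AES key.
// Plain SHA-256 with a fixed label is an example-only simplification of
// the HKDF/PRF that TLS uses for its key schedule.
func (p *Party) SessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("example-session-key")) // hypothetical label
	h.Write(shared)
	return h.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the symmetric step: a random nonce is prepended so Open can find it.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open rejects any ciphertext whose GCM tag does not verify, so a
// single flipped bit in transit is detected rather than decrypted.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	client, _ := NewParty()
	server, _ := NewParty()
	ck, _ := client.SessionKey(server.PublicBytes())
	sk, _ := server.SessionKey(client.PublicBytes())
	fmt.Println("both sides derived the same key:", bytes.Equal(ck, sk))

	msg, _ := Seal(ck, []byte("GET /account HTTP/1.1"))
	pt, err := Open(sk, msg)
	fmt.Printf("server decrypted: %q (err=%v)\n", pt, err)

	msg[len(msg)-1] ^= 1 // tamper with one bit of the tag
	_, err = Open(sk, msg)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Only the short-lived public points are exchanged; the long-lived secret that needs managing is whatever authenticates them, which is exactly the key-management problem the article and EKMI are about.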

It is very easy to do encryption with keys, but managing keys is NOT EASY.

EKMI addresses key management at layer 7, the application layer. If you secure data only at a lower layer, your applications remain exposed to breaches, because breaches can occur at the higher layers.

NOTE: I am a secretary of the EKMI Technical Committee. I would very much have liked to see a little more detail on the EKMI efforts in the InformationWeek article, rather than a bird's eye view.

Related Efforts:
IEEE P1619 is an IEEE effort for encrypting stored data (disk and tape). The IEEE work sits close to the storage layer, whereas EKMI focuses on layer 7. There is also a session on PKI and EKMI by Tomas Gustavsson, Co-Founder, PrimeKey Solutions AB.

JBoss 5.0.0.CR1 out the door

The day is not very far when we will see the GA release of JBoss5. We have reached the first milestone - JBoss 5.0.0.CR1.

JBoss Application Server 5.0.0.CR1 has been released and is available for download from

Detailed Release Notes: