Wednesday Dec 10, 2008

mod_privileges for Apache HTTPD

Special thanks to Matt Ingenthron for pointing out that mod_privileges has been integrated back in the Apache trunk (manual) recently. For more information check out NIQ's Soapbox posting on the subject.

Looks like I will have to find a new target (I am looking at you, MySQL!) for my BluePrints. I have used the Apache with SMF privileges example in a few publications, including Limiting Service Privileges in the Solaris 10 Operating System (2005) and Privilege Debugging in the Solaris 10 Operating System (2006). The content of these papers is still relevant in the general sense, but with the introduction of mod_security, some of this content will no longer be as useful for Apache. That said, lots of other services can and do benefit from the techniques described.

If you ever find yourself wanting to do something similar - converting your services to be privilege aware on Solaris 10 - check out the Sun BluePrints article Privilege Bracketing in the Solaris 10 Operating System (2006). Also, check out the OpenSolaris Security Community project on Privilege Debugging, as it can help you find out what privileges your programs and services actually need.
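As an added illustration of the SMF approach referred to above (this fragment is constructed for this post and is not taken from the BluePrints or from the Apache project), here is what an SMF manifest start method looks like when the service is launched with a restricted privilege set. The user, group and privilege list are assumptions chosen for a web server that only needs to bind a privileged port; the exact set for a given deployment is what the privilege debugging tools are for.

```xml
<!-- Constructed example: start method for an Apache instance under SMF.
     The daemon is started as an unprivileged user/group and with the
     "basic" set trimmed down, plus net_privaddr so it can bind port 80. -->
<exec_method type='method' name='start'
             exec='/lib/svc/method/http-apache2 start'
             timeout_seconds='60'>
  <method_context>
    <!-- Assumed values: webservd user/group exist on the host.
         basic            : the normal unprivileged set
         !proc_session    : no signalling/inspecting other sessions
         !proc_info       : no examining other processes
         !file_link_any   : no hard-linking files owned by others
         net_privaddr     : allowed to bind ports below 1024 -->
    <method_credential user='webservd' group='webservd'
        privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'/>
  </method_context>
</exec_method>
```

Once the service is started this way, the effective set of the running httpd processes can be confirmed with ppriv(1) and tightened further if the debugging output shows privileges that are never used.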

Until next time!


Thursday Aug 07, 2008

So what's new?

Previously, I promised to do an update since it had been such a long time between postings. Well, wait no longer. Honestly, the last six months or so were fairly light on security work for me. I have continued to work with customers around the world helping them to apply Sun and partner technologies to their business challenges, but my team has continued to deliver on the Sun Systemic Security vision and we have recently started exploring adaptive security architectures. In fact, Joel was published and featured on the cover of the ISSA Journal for his article titled Adaptive Security and Security Architecture (an abridged version was also posted here). You can follow us on this journey at

So if not security, what have I been up to?

Before answering, when you hear the words "High Performance Computing" or HPC, what is the first picture that pops into your head? Does your mind drift immediately towards the hallowed halls of government and research laboratories? Do you think of Top 500 lists or of supercomputers named Ranger? Do you think about exploring the mysteries of weather patterns, "seeing" back into space and time or even keeping tabs on the behaviors of sub-atomic particles? If so, you are not alone, but that is certainly not all there is to HPC.

Today, there is no shortage of computing problems being tackled using high performance computers, interconnects, storage and data visualization, but we need to widen our views, remove our blinders, and begin to see HPC as it exists everywhere:

  • structural analysis, computational fluid dynamics, crash and safety simulations
  • fraud analysis and detection, anti-money laundering, credit derivatives pricing and hedging
  • reservoir simulation and visualization, seismic processing
  • media rendering and transcoding
  • DNA sequencing, molecular modeling and bio-simulation

Customers employing these processes share common traits. They are all trying to drive better business results, more quickly and efficiently. They have huge data volumes and often short windows in which to derive actionable results. They are trying to reduce their time to market, speed up their ability to make key business decisions and thereby maximize their value to their customers and shareholders. Customers such as these are using IT as a strategic weapon.

Sounds cool, right? I thought so! For the last six months or so, I have taken on an additional role of leading a global, virtual team across our Global Systems Engineering organization to focus on these "non-traditional" or "commercial" HPC environments. What is truly fascinating is that this is all just the tip of the iceberg. Wired Magazine noted recently that "The quest for knowledge used to begin with grand theories. Now it begins with massive amounts of data." While perhaps an oversimplification, the idea is dead on. We have collected massive amounts of data and more is collected every day. Just as often, new ways are being developed to analyze this data. This is where HPC meets main street. Problems with HPC-like characteristics are all around us, and only recently have we been given the (commodity) processing power, storage capacity and network bandwidth to employ HPC-like solutions more broadly: from government to industry, from large corporations to small startups, from the data center to the home.

It has been a very cool ride and collectively the GSE HPC Tiger Team (as it is known) delivered remarkable results including millions of dollars in wins, training and education for thousands of people, and the capture of key requirements, use cases and design patterns. With this group solidly running on all cylinders, it is time for me to turn my focus back to security (although HPC will never be rid of me!). In the coming months, you will hear more about our work on adaptive security including some really interesting practical applications you can start trying today. Is that enough of a teaser?

Until next time, take care!


Wednesday Aug 06, 2008

2008 SIA Award: Sun Systemic Security

I was a little hesitant to write about this as I did not want it to come across as self-promotion, but in the end I felt that it was important for me to say something on behalf of my team. In July 2008, my team and I were awarded with one of the highest honors that Sun can bestow on its technical professionals - the Sun Innovation Award (formerly known as the Chairman's Award for Innovation) for our contributions to the Sun Systemic Security framework. Collectively, these achievements enabled Sun to improve its products to better comply with our customers' security policies and requirements, develop new architectures and best practices that solve key customer security challenges, and position Sun as an architectural and security thought leader across industry and government.

For those unfamiliar with this award, here is a brief summary:

Sun's Innovation Award recognizes those individuals and teams who have made a significant contribution to Sun through innovation. Innovation is a starting point for the Sun Strategy and is key to helping differentiate Sun and attract communities to Sun. Product, process, and project innovations have increased Sun's ability to grow, make money, build our communities, enlist champions, and accelerate our business. The purpose is to reinforce and recognize exceptional performance related to a key pillar of Sun's strategy and one of our key values: Innovation.
The award ceremony was held on July 16, 2008 at the Sun Leadership Conference in San Jose, CA. The award was presented to the team by both Greg Papadopoulos and Jonathan Schwartz.

Pictured (left to right): Greg Papadopoulos, Rafat Alvi, Bart Blanquart, Glenn Brunette, Joel Weise, and Jonathan Schwartz

I would like to publicly congratulate my team on winning this award and thank them for all of their hard work, focus, and dedication. Through all of the ups and downs, you never failed to deliver innovative and highly impactful work that has helped customers and partners around the world and teams across this fine company. I could not be more proud of you all. This is a team award and it belongs to each and every one of you, and while we have been able to accomplish quite a lot, I have no doubt there are greater things yet to come. Thank you! Now get back to work! :-)

On behalf of the team, I think that it is important to thank both Jim Baty and Hal Stern for their coaching, leadership, and unwavering support over the years. They have helped to build and sustain an environment where we all can be challenged, where innovation can flourish, and where we can make a difference for Sun and our customers. You have both been invaluable to our success - thank you!

Tuesday Oct 09, 2007

Sun SPARC Enterprise T5x20s: A Security Geek's Point of View

What an exciting day! Today, Sun officially launched the Sun SPARC Enterprise T5120 and T5220 rack-mount systems along with the Sun Blade T6320 blade server, the first to be designed for the UltraSPARC T2 processor. From the point of view of a security geek, there is a lot to be happy about. The UltraSPARC T2 has support for eight (8) cryptographic processing units, each of which supports ten (10) different cryptographic algorithms and a hardware-based random number generator. Lawrence has done a fantastic job of talking about these capabilities and their performance, if you are interested. It is simply mind blowing.

So, what else is new? Well, we now have actual servers that can leverage the computing power of these chips. This means that companies can now begin to rethink how they have deployed cryptography in their environments. In particular, it is now much more practical to deploy cryptographic services more widely across an enterprise environment due to the performance gains achieved by offloading the work to the cryptographic processing units. For example, why not ensure that all of your internal web, directory and mail services are fitted for encryption? (Hint: you should be doing this already, but now you can do it without sacrificing the performance of your CPUs!) Net-net: strong security + excellent performance + eco-friendly is a win-win for everyone.

In addition to enabling the wider use of cryptographic services, I would also encourage any organization to consider how the performance and power benefits of these systems can be applied to their existing environments and workloads. In particular, when used in concert with Sun's Logical Domains (LDoms) technology, organizations can get the benefits of performance, virtualization and security together in one system. Did I mention that today we are also announcing version 1.0.1 of our LDoms technology? Honglin has all the details. Of particular interest to us security geeks is the support for minimized and hardened logical domains! Combine that with the security isolation capabilities of the LDoms hypervisor, a boat-load of crypto performance, and a rock-solid, secure, and scalable operating system - you just can't go wrong.

Talk about "zero cost security"! Taken as a whole, you get all of the performance (did I mention the 64 threads?), power and virtualization benefits with security just baked into the design! What's not to like? At least from where this security geek is standing, the view is simply unbeatable. See it all for yourself!


Saturday Feb 11, 2006

Sun shines at the RSA Security Conference

From the press release. For more information on Sun Systemic Security, check out this posting. If you are going to be attending, be sure to check out the Sun booth and look me up! I will be in and around the conference Monday through Thursday and will be at the customer luncheon (Tuesday), if you would like to chat a bit.

MENLO PARK, Calif. -- Feb. 8, 2006 -- Sun Microsystems, Inc. (NASDAQ: SUNW) executive Scott McNealy, chairman and CEO, will deliver a keynote presentation on Feb. 14 at the RSA Conference. At the RSA Conference in San Jose, Calif., Scott McNealy's keynote presentation will address the need for a systemic security approach to both protect and enable opportunities the network provides.

Scott McNealy's keynote presentation, "Tear Down the Walls -- Embrace Risk and Opportunity Through Security", will take place Tuesday, Feb. 14 at 9:50 a.m. Pacific. The RSA Conference is being held at the McEnery Convention Center in San Jose, Calif. from Feb. 13-17. Information about the conference can be found at

Additional Sun Activity at RSA Conference

Sun will host a customer luncheon with security experts Whitfield Diffie and Radia Perlman. Held on Tuesday, Feb. 14, the lunch will provide an opportunity to learn more about Sun's systemic approach to security. For more information and to register for the luncheon, please visit

In the Sun booth, number 515, visitors can view demonstrations and discuss Sun's integrated technology solutions. In addition to McNealy's keynote, several Sun executives will be participating in presentations and panels at the RSA Conference, lending expertise on topics such as identity management, cryptography, data management and cross platform security. Additional Sun presentations at RSA Conference include:

Tuesday, February 14

  • 10:35 a.m. Pacific -- Whitfield Diffie, chief security officer: The Cryptographers Panel
  • 11:45 a.m. Pacific -- James Hughes, Sun fellow: Storage Security -- Use of Encryption to Protect Data at Rest
  • 2:00 p.m. Pacific -- Yvonne Wilson, architect: Implementing Federated Identity: What Products Do You Need?
  • 3:25 p.m. Pacific -- Rafat Alvi, senior architect, CTO Office: Trusted SOA: An End-to-End Trustworthy Services-Oriented Architecture
  • 4:30 p.m. Pacific -- Rags Srinivasan, CTO, Technology Evangelism: Secure Cross-Talk Between Java and .NET Platforms Using WS-Security

Thursday, February 16

  • 2:00 p.m. Pacific -- Michelle Dennedy, chief privacy officer: The Policy of Identity: Privacy Rules
  • 2:00 p.m. Pacific -- Nancy Hurley, director, Data Management Group Software: Integration of Data Management ILM Systems
  • 3:25 p.m. Pacific -- Radia Perlman, distinguished engineer: The Information Protection Wars

Friday, February 17

  • 11:10 a.m. Pacific -- Hanumatha Neti, director, IT Security, and Danny Smith, IT security specialist: Security Metrics -- How Six Sigma is Helping Security in Large Enterprises


This area of cyberspace is dedicated to the goal of raising cybersecurity awareness. This blog will discuss cybersecurity risks, trends, news and best practices with a focus on improving mission assurance.