Thursday Oct 16, 2008

Security Awareness Requirement for Web Application Developers

“Secure web application development has become imperative due to the new PCI-DSS mandate. Companies who choose to adopt the form of training offered by SCIPP will benefit from a trustworthy yet cost-effective security awareness program.”

~Howard A. Schmidt, former CISO for Microsoft and ebay, SCIPP Advisory Board Member

A free webinar on "Security Awareness Requirement for Web Application Developers"

WHEN: Wednesday, October 22, 2008

TIME: 1:30pm - 2:00pm EST

TOPIC: "PCI-DSS ALERT: Complying with the NEW Mandatory Security Awareness Requirement for Web Application Developers"

PRESENTER: Dow Williamson, CISSP, Executive Director.

CHANNEL: IT Certification and Training


How Important is Security?

Estimates Put T.J. Maxx Security Fiasco At $4.5 Billion

The security breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion, according to the calculations of a database security company.

NY Bank ‘loses’ 4.5M unencrypted customer records
In yet another unbelievable story of data irresponsibility, the Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals. Third-party vendors misplaced the tapes during transport to off-site locations. According to the bank, the tapes "included shareowner and plan participant account information, such as name, mailing address, social security number, and transaction activity."

Save the date: attend the webinar on the 10th of October 2008 @ 1:30 PM EST.

Sunday Oct 12, 2008

XACML - Declarative Access Control

Web applications need access control. I'm not gonna justify that fact. All web applications let you restrict access to the resources that reside on them simply by modifying the deployment descriptor (web.xml). This method is called declarative security or declarative access control. But does this really suffice?

Well, say hello to XACML. XACML stands for eXtensible Access Control Markup Language.

It is a declarative access control policy language implemented in XML and a processing model, describing how to interpret the policies.

If you had followed what Daniel Raskins said a long time ago about supporting XACML, well, here it is: OpenSSO now has XACML support.
Support for XACML allows our customers to share access control policies across corporate boundaries and offers more dynamic standards-based tools for creating federated mashups. As a result, our customers can continue to expand their business reach while using open-standards to enforce security decisions and minimize security risk.

The OpenSSO codebase also has a XACML client sample which you could download, compile and run in a few clicks.

Please note: this is NOT sunxacml. sunxacml is an implementation of the XACML 2.0 specification from Sun Labs; it does not support the SAML 2.0 profile of XACML 2.0 and is not part of OpenSSO.

OpenSSO XACML implements the SAML 2.0 profile of XACML 2.0, supporting XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement. The PEP makes an XACML 2.0/SAML 2.0/SOAP request to the PDP and gets a response. The OpenSSO XACML client sample is a remote client library that an application can use to make XACML calls to the PDP.

The returned XACMLAuthzDecisionStatement carries the XACML Response, Result, Decision and so forth. The OpenSSO XACML implementation leverages the SAML 2.0 capability of OpenSSO to manage the SAML2 metadata of the PDP and PEP and to exchange SAML messages.
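To make the "policy language plus processing model" idea concrete, here is an added example (my own toy, not OpenSSO, sunxacml or any other project's code) of a minimal policy decision point in Python: it parses a Policy written in XACML 2.0 syntax and evaluates a request under the deny-overrides rule-combining algorithm. The policy itself, its PolicyId and RuleIds, and the AttributeIds under urn:example are constructed for the demo; the resource-id and action-id AttributeIds, the string-equal function and the deny-overrides algorithm are XACML's own identifiers. It supports only string-equal matches and no Condition elements, and it leaves out the SAML 2.0/SOAP transport the OpenSSO PEP/PDP exchange wraps around this.

```python
"""Toy XACML 2.0 policy decision point (PDP), constructed for illustration.
Parses a Policy and evaluates a request under deny-overrides. Only
string-equal matches are supported; Condition elements are not."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Attribute identifiers under urn:example are made up for this demo.
ROLE, STATUS = "urn:example:role", "urn:example:account-status"

# Constructed sample policy: a Deny rule for suspended accounts and a Permit
# rule letting faculty read one grade book. deny-overrides makes Deny win.
POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="urn:example:policy:grades" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-suspended-accounts" Effect="Deny">
    <Target><Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">suspended</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{STATUS}" DataType="{XS_STRING}"/>
    </SubjectMatch></Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="faculty-may-read-grades" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">faculty</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">/grades/film327</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
</Policy>"""

# (plural element, member element, match element, designator element, request key)
CATEGORIES = [
    ("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator", "subject"),
    ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator", "resource"),
    ("Actions", "Action", "ActionMatch", "ActionAttributeDesignator", "action"),
]


def _match(match_el, designator_tag, attrs):
    """One <...Match>: true when the request attribute named by the
    designator equals the literal AttributeValue."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match_el.get("MatchId"))
    literal = match_el.find(NS + "AttributeValue").text
    attr_id = match_el.find(NS + designator_tag).get("AttributeId")
    return attrs.get(attr_id) == literal


def target_matches(target, request):
    """A missing or empty Target matches everything. Otherwise every category
    present must match; a category matches if any member matches, and a
    member matches only if all of its Match elements do."""
    if target is None:
        return True
    for plural, member, match_tag, designator_tag, key in CATEGORIES:
        category = target.find(NS + plural)
        if category is None:
            continue
        attrs = request.get(key, {})
        if not any(all(_match(m, designator_tag, attrs) for m in mem.findall(NS + match_tag))
                   for mem in category.findall(NS + member)):
            return False
    return True


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' for a request of the form
    {'subject': {...}, 'resource': {...}, 'action': {...}}."""
    root = ET.fromstring(policy_xml)
    if root.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(root.get("RuleCombiningAlgId"))
    if not target_matches(root.find(NS + "Target"), request):
        return "NotApplicable"
    effects = {rule.get("Effect") for rule in root.findall(NS + "Rule")
               if target_matches(rule.find(NS + "Target"), request)}
    if "Deny" in effects:  # deny-overrides: one applicable Deny rule wins
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def make_request(role, status, resource="/grades/film327", action="read"):
    """Build the request context the way a PEP would, from what it knows."""
    return {"subject": {ROLE: role, STATUS: status},
            "resource": {RESOURCE_ID: resource},
            "action": {ACTION_ID: action}}
```

The point worth noticing for a PEP author is the third outcome: a request that matches no rule comes back NotApplicable rather than Deny, so the enforcement point must treat anything other than Permit as a refusal.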

Here's a simple 5 step guide to running the XACML client and testing it with OpenSSO.

  • get the, extract and get the under samples directory

  • extract the, and goto "sdk" subdirectory

  • follow the README file to setup the samples

  • follow the instruction in scripts/ to setup the XACML.

I hope this post has been helpful. Cheers, and enjoy building applications that use XACML!! Interoperability rocks!!

Saturday Oct 11, 2008

What is Identity Management?

Explore how Sun can help you manage, audit, protect, share, and store identity data.


Thursday Jan 17, 2008

infocard: An Expensive Affair

This "late-night graveyard-shift" infocard project of mine is working out to be an expensive affair for me, in $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and IE7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. Well, there was no way for me to carry all my desktops around when I travel. So came VMware to the rescue. My VMware Workstation cost US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!! I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And I hope & pray that this pays off in the long run. Now I have an "infocard"-ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks (with my new set of ammunition), I should be able to blog more on my discoveries... So stay tuned...

Identity Nightmares

REMINDER : Here's a good example of how identity theft can give you nightmares.
In the early 1990's, someone ran amok, using Mr. Lorenzo's identity. It was used to rack up tens of thousands of dollars in fraudulent credit card debt. It was given to the police after various traffic violations. And a man even used the name Raymond Lorenzo when he was arrested and indicted in 1991 in Suffolk County, N.Y., for, among other things, burglary, forgery and criminal possession of a weapon.
PS: Identity Management needs to be given importance. More importance than anything else.

Enterprise Identity - my 2.0 cents

After James McGovern kicked off the discussion around Identity Federation, Pat's response was quite detailed. Johannes Ernst, Shekar Jha, Tom Gordon, Radovan Semančík & Mark Dixon and a lot more chimed in with their perspectives, and I thought that my 2.0 cents on the subject were worth posting.
Identity Bloggers pretend that notions such as Sarbanes Oxley don't exist (or at least never mention them).
Well, I believe that all bloggers who speak on identity management are very well aware of SOX and its likes. Why, in this day and age, do we believe that compliance is not critical? I think that it would be foolish to believe that identity bloggers ignore SOX.
SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?
I'd like to reiterate Pat's comment once again here: You use the appropriate tool for the job. Where there is a tried and true approach, then use it. What more could I add to it??
Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML?
There was a time period where the entire industry was thinking in terms of consolidating the disparate authentication systems into one huge repository for authentication data. Well, it was not an easy task. Consolidation has its own pros and cons. I guess I'm missing out on something here. Consolidation between user identities that are owned by 2 separate organizations?? Ain't federation the topic of discussion here? OR is James referring to a "passport" structure?
If you want corporations to embrace the notion of federated identity, wouldn't it require more than simple "look at me" interoperability demos and for all the vendors in this space to create some publicly available notion of "reference architecture" above and beyond what exists in Project Liberty?
I believe that there was more than just a "look at me" kind of a demo done by Gartner sometime ago. But hey! I believe that this would be a great opportunity for me to utilize my resources and contacts to put together a real live network of federated systems that use various disparate systems like sxip, netmesh, shibboleth, Sun Federation Manager and throw a live federated infrastructure out there.
How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.
I'm surprised that James mentioned MS and forgot all about JavaCards. Mary has one too ;-)
How come pretty much all of the identity bloggers don't support trackback in their blogs? Is it because they haven't yet figured out how to protect their own identity or that of others?
C'mon James, you didn't need Pat to tell you about trackback spam. Guess we all have a long way to go. But hey!! Here's a thought. While we all think in terms of authenticating user identities, we forget that authenticating devices (device identities) is as critical as user identities. IP addresses and MAC addresses can be spoofed easily. But by embedding a unique security key in a device (something that cannot be spoofed) we could embark on authenticating and authorizing a device prior to letting the device on any network. I liked it when, in the good old days, an IP address was granted to a device AFTER the fact that authN was successful. In today's world, regardless of authentication, a device is granted an IP and is placed onto a network. Well, we've made the life of an unauthorized person a lot easier by letting him in. If we could authenticate and authorize devices prior to granting IP addresses or placing devices on a trusted subnet by using some form of secure key identifier, we'd be closer to being in a more secure environment. I have done some work on this front; but poor me, I'm not a sales guy and am having a hard time selling the thought. Maybe someday.

OpenSSO - where are we headed ?

With this announcement, the Sun Java Access Manager (version 7.0) and its product updates & enhancements would soon be available as part of the openSSO project. I am all excited and thrilled about this move even though several folks think otherwise. With the freely available source code, one could not only gain an in-depth understanding of the workflow and logistics that power Sun products, but also gain an edge over other developers who have been trying hard to develop their own single sign-on products, JOSSO being one of them.
The Open Web SSO project provides core identity services to facilitate the implementation of transparent single sign on as an infrastructure security component. Targeted towards the web tier, this project provides the foundation for achieving seamless integration of diverse web applications that typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers. This project is based on the code base of Sun Java(tm) System Access Manager product, a core identity infrastructure product offered by Sun Microsystems. The intended audience for this project are intermediate to advanced skill level developers and IT managers who want to use this project to achieve intranet and/or extranet single sign on for their hosted web applications.
I further see and emphasise that openSSO and JOSSO would complement each other extensively. JOSSO uses JBoss as its core container, whereas openSSO uses Sun Application Server (which is also on its way to being open-sourced) as its core.
The goal of Open Web SSO project is to provide an extensible implementation of identity services infrastructure that will facilitate single sign on for web applications hosted on web and application servers. This implementation will offer the following core identity services:
  • Authentication
  • Session
  • Logging
Apart from the above mentioned services, the Open Web SSO project will also provide a platform for creating and integrating custom services where necessary.
Here's an opportunity for all those developers out there to maximize on the opportunity!! So GO FOR IT. & all those startups who plan to develop SSO & Access Management / Security products, here's your chance to INNOVATE. My take is that you could start off from THIS codebase rather than from scratch. You could INNOVATE further rather than REPLICATE. After all, it's all about INNOVATION. UPDATED: (on the same subject) Earl Perkins, an analyst with market research company Gartner, was quoted saying:
Today's identity and access management market is dominated by Computer Associates' Netegrity SiteMinder and RSA Security's ClearTrust. Other strong players' products include IBM's Tivoli Access Manager, Oracle's Oblix COREid, Entrust's GetAccess, Novell's iChain and Bull Evidian's Secure Access Manager. Large vendors have been scrambling over each other to buy up identity management technologies, with RSA and Entrust the only two players still standing while CA and others have gobbled up their peers. Open sourcing its ID and access management software is a clever move by Sun since it comes at a time when the technologies are beginning to become commoditised.

Tuesday Jan 15, 2008

Federated Security: The Shibboleth Approach

The open-source Shibboleth System extends Web-based applications and identity management for secure access to resources among multiple organizations

The Shibboleth System includes two major software components: the Shibboleth Identity Provider (IdP) and the Shibboleth Service Provider (SP). These two components are deployed separately but work together to provide secure access to Web-based resources. A step-by-step description of the Shibboleth sign-on process follows. While the details may vary based on deployment choices, the steps below are typical. The players include the user, who wants to use a protected Web resource; the resource provider Web site, which has installed the Shibboleth SP software; and the user's home organization, which has installed the Shibboleth IdP software.

  • The user navigates to the Web resource using her browser. The resource site is protected, hence requires information about the user in order to decide whether access is permitted.
  • The Shibboleth SP software redirects the browser to a "navigation" page (called a WAYF, for "where are you from"), which presents the user with a list of the organizations whose users may access the resource.
  • The user selects her home organization, and the browser is sent to the home organization's Web site running the Shibboleth IdP software. This site uses a Web sign-on method chosen by the home organization. The user now sees the familiar login Web page of her home organization, enters her username and password, and selects the Login button.
  • The Shibboleth IdP software sends the browser back to the original resource site and includes in the message some security information called an "assertion" that proves the user signed on. The Shibboleth SP software on the resource site validates the assertion and then requests additional information (attributes, such as "faculty" or "student in Film327") about the user by making a request to the home organization's Shibboleth IdP service.
  • The Shibboleth SP receives the user's attributes from the home organization's IdP and passes them along to the resource provider's Web application. The application uses those attributes and its access policy to decide whether the user's access is permitted or denied, displaying the appropriate page to the user's browser.
Often, many of these steps can be skipped. The WAYF can set a cookie in the user's browser so that the user doesn't see that page the next time through. If the home organization's Web authentication service uses single sign-on and the user already has a session with it, the login page won't be seen. In many cases the user can get access to the resource without seeing any intermediate Web pages at all. The process above resembles other Web sign-on schemes. In the rest of this section we present the features that distinguish the Shibboleth System.
Please Read the Complete Publication at
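The sign-on sequence described above, as an added simulation in Python that is my own illustration and not Shibboleth, SAML or Internet2 code: the IdP authenticates the user and issues a signed assertion carrying an opaque handle instead of the username, the SP validates the assertion (issuer, signature, audience, validity window), queries the IdP for attributes, and the application applies its own access policy to what comes back. HMAC-SHA256 over canonical JSON stands in for the XML signature on a real SAML assertion, a shared key stands in for the signing key the IdP publishes in its metadata, and the WAYF step is left out; the entity IDs, users, attributes and key are constructed.

```python
"""Simulated Shibboleth-style sign-on, constructed for illustration.
HMAC over canonical JSON replaces XML signatures; dicts replace SAML XML."""
import hashlib, hmac, json, secrets, time


def _sign(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """The user's home organization (the Shibboleth IdP side)."""

    def __init__(self, entity_id, signing_key, users):
        self.entity_id, self.key, self.users = entity_id, signing_key, users
        self.handles = {}  # opaque handle -> username; the assertion never carries the username

    def login(self, username, password, sp_entity_id, now=None):
        """Return a signed assertion on success, None on a bad credential."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None
        now = time.time() if now is None else now
        handle = secrets.token_hex(8)
        self.handles[handle] = username
        assertion = {"issuer": self.entity_id, "audience": sp_entity_id,
                     "subject": handle, "issued": now, "expires": now + 300}
        assertion["signature"] = _sign(self.key, assertion)
        return assertion

    def attribute_query(self, handle, requested):
        """Attribute release: only attributes that were asked for and exist."""
        username = self.handles.get(handle)
        if username is None:
            return {}
        attrs = self.users[username]["attributes"]
        return {name: attrs[name] for name in requested if name in attrs}


class ServiceProvider:
    """The resource site; trusted_idps maps issuer entity IDs to signing keys."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id, self.trusted_idps = entity_id, trusted_idps

    def validate(self, assertion, now=None):
        """Return the subject handle if the assertion is acceptable, else None:
        the issuer must be known, the signature valid, the audience ours, and
        the current time inside the validity window."""
        key = self.trusted_idps.get(assertion.get("issuer"))
        if key is None:
            return None
        unsigned = {k: v for k, v in assertion.items() if k != "signature"}
        if not hmac.compare_digest(assertion.get("signature", ""), _sign(key, unsigned)):
            return None
        if assertion["audience"] != self.entity_id:
            return None
        now = time.time() if now is None else now
        if not assertion["issued"] <= now < assertion["expires"]:
            return None
        return assertion["subject"]


def access_decision(attributes, policy):
    """Application policy: every required attribute must hold an allowed value."""
    return all(attributes.get(name) in allowed for name, allowed in policy.items())


def sign_on(idp, sp, username, password, policy, requested, now=None):
    """Run the whole exchange; returns ('permitted'|'denied', released attributes)."""
    assertion = idp.login(username, password, sp.entity_id, now)
    if assertion is None:
        return "denied", {}
    handle = sp.validate(assertion, now)
    if handle is None:
        return "denied", {}
    attrs = idp.attribute_query(handle, requested)
    return ("permitted" if access_decision(attrs, policy) else "denied"), attrs


# Constructed sample deployment (entity IDs, users and key are made up).
IDP_KEY = b"constructed-idp-signing-key"
USERS = {"alice": {"password": "correct horse",
                   "attributes": {"affiliation": "faculty", "course": "Film327"}},
         "bob": {"password": "battery staple",
                 "attributes": {"affiliation": "student", "course": "Film327"}}}
IDP = IdentityProvider("https://idp.example.edu", IDP_KEY, USERS)
SP = ServiceProvider("https://sp.example.org", {"https://idp.example.edu": IDP_KEY})
POLICY = {"affiliation": {"faculty"}}  # only faculty may open the grade book
REQUESTED = ["affiliation", "course"]
```

Two details carry over to real deployments: the SP never sees the user's password or even the username, only a handle plus the attributes the IdP chose to release, and the SP's checks are what stop an assertion minted for a different site, or replayed after expiry, from being accepted.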

In the beginning there were GROUPS... and along came ROLES

I guess the one question I am continually posed whenever I interact with folks involved in Identity Management is the usage of groups vs roles and the best practices for choosing one or the other. Well, hopefully the folks who keep searching for answers on this stumble on this blog and don't ask me this over and over...

So, the explanation: Once upon a time, GROUPS were a convenient way to aggregate users. GROUPS were used to simplify the process of managing access permissions and generic attributes for a subset of users. To make management simpler, a GROUP could be made a subset of another GROUP and thus inherit permissions etc. from its parent. The ability to make one GROUP a subset of another facilitated a hierarchical structure. A GROUP is a simple aggregate.

and then.. along came ROLES.

So: A ROLE is a special type of GROUP. The properties of ROLES and GROUPS are extremely similar. But where GROUPS are used for OBJECT permissions, ROLES are used for APPLICATION permissions. ROLES provide a semantic grouping of policies/permissions with a common subject which pertains to the user's role (noun): capacity, function, position, duty in an organization. A ROLE can enable one to associate policies with an automated component (i.e. an application). A ROLE is thus a SPECIAL GROUP where all the policies/permissions have the same subject.

Roles can further be categorized as FLAT ROLES, DYNAMIC ROLES etc. Flat ROLES are exactly the same as GROUPS in usage and behaviour.

Someday soon, when I get a moment to spare a thought again, I shall try to blog on ROLES and their flavors in more detail. Cheers for now.

Saturday Nov 04, 2006

XAMPP - LAMP in a box

With the infocard buzz going around, and the possible open-sourcing of its components and code that enable users to easily deploy infocard, I thought that it would be nice if there could be more folks from the community who could actually try it out from a "deployment" perspective rather than from a "user's" to better understand how the whole thing works. But unlike me, not everybody has access to servers and other necessary resources to deploy such a solution. I thought of making it easier for those who do not have servers but just a desktop and/or a laptop to install a webserver (i.e. Apache), PHP, Perl, sendmail, MySQL DB, an FTP server (i.e. FileZilla), a mail server (i.e. Mercury Mail), WebDAV, a MySQL DB administrator (i.e. phpMyAdmin), a weblog analyzer (i.e. Webalizer), OpenSSL, etc. at the click of a button. No, no, I didn't develop anything new, but am pointing you to something that exists out there that would enable you to do ALL OF THE ABOVE. Introducing: XAMPP from Apache Friends.
The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on. The default configuration is not good from a security point of view and it's not secure enough for a production environment: please don't use XAMPP in such an environment. Since LAMPP 0.9.5 you can make your XAMPP installation secure by calling »/opt/lampp/lampp security«.

XAMPP for Linux: The distribution for Linux systems (tested for SuSE, RedHat, Mandrake and Debian) contains: Apache, MySQL, PHP & PEAR, Perl, ProFTPD, phpMyAdmin, OpenSSL, GD, Freetype2, libjpeg, libpng, gdbm, zlib, expat, Sablotron, libxml, Ming, Webalizer, pdf class, ncurses, mod_perl, FreeTDS, gettext, mcrypt, mhash, eAccelerator, SQLite and IMAP C-Client.

XAMPP for Windows: The distribution for Windows 98, NT, 2000 and XP. This version contains: Apache, MySQL, PHP & PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, JpGraph, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB DAV & mod_auth_mysql.

XAMPP for Mac OS X: The distribution for Mac OS X contains: Apache, MySQL, PHP & PEAR, SQLite, Perl, ProFTPD, phpMyAdmin, OpenSSL, GD, Freetype2, libjpeg, libpng, zlib, Ming, Webalizer, mod_perl, eAccelerator, phpSQLiteAdmin. WARNING: This version of XAMPP is still in the first steps of development. Use at your own risk!

XAMPP for Solaris: The distribution for Solaris (developed and tested with Solaris 8, tested with Solaris 9) contains: Apache, MySQL, PHP & PEAR, Perl, ProFTPD, phpMyAdmin, OpenSSL, Freetype2, libjpeg, libpng, zlib, expat, Ming, Webalizer, pdf class. WARNING: This version of XAMPP is still in the first steps of development. Use at your own risk!

XAMPP is free of charge: We don't like overpriced commercial software and XAMPP is our attempt to do something that shows free software doesn't have to be bad.

Easy installation and deinstallation: To install XAMPP you only need to download and extract XAMPP, that's all. There are no changes to the Windows registry (not true if you use the Windows installer version of XAMPP) and it's not necessary to edit any configuration files. It couldn't be easier! To check that XAMPP is working some sample programs are included: there is a small CD collection program (written in PHP using MySQL), a small guest book (written in Perl) and several other demonstration utilities. If you decide that XAMPP isn't needed any more just delete the XAMPP directory and it's completely removed from your system. If you use the Windows installer version of XAMPP it's recommended to use the uninstall feature. As every installer does, the installer will make registry entries to remember the install.

The license: XAMPP is a compilation of free software (comparable to a Linux distribution), it's free of charge and it's free to copy under the terms of the GNU General Public License. But it is only the compilation of XAMPP that is published under GPL. Please check every single license of the contained products to get an overview of what is, and what isn't, allowed. In the case of commercial use please take a look at the product licenses (especially MySQL); from the XAMPP point of view commercial use is also free.
Happy LAMP... oops... XAMPPing.
