It’s been few years now, the IETF’s TLS 1.3 standardization effort always looked like a never-ending story. Glad to note the wait is over. After 28 drafts for review, last week IETF finally ratified TLS 1.3 as an approved standard. Indeed, TLS 1.3 promises significantly faster SSL/TLS performance and a much secure communication protocol standard ever before! It also brings a radical change… Read more »
Manually assessing security controls, host and application configuration, access control policies, software patch levels and creating on-demand compliance readiness reports has always been a daunting task, especially when it is critical to adhere standards and regulatory mandates. Not only those processes are very time consuming and they are also highly prone to human errors. It becomes even more complicated when… Read more »
Way cool ! HTTP Session Hijacking can’t be made simpler than using Firesheep. Couple of days ago, a friend of mine suggested me to login a most popular website and he demonstrated how he took control and accessed my user session in less than a minute. First, I thought he used a network protocol analyser tool such as Wireshark or… Read more »
In a typical Single Sign-On (SSO)/Federation scenario using SAML, the Service Provider (SP) initiates the user authentication request using SAML AuthnRequest assertion with an Identity Provider (IDP). The IDP authenticates the principal and returns a SAML AuthnStatement assertion response confirming the user authentication. If the user is successfully authenticated, the SP is required to have the subject’s profile attributes of the authenticated… Read more »
The untold reality is ….when your Web application on the DMZ hits the Internet… the colorful performance graphs/numbers does’nt mean anything ! Unless your performance guru in the lab captured the QoS requirements and realized it proactively and accounted its actual overheads associated with Security, Network bandwidth, High-availability and other mission-critical requirements. Otherwise…performance is the nagging issue that every datacenter guy gnaws…. when an application… Read more »
I admit that I am not a SOA expert or pretend to be one ! Lately, I had a chance to explore few security features intended for securing XML Web Services and Java EE applications. With my little knowledge to SOA, I found that XML Web services play a vital role in SOA to enable loosely-coupled services and ensuring interoperability. From a security perspective, the core foundation… Read more »
Last few weeks, I have been pulled into an interesting gig for demonstrating security for _____ SOA/XML Web Services and Java EE applications…. so I had a chance to play with some untold security features of Solaris 10. KSSL is one of the unsung yet powerful security features of Solaris 10. As the name identifies, KSSL is a Solaris Kernel Module that… Read more »
Just came across this interesting web site – NationalIDWatch.org a consumer protection web site by Liberty Coalition, which provides a registry of personalized data breach reports… that reports whether your personal identity information has been stolen or publicly exposed or not ! If your identity information is compromised, it indicates the size of exposure, sensitivity and how it is distributed and so… Read more »
FIPS-140* compliance has gained overwhelming attention these days and it has become a mandatory requirement for several security sensitive applications (mostly in Government and Security solutions and recently with select finance industry solutions and particularly for achieving compliance with regulatory mandates such as PCI DSS, FISMA, HIPPA, etc ). FIPS-140 also helps defining security requirements for supporting integration with cryptographic hardware and software tokens. Ensuring… Read more »
Just got this Dilbert comic strip from a friend of mine… pokes fun to highlight the importance of IT auditing and compliance reporting.