Access control exploits, user credential exposures and related security compromises are becoming increasingly common in Web 2.0 world ! Most of these issues pertain to broken or insufficient authentication controls and flawed credential management that allows attackers to compromise vulnerable applications by stealing or manipulating credentials such as passwords, keys, session cookies and/or impersonating another user through forged or guessed credentials. Any such access control… Read more »
Web 2.0 applications are proliferating and it has become widely popular for delivering dynamic user-generated content, information collaboration, data mashups, social networking and Web services. Building security for Web 2.0 applications pose several daunting challenges to Web 2.0 developers as these applications are publicly accessible and it blindly opens door to several intentional/unintentional abuses and malicious practices including data interception and manipulation by… Read more »
One thing I noticed lately…is lot of interest about understanding the usage of ‘Obfuscated Transfer Object (OTO) ‘ from Core Security Patterns. I got multiple emails about its code and implementation .. understandably there is a growing security concern about using Transfer Object (aka Value Object) that passes security-sensitive data elements between Java EE tiers (especially between Presentation/Business/Persistence), when the… Read more »
Few weeks ago, US Dept. of Homeland security (National Cyber Security Division) in collaboration with SANS Institute/MITRE teams worked together and released a list of 25 dangerous programming errors as common security flaws, which opens doors for easy exploitation. My first look at this list, I thought it is a old wine in a new bottle as the document sounded… Read more »
It’s been so long, I had been involved with multiple Smartcard/PKI projects particularly supporting integration of Sun technologies for use with National eID, US Federal (HSPD-12 / PIV cards) and DoD CAC projects. There is no secret sauce, but unfortunately I did’nt find time to put together a trustworthy documentation addressing the technical aspects of using Smartcard based PKI credentials… Read more »
Last night, I had the opportunity to present at an OWASP event @Hartford, CT. James McGovern, a long-time buddy of mine organized this event at one of the Hartford skyscrappers – What a great view ! I had contributed code artifacts to OWASP projects before, but it was the first time I had a chance to attend an OWASP event…. Read more »
Not a shameless promotion – I came to know from multiple feedback and praises from the people who took the Sun Certified Enterprise Architect exam. Core Security patterns is overwhelmingly suggested as a reference text for “Section 8 – Security” of Sun Certified Enterprise Architect for Java EE5 exam. Section 8: Security Explain the client-side security model for the Java SE environment,… Read more »
I had been involved with multiple Biometric ISV providers and its integration with Sun technologies particularly OpenSSO, IdM, Sun Rays and Solaris. I also had the opportunity to deploy Biometric solutions to few govt organizations that starts with “D” and “N”. Believe it or not…we have few of them in production. Now, getting down to the specifics – Putting it… Read more »
I had my chance to play with JavaFX and its samples. Wow ! unbelievably cool stuff and JavaFX raises the bar for other RIA API tools. In my experience, JavaFX eats AJAX and other RIA scrApting tools for lunch ! JavaFX offers an easy to understand declarative API for building RIA applications that can include Media, Graphics, XML Web Services… Read more »
A picture is worth a thousand words. This picture is intended for a friend of mine (a doubting Thomas), who did’nt believe my latest work on enabling a multi-factor authentication based “Web SSO” that uses on-card credentials (PIN + PKI + Biometrics) using PIV card. This solution is currently tested to run Sun OpenSSO Enterprise 8 (running on Glassfish v2),… Read more »