Category Archives: Security

Hardware Assisted Security: Cryptographic Acceleration for SOA and Java EE applications

I’ve spent the last few days attending Oracle OpenWorld conference at San Francisco..it is my second OOW experience, so it is not a surprise to see the conference was fully packed with people, hundreds of sessions and demos – I did have an opportunity to attend few and also present two sessions focused on Security topics featuring “Hardware Assisted Security… Read more »

Java Cryptography on Intel Westmere

      3 Comments on Java Cryptography on Intel Westmere

When it comes to Java cryptography based application security –  Solaris has significant performance advantage over Linux and Windows on Intel Westmere processor equipped servers.  I am not debunking Linux performance on Intel but evidently Linux does not take advantage of Intel Westmere’s AES-NI instructions when the Java applications relies on Java cryptographic implementations  for performing AES encryption/decryption functions.  AES is one of the most popular symmetric-key encryption algorithm widely… Read more »

Using Hardware Security Module (HSM) for Oracle Transparent Data Encryption (TDE)

Hardware Security Module (HSM) plays a critical role in securing the storage of private keys and accelerating compute-intensive cryptographic processes associated with public-key encryption, symmetric-key(secret-key) encryption and digital signature applications. Using HSM in Oracle Transparent Data Encryption applications will ensure that the Key material stored on the card is protected and not exportable (never leaves the card) and all associated… Read more »

SAML Attribute Exchange for X.509 Authentication based Identity Federation

In a typical Single Sign-On (SSO)/Federation scenario using SAML, the Service Provider (SP) initiates the user authentication request using SAML AuthnRequest assertion with an Identity Provider (IDP). The IDP authenticates the principal and returns a SAML AuthnStatement assertion response confirming the user authentication. If the user is successfully authenticated, the SP is required to have the subject’s profile attributes of the authenticated… Read more »

Web SSO with One-time Passwords via Mobile SMS and Email

With increasing incidents of online frauds through username/password compromises and stolen/forged identity credentials – Strong authentication using multi-factor credentials is often considered as a  defensive solution for ensuring high-degree of identity assurance to accessing  Web applications. Adopting multi-factor credentials based authentication has also become a most common security requirement for enabling access control to critical online banking transactions and to safeguard online customer information  (Mandated by FFIEC… Read more »

Secure Java Coding Guidelines v3.0

      1 Comment on Secure Java Coding Guidelines v3.0

When it comes to application security,  Secure coding is the first line of defense….and it is very critical to follow the best practice patterns and avoid pitfalls to secure the application from known risks and vulnerabities. The Java Security team has just released the updated – “Secure Coding Guidelines for the Java Programming Language, Version 3.0” .  Certainly it included a newer set of… Read more »

Java EE 6: Web Application Security made simple !

Java EE 6 RI was released few weeks ago….I am bit late to have my first look 🙂  Without a doubt, the new Web container security enhancements are very compelling for any budding or experienced Java developer working on Web applications. The Java EE 6 has unveiled several new security features with ease of use and targetted for simplified Web… Read more »

Drone video feeds got eavesdropped ?

      No Comments on Drone video feeds got eavesdropped ?

Interesting news..I am not sure how far this story is true !  The Iraqi insurgents has used the SkyGrabber utility to eavesdrop the live video feeds from the US Drones…as reported by Wallstreet journal yesterday.  Quite interesting to note, the multi-million dollar unmanned aircraft did’nt use “Encrypted Communication” in first place. It’s time for them to deploy a tamper-proof encrypted… Read more »

Does your Performance Tests address Security ?

      2 Comments on Does your Performance Tests address Security ?

The untold reality is ….when your Web application on the DMZ hits the Internet… the colorful performance graphs/numbers does’nt mean anything !  Unless your performance guru in the lab captured the QoS requirements and realized it proactively and accounted its actual overheads associated with Security, Network bandwidth, High-availability and other mission-critical requirements.  Otherwise…performance is the nagging issue that every datacenter guy gnaws…. when an application… Read more »