Enabling LDAP Security for DataGrid Cache

Expanding on Tristan’s blog, where he spoke of enabling security for JBoss Data Grid caches, in this post we will cover how to add LDAP based security to the JDG caches. The principles and techniques remain defined by Tristan, but there are some minor changes that I will be highlighting in this blog for a successful working configuration of JDG enabled with LDAP security.

Continue reading “Enabling LDAP Security for DataGrid Cache”


Diagnosing Function Pointer Security Flaws with a GCC plugin

A few months ago, I had to write some internal GCC passes to perform static analysis on the GNU C Library (glibc). I figured I might as well write them as plugins since they were unlikely to see the light of day outside of my little sandbox. Being a long time GCC contributor, but having no experience writing plugins I thought it’d be a good way to eat our own dog food, and perhaps write about my experience.

Continue reading “Diagnosing Function Pointer Security Flaws with a GCC plugin”


Wearable Tech: A Developer’s Security Nightmare

Web developers and IT professionals are the foundations of any quality business’ data security.

However, with technology constantly changing and evolving as well as becoming more consumer-friendly, this data’s vulnerability only increases and it can often be hard to even notice how this new technology can actually affect your company until it occurs. Despite this, ignorance to modern hacking techniques does not refute their inability to transform even the smallest of devices into a weapon with which to infect or intrude upon data and the effects of this on a company can mean massive destruction in the infrastructure and beyond.

One of the newest data security threats posed to the IoT, in particular, is the rise of the wearable technology industry. With companies like FitBit and Google developing glasses, fitness trackers, and watches that make everyday life a little bit easier, it may seem as if the wearable tech industry is nothing more than a fun and exciting way to incorporate technology into the average consumer’s life, however, this is not entirely the case.

Continue reading “Wearable Tech: A Developer’s Security Nightmare”


Container Images Compliance – what we built at ManageIQ to remove a security pain point – part 2

Part 2 of 2

In part one of this blog post, we mentioned a pain point in Container based environments. We introduced SCAP as a means to measure compliance in computer systems and introduced ManageIQ as a means of automating Cloud & Container based workflows.

Continue reading “Container Images Compliance – what we built at ManageIQ to remove a security pain point – part 2”


What is mobile security? What is the mobile security ecosystem?

I was recently introduced to a published draft by the National Institute of Standards and Technology (NIST) from the U.S. Department of Commerce which talks about assessing the threats to mobile devices & infrastructure. The document discusses the Mobile Threat Catalogue which describes, identifies and structures the threats posed to mobile information systems.   This blog summarizes the 50-page document with added context and commentary based on my experience in the mobile industry helping organizations building mobile apps.

More than ever before in today’s connected world, the security and protection of our information has the highest priority. Recent Distributed Denial of Service (DDoS) attacks that brought down the internet were generated with the unauthorized use of the Internet of Things (IoT) devices, proving yet again that security breaches can be crippling. The use of mobile devices continues to grow globally and most organizations now have mobile apps that access mission critical information.   It is then important to have a broader view of the entire mobile security ecosystem and understand everything that involves mobile security. As they say, “information is the most powerful weapon”  – in this case to protect our mobile solutions.

The NIST document outlines a catalog of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security solutions to better protect enterprise information technology (IT). Smartphones and tablets running modern mobile operating systems are the primary targets in this analysis, not IoT devices.

Mobile devices contain integrated hardware components to support a variety of I/O mechanisms and while some of the communication mechanisms are wireless (i.e., cellular, WiFi, Bluetooth, GPS, NFC), they also include physical connectors (i.e., power and synchronization cable, SD cards, SIM cards, etc.). Wireless and wired device communication mechanisms expose the mobile device to a distinct set of threats and must be secured or the overall security of the device or app may be compromised.  [1]

What do we secure?

Since mobile devices can store a lot of data, personal and enterprise data becomes a target, from sensitive information like home address, telephone number, medical information and credit card numbers to authentication information (users & passwords).   Protecting data also means protecting identity as identity theft can be used to gain unauthorized access to information that can then be compromised or stolen.

Mobile Security Ecosystem

Here the Mobile Security Ecosystem relates to general threat categories that need to be reviewed and understood.

Threats to mobile apps can be classified in 2 groups:

  1. Software vulnerabilities to exploit data residing within the mobile app running on the mobile operating system, and
  2. Malicious or privacy-invasive apps that identify malware based threats to damage your device and/or mobile service.

There are different types of authentication mechanisms for mobile apps; authentication access to devices, to remote services, to remote networks, and to enterprise systems. Vulnerabilities in the mobile apps represent a very high risk of compromising sensitive personal or enterprise data. In summary,  mobile app security is about data protection in the mobile app itself.  

Checklist for Securing Mobile Applications

While building mobile apps, the architecture, and design of the app becomes a critical first step for security,  decisions need to be made and best practices need to be followed.  

Here’s a checklist of considerations for the architecture design.

  • Data transfer encryption
  • Data-at-Rest encryption
  • Store on device and/or store on the cloud
  • Data input validation
  • Use of tokens or keys
  • Hashing and salting passwords
  • Authentication and corporate Identity Management Integration
  • Security policies with an Enterprise Mobility Management system (EMM)
  • Need for VPN connectivity
  • Backend integrations (legacy, web services, RESTful APIs, etc.), use only the data you need, do not transfer everything
  • Secure storage in the cloud and on-premise
  • Files permissions
  • Log files and auditing information
  • Plan for penetration tests
  • Government or regulatory compliance
  • Choice of Mobile Application Development Platform features

More information about mobile app development security best practices by major players in the space:

Enterprise Mobility Management

EMM systems are a common way of managing employee mobile devices in an enterprise. They include a combination of mobile device management (MDM) and mobile application management (MAM) functionality. MDM focuses securing and monitoring mobile devices, while MAM focuses on app distribution and controlling user access to apps. The key feature for EMM systems is to deliver mobile policies, such as only allowing a whitelisted set of applications to run, remote data wipe, ensuring a lock screen and disabling certain device peripherals (e.g., camera).  Different vendors offer different sets of policies, it is important to compare and review differences.  These are implemented via SDKs developers have to use while building apps or by a “wrapper” mechanism on built mobile app binaries.

Other sources of vulnerabilities in the mobile ecosystem

Mobile Operating Systems

Vulnerabilities found at mobile operating systems level which are typically addressed by the platform vendors in a form of patch or new release (Android, iOS, Windows). An example of vulnerabilities is Android 2.3 Gingerbread which is no longer supported by Google and has been considered one of the mobile operating system versions with the most malware attacks.

Device Drivers

Plugins provide access to device hardware and other peripheral device functionality that is ordinarily unavailable to web-based apps (i.e.. camera, geolocation, device motion, accelerometer, vibration, battery status).  Apache Cordova plugins are an example of mobile apps using device functionality and a potential security risk, especially when developers create their own plugins or identify a vulnerability on Cordova. Just like the mobile operating systems, Cordova, and similar products report and address security issue, for example, a critical issue identify on Apache Cordova for Android 4.0.2 and 3.7.2 releases.

SD Cards

SD cards are removable memory used to expand the storage capacity of mobile devices to store data such as photos, videos, music, and application data. Similar other media devices in the Laptop/Desktop world,  SD cards can be source of malware and spyware.

SIM Card

This removable hardware is a chip housing the International mobile subscriber identity (IMSI) needed to obtain access to cellular networks, pre-shared cryptographic keys,  the phone number and even contact information.  Every mobile device has a SIM card (3G & 4G) making it the most widely used security token in the world,  still hackers can send properly signed binary SMS (text messages), which downloads Java applets onto the SIM that can access phone number and identity information.  Use of modern SIM cards with the latest cryptography an SMS firewall for selection of binary SMS to trust are recommended to secure SIM Cards.

Mobile carrier infrastructure and interoperability

This relates to the Mobile Operator and includes threats to the base stations, network backhaul, cellular network cores and signaling threats associated with the widely used Signaling System No. 7 (SS7) networks in the mobile networks.  With 4 Generation (4G) mobile networks the move from proprietary networks and protocols to IP-based networks brought a lot of changes, many of the positive from the operation side, but at the same time brought new security risks never seen by Mobile Operators.    There is not much either a mobile app developer or an organization can do at the network infrastructure level to tackle such vulnerabilities, but it is important to be aware of the risks at infrastructure and interoperability level.

There are many more details, a lot more things to learn with regards to mobile app security, an understanding of the ecosystem and the security threats is a good first step to take on building your secured mobile solutions.

[1] http://csrc.nist.gov/publications/drafts/nistir-8144/nistir8144_draft.pdf

Understanding OpenShift Security Context Constraints

OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. Security context constraints allow administrators to control permissions for pods using the CLI.

SCCs allow an administrator to control the following:

  1. Running of privileged containers.
  2. Capabilities a container can request to be added.
  3. Use of host directories as volumes.
  4. The SELinux context of the container.
  5. The user ID.
  6. The use of host namespaces and networking.
  7. Allocating an ‘FSGroup’ that owns the pod’s volumes
  8. Configuring allowable supplemental groups
  9. Requiring the use of a read only root file system
  10. Controlling the usage of volume types
  11. Configuring allowable seccomp profiles

Continue reading “Understanding OpenShift Security Context Constraints”