security

Article

Using API keys securely in your OpenShift microservices and applications

Shane Boulden

In the microservices landscape, the API provides an essential form of communication between components. To allow secure communication between microservices components, as well as third-party applications, it's important to be able to consume API keys and other sensitive data in a manner that doesn't place the data at risk. Secret objects are specifically designed to hold sensitive information, and OpenShift makes exposing this information to the applications that need it easy. In this post, I'll demonstrate securely consuming API keys...

Article

How Red Hat re-designed its Single Sign On (SSO) architecture, and why.

Brian Atkisson

Red Hat, Inc. recently released the Red Hat SSO product, which is an enterprise application designed to provide federated authentication for web and mobile applications. In the SAML world, RH SSO is known as an Identity Provider (IdP), meaning its role in life is to authenticate and authorize users for use in a federated identity management system. For example, it can be used to authenticate internal users against a corporate LDAP instance such that they can then access the corporate...

Article

Using the operating system to authenticate users on Red Hat JBoss Enterprise Application Platform (EAP)?

Siddhartha De

Recently, I was searching for a solution to configure the security domain of Red Hat JBoss Enterprise Application Platform with the local operating system based user registry so that the application could directly authenticate its users with local operating system users. I understood that it would be difficult to implement a generic solution, as authentication mechanisms are strikingly different between Windows and Unix/Linux. After checking several blogs and forums, I decided to implement this using JPAM for Unix/Linux and Waffle...

Article

CI Security on Red Hat Enterprise Linux from a Windows Perspective

Andrew Male

The sheer number of tasks involved in building out automation infrastructure for a new organization never ceases to amaze me. One of the most often overlooked groups of tasks, however, is security. Though I am in no way a security expert, I know there are some basic steps we should take to protect ourselves and our precious systems. I also know that not everyone who administers RHEL systems has an extensive background working with Linux. If, like me, you’re normally...

Article

Red Hat Identity Manager: Part 2 - Enterprise PKI Made Easy

Brian Atkisson +1

This is the second installment in a series about using Red Hat Identity Management (IdM) on Red Hat Enterprise Linux and Fedora (using the upstream FreeIPA project). As described in part 1, IdM makes it very easy to build an enterprise-grade identity management solution, including a full enterprise PKI solution providing complete x509 certificate life cycle management. Most organizations start with a simple self-signed Certificate Authority (CA) certificate, perhaps generated using OpenSSL; with a little configuration and a...

Article

Security update: SAMAS/SamSam Ransomware and JBoss

Chris Robinson

Over the last few weeks reports of crypto-ransomware have been circulated on the Internet and in the press. While public details are sparse and victims are hesitant to share details, Red Hat is aware that older, unpatched versions of JBoss have been linked to several cases. The main flaw seen used has been CVE-2010-0738. Unsecured consoles appear to have been the main culprit of allowing attackers into internal networks using the JexBoss testing tool. Red Hat JBoss Enterprise Application...

Article

DevNation 2016 in San Francisco - Call for Proposals is now open

Mike Guerette

San Francisco, California, USA, June 26-29, 2016. As part of the DevNation 2016 launch and abstract selection teams, I'm pleased to share this news and invite you to submit your talk to DevNation 2016! How it works: you submit a session (or sessions!) you'd like to present at the 2016 DevNation by January 11, 2016. Subject matter experts review each submitted abstract and give a numerical vote (1-5). Selection committees review the highest-rated sessions and build the agenda. You receive...

Article

DevNation preview: Enterprise security with Keycloak - from the intranet to mobile

Stian Thorgersen

When securing applications and services there are a lot of challenges you will encounter. Most of these are applicable to you both if you are developing new applications or if you already have existing security solutions in place. Challenges you'll encounter include: keeping user passwords safe; single sign-on/out; multi-factor authentication; social logins; mobile devices; public APIs; managing users, permissions and sessions; integrating with existing infrastructure such as an LDAP server; and integrating with partner solutions. In this session we'll talk about how...

Article

Repost: Where Docker security may be headed | Opensource.com

Mike Guerette

Dan Walsh wrote this great article for opensource.com. I've recently learned from Dan that SELinux and containers are excellent complements to each other - kind of like tea and scones, peanut butter and jelly, Laurel and Hardy. (Which one of these did you need to google?) As container applications become finer grained, SELinux becomes really easy to use (for both dev and ops) for securing containers. Here's an excerpt from Dan's article - click through to read the whole...

Article

Introducing a *Super* Privileged Container Concept

Daniel Walsh

Letting the containers out of containment. I have written a lot about *Containing the Containers*, e.g. *Are Docker containers really secure?* and *Bringing new security features to Docker*. However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let's talk about removing all the security! Safely? Packaging model. I envision a world where lots of software gets shipped in image format. In other words...

Article

Opensource.com - Are Docker containers really secure?

Daniel Walsh

This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed. Containers do not contain. I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system. I have heard people say Docker containers are...

Article

Repost: Red Hat Security - POODLE SSL 3.0 vulnerability

Mike Guerette

POODLE – An SSL 3.0 Vulnerability (CVE-2014-3566). Red Hat Product Security has been made aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. To mitigate this vulnerability, it is recommended that you explicitly disable SSL 3.0 in favor of TLS 1.1 or later in all affected packages. Read the whole article via Red...

Article

Frequently Asked Questions about the Shellshock Bash flaws | Red Hat Security

Mike Guerette

"The recent few days have been hectic for everyone who works in the Linux/Unix world. Bash security flaws have rocked the globe leaving people confused, worried, or just frustrated. Now that the storm is over and patches are available for most operating systems, here are the answers to some of the common questions we’ve been asked:" Read the whole article - from the Red Hat security engineering team: Frequently Asked Questions about the Shellshock Bash flaws | Red Hat Security...

Article

Repost: Embedded Vulnerability Detection command line tool

Mike Guerette

by Grant Murphy "The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha...

Article

Enhance application security with FORTIFY_SOURCE | Red Hat Security

Mike Guerette

by siddharth "The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in various functions that perform operations on memory and strings. Not all types of buffer overflows can be detected with this macro, but it does provide an extra level of validation for some functions that are potentially a source of buffer overflow flaws. It protects both C and C++ code. FORTIFY_SOURCE works by computing the number of bytes that are going to be copied from a source...

Article

Secure Development Practices

Langdon White

Earlier this year we held an event called Red Hat Developer Exchange, which is a one-day conference for developers who leverage any of the Red Hat products. We had a great bunch of sessions, but one of the ones I did was about "Secure Development Practices." What does that mean, you might ask? Well, it means, what can I change about my methods and techniques to make it more likely that the development that takes place in my organization...

Article

Red Hat Developer Exchange day - slides available

Mike Guerette

The day before Red Hat Summit in Boston, we hosted a Red Hat Developer Exchange day - a one-day technical event which covered some great topics across four tracks: DevOps, Programming on OpenShift, Languages and Tools, and Get more out of Red Hat Tools. The feedback on these was consistently great, so we hope you find them useful too! Track: DevOps - DevOps in the Enterprise; Choosing the Right Cloud Platform for You; Monitoring and Metering: Baking Operational Goodness into...

Article

Writing SELinux Policy – A black art.

Daniel Walsh

Dan Walsh writing a blog outside of DanWalsh.livejournal.com??? What is the world coming to? I was asked by Red Hat to start writing occasional articles for developers, so here it is. Writing SELinux Policy – A black art. I often find it comical that people think that writing SELinux policy is difficult. They imagine that the people doing it are GURUs. The truth is, it is rather easy. Although, don’t tell my bosses that! There are some things that are...

Article

Upcoming secure development sessions

Josh Bressers

I'm speaking as part of a panel on secure development practices for Red Hat Developer Exchange and the Red Hat Summit. I work on the Red Hat Product Security Team, a group whose purpose is to help Red Hat develop products as securely as possible. Quite often when people talk about software security it's an afterthought. You write your software, then you worry about security later. This can work sometimes, but it's also really expensive. Once you have a functioning...

Article

The Security Benefits of RPM Packaging

Eric Christensen

RPM Package Manager (RPM) was created to deliver software to workstations and servers. Besides being an efficient software delivery mechanism, RPM also provides security features that assist system administrators with managing their software and trusting the code that is going into their infrastructure. What is an RPM? RPM is a package management system that bundles software source code or binaries together for easy installation on a computer. These files are tracked and allow for easy installation, upgrading, and removal. Since...

Article

Secure Development Series: Security Mentality

Langdon White

A new video focused on the "Security Mentality" in the secure programming series has been released. Some interesting things are covered about how developers think about security and why they accidentally introduce security flaws into their systems. As a corollary to Bruce Schneier's law, Josh offers "Any developer can build an application so secure that he or she cannot exploit it." Please watch the videos for some ideas about cheating and about how to avoid the biases in your own...

Article

Secure Development Series: Authorization

Langdon White

Authorization and Authentication are both important aspects to secure development. Come check out our latest video in the secure development series and learn about often overlooked authorization events in your applications. The video also discusses Cross-Site Request Forgeries (CSRF), what they are and how to avoid them (e.g. OWASP CSRF Prevention Cheat Sheet).

Article

Secure Development Series: Numeric Errors

Langdon White

The next secure development video is out! Come check out a quick video on the impact of numeric errors during your development process. The video covers such problems as Integer Overflows, and Array Index Errors (like Bounds Checking and Index Checking). You can also find more information about overflows and security in general at The Open Web Application Security Project (OWASP). Please leave us your feedback or suggestions for other secure development topics you would like...

Article

New Secure Development Video Series

Langdon White

Software developers always know they are supposed to be paying attention to security when they program. However, developers also know that without regular reminders, both of the things they know and of new threats, secure development practices can suffer. As a result, you might find the new series of videos from the Red Hat Product Security Team useful. The first two videos cover that age-old topic, “Input Validation”, with the first video a bit of an intro and covering XSS...