Thursday, February 16, 2012

JBoss EAP is Common Criteria Certified - EAL4+ (Highest Level Security Certification)

This morning, the press release has gone out to announce the certification of JBoss Enterprise Application Platform 5.1.0 and 5.1.1 at the highest level of evaluation in its category - EAL4+.

The press release is available at http://finance.yahoo.com/news/JBoss-Enterprise-Application-bw-1345517824.html?x=0

The CC Guide should be available soon at http://docs.redhat.com/docs/en-US/index.html

I am confident that security conscious customers will find this news refreshing.

Friday, February 10, 2012

OpenShift Express PaaS always comes to my rescue

Most of us have been through this. You have to put up a demo for a customer, a conference or just to show something to a person living far away. Now, assuming the other person is not on the corporate network, you have to look for a server that is publicly hosted. Forget getting a computer outside your corporate DMZ; you have to go through many hurdles, and all the corporate security controls come into play. We cannot blame anybody for being so paranoid, given the state of the world: everybody is getting hacked these days. The irony is that the demos may represent some tech that is not critical from a security perspective but has value when displayed to a viewer. That is why it is called a DEMO.

You may say, there is Amazon EC2. Well, that's cool. I have used EC2 for some quick demos. But I have always had to stay on my toes because I would need to shut down the instances once the job was done. The reason was that the credit card meter would be running (just like a long distance taxi meter).

A couple of years ago, I did write some simple web apps on Google App Engine. They are probably still running. Wow, Platform-as-a-Service. You write apps and don't have to worry about dev-ops, cap-ex, op-ex, etc. Certainly for simple apps, your credit card meter is not running.

The challenge with GAE was the restrictive API that you had to program against. It was a pain to code to a whitelisted API.

Enter OpenShift, a PaaS from Red Hat. I have been running many demos on it for months. A cheatsheet I maintain is at https://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift

Why do I like OpenShift Express PaaS?
  • It's free.
  • It allows me to deploy standard Java EE web apps in minutes.
  • I do not have to worry about server administration.
  • I do not have to worry about checking if the web app is running.

I did put up another demo today for a key management app. Check it out here: http://symkey-anilsaldhana.rhcloud.com/keymg.jsp

What are you waiting for? Give OpenShift PaaS a spin.

Monday, December 12, 2011

Java Identity JSR: A positive step

The latest JSR on Java Identity is a very positive step in fostering security in Java applications. Since the JSR targets Java SE (as well as Java EE), it will have a very beneficial impact on Java applications running within the VM: you do not require a Java EE application server to make use of the Identity services. A presentation on the JSR, given by the spec lead, Ron Monzillo, is available at https://oracleus.wingateweb.com/published/oracleus2011/sessions/25171/S25171_139221.pdf

A complaint I often hear from Java developers is the lack of a consistent, standard API and set of annotations that they can use for securing their applications. JSR 351 aims to provide the necessary API as well as annotations. This should have happened long ago, but at least now there is a positive attempt in that direction. I fervently hope that all the framework developers pay attention to this JSR (and do not fall prey to the NIH syndrome).

With the proliferation of Identity standards and the lack of coherence among them, it has become very hard for application writers to grasp the concepts of security. They usually take the easy way out (a simple password based system).

I wish the JSR committee all the success. I am planning to be on the committee. You are welcome to participate. The proposed reference implementation is going to be under the Apache 2.0 license and the TCK will be free of charge. [Slide 10]