Thursday, November 1, 2007

JBoss EAP will undergo CCE

Not sure if you have already seen the press release that went out. If not, take a look at my official blog entry:

Red Hat Expands Security Leadership by Seeking Common Criteria Certification for JBoss and MetaMatrix Solutions

Your excellency will be leading this effort.


TF said...

On the JBoss blog you write "At JBoss, we take security pretty seriously". Pardon me, but so far I have had a hard time raising the level of consciousness at JBoss for that thing called security.

I'd guess most JBoss productive systems are vulnerable because of misconfiguration and you probably know it. Still JBoss/RedHat does nothing to better the situation.

If I address the issues with JBossians, all I get is the "there is a security chapter in the documentation" answer.

Guys, that might backfire big time some time.

Imagine my surprise when I read you are going after CCE.

Anil Saldanha said...

There can never be reasonable defaults for a software product to ship with. You may secure your product by having a finite set of security tuples (example, userid/pwd) such that the downloaded product cannot be insecure by default.

Hence there is a need for a separate configuration step to secure your JBoss instance before you put it in production.

I am really sorry to hear that you have not received a good response whenever you have raised a security issue. All I can say is that you got filtered down by security-averse JBossians.

Another thing is the id of "tf" does not tell me anything about who you are. Send me an email and we can take it from there.