Think about this: when you sleep at night, most of us lock the doors of our house. Why? We want to feel secure. Same phenomenon happens when we go out of town for a couple of days - we tell our neighbors to watch our house. Many a times, burglars just break open a window and get in or take something immediately. When that happens, you fix the window and continue to hope that your house is safe. Even when you install a security system to your house and pay some company a monthly fee, your house is not totally secure. Someone can still break in, pick something quickly and vanish before the authorities show up. What I am trying to drive is that - a totally secure system is a myth. The reasons are plenty - these so called systems are developed by humans who are prone to make mistakes - prone to overlook something. But we certainly can try to reach that goal of making a system as secure as possible. The system will become secure with the help of implementers, testers, users, maintainers, researchers and those who scream - "fire, fire"!!! JBoss is no different. We get better as usage and feedback increases.
This week, there was a news article "Open-source software a security risk, study claims" which basically generalized that Open Source Software is risky from security perspective. I will not go into a debate about the merits of this study or get into an argument over whether closed source products are more secure than the open source ones? You can read some debate here.
This report has been widely cited in the media. A postive thing about this report is that they have given top marks to JBoss on security and pulled us down on not having a separate email address for privately reporting security vulnerabilities. Ok, that was an issue with our html editing abilities that we had not posted it in the right places to look.
You can view the following pages to get the security vulnerability reporting information now. I hope everyone is happy: JBoss Security
I have also put the information on my project page here: JBoss Security and Identity Management
Have you found a Security Vulnerability in any of the JBoss Products/Projects?
If yes, then you can email either at (security AT jboss DOT com) or (security AT jboss DOT org) for a private handling of your vulnerability information. You can also use the Red Hat Security page to report the vulnerability here.
At JBoss, we take security very seriously. I try hard to keep up to speed with all the latest developments in the security field. I am a member of multiple technical committees at the W3C, Oasis and the JCP. We try to provide the latest cutting edge technology to the users while maintaining high security standards. I do interact with security experts in the industry and adopt best practices from discussions. As an example, I had a breakfast discussion with Johnathan Nightingale, Human Shield, Mozilla Software Foundation. During the discussion Johnathan described how Mozilla tries to adapt test cases on report of every vulnerability such that regressions can be detected with every release. There, I had a perfect best practice to be adopted into our process at JBoss. :) Jeremiah Grossman, during his presentation at CSI 2007 had told us that he would go to sleep at night (when he was the CSO at Yahoo and a early 20s kid) knowing fully that Yahoo would be hacked in the night from across the world. But he kept trying to beat the hackers out. All that experience made Yahoo strong as well as launched a platform for his new company, White Hat Security. Security is not easy. Security is not complete. We just have to get better at it. ;)
Howard Schmidt has cautioned to be wary with the usage of Open Source Software. I respect Howard mainly because he is the president of ISSA (where I am a member and I read his message on the ISSA Journal every month). Howard is also an invited board member at ENISA. He has tons of security experience and is a well respected visionary. He has made a general statement about open source software which may not be totally applicable to every OSS product.
Lets look at how US Federal Agencies are dealing with Open Source Software with information from the public domain:
1) GSA has placed huge bets on JBoss. Read it here.
2) NSA is using RHEL5 and has provided security guidance here. RHEL is based on Fedora.
3) Bill Vass of Sun Federal says:
Vass, president and chief operating officer at Sun Microsystems Federal Inc., also cited open-source software, a Sun specialty. “More agencies are standardizing on open source, he said. Small-business partners who understand the value of open source in addition to consolidation and virtualization are especially useful in government work, he said.
The march of the Open Source into the Federal Domain continues.
What else are we doing at JBoss to make everyone feel secure?
JBoss is undergoing Common Criteria Evaluation process to give its users the confidence needed that they are using a secure product that has undergone rigorous security evaluation.
I thank everyone for using JBoss. I also thank the author of the study for giving us top marks for being secure (and we have fixed the html pages to showcase an email address to report vulnerabilities).
If you are unhappy with JBoss Security and would like to devour me for dinner, then you can email me at Anil DOT Saldhana AT redhat DOT com.
Anil is the Chief Bottle Washer for Security at JBoss. He greatly appreciates the gesture from the community here.