Google Site Search


Thursday, November 25, 2010

Response: Glassfish versus JBoss Community Patches

Please refer to my earlier blog post:  Community JBoss AS versus JBoss EAP  (April 2010) for further information.

Ok, I had to respond to a blog post titled "Glassfish vs JBoss Community Patches" because there was liberal usage of the following words : security, pci and patches.

Chris Mahns is responding to Rich Sharples blog post but brought in the terms "security" and "pci". This has prompted me to respond.

Let me tell you a story.  A friend of mine runs a non-profit public forum using Joomla/PHP etc. One day, he gave me a call to tell me that his site has been serving malware and if I knew of any easy means of preventing that in the future.  I told him that I would look into it.  He came back to me in less than a week to tell me that attackers had utilized the fact that he had not updated the latest patches for Joomla. My friend had missed one patch and his users were all served malware. (It can happen to credible web sites such as the New York Times. Read Here).

Thinking further, I realized that it is getting extremely critical for general users to stay on top of the patch process because someone has to triage security vulnerabilities, coordinate across components, collate patches, write patch reports, maintain relationship with organizations such as Mitre/NIST (CVE and NVD) etc which the general public cannot really do.

I strongly stress (whenever asked) by users that they should adopt OSS that is delievered by JBoss or Apache or any organization with a strong strong "Security Response Team".  For JBoss (Red Hat), we utilize the Red Hat Security Response Team which does an amazing job of triaging, generating patches and erratas for customers. They have relationship with software foundations such as ASF and also with the reporting agencies (Mitre/NIST etc).

Now as an user, if you are interested in "Security" and "PCI" compliance, then YOU SHOULD NOT be using the community version of the JBoss Application Server but using a Enterprise Platform from Red Hat such as EAP or the SOA-P because the components are not only stable but tightly monitored by the security response team.  The team releases frequent patches based on the criticality.

I will tell you from experience that it is not easy to stay on top of security vulnerabilities and patches if there are multiple open source projects involved.  A typical middleware server such as JBoss Application Server contains a large number of OSS projects (developed on JBoss community and other places such as the Apache Software Foundation).

Coming back to community version of JBoss, when we identify vulnerabilities, we typically fix and release as part of the next iteration of the community AS.  I even have a wiki article on JBoss community about this.  Look at Security Vulnerabilities Notification to Community.

We CANNOT spend resources on patching JBoss AS 4.0.1 or releasing a patch for AS 3.2.3, whenever a vulnerability is identified in a component such as Tomcat. Please for heavens sake, you chose cutting edge innovation and wanted the latest and greatest.  If yes, then you should be moving forward with the latest community version of JBoss AS. Adopt JBoss AS6 CR release as they happen. Once AS6 comes out, get on it right away.

As users, you make conscious choices whether you want flexibility, cost savings, reliability and security. If you want to be on the latest and greatest,  cutting edge stuff then adopt the JBoss Application Server (Community Version).  If you are going to run banking software or financial software or defense establishment using JBoss middleware,  then PLEASE adopt EAP or other Red Hat middleware products. You save yourself and us a lot of trouble.

Please refer to my blog post where in I notify the community of vulnerabilities existing in JBoss community projects. It is not like we totally ignore the community (that has made us powerful).

Also refer to my 2008 blog post where I assert that we take security seriously at JBoss.

I spend a portion of my time talking to security evaluators who are currently evaluating JBoss EAP 5.1 for common criteria at EAL4+.  We certified JBoss EAP 4.3 at EAL2+.  The CCE is a very intense exercise that can be daunting at times because the evaluators look at the entire laundry and pinpoint which of them is dirty and needs to be washed.

To summarize, if you are worried about security, PCI compliance, FIPS, Common Criteria and any other security certification/jargon etc, then please adopt a middleware platform from JBoss. You should not be fiddling with a community middleware stack.

My development environment is on Fedora Linux.  When I need the latest patches, bug fixes, I update to the next version of Fedora rather than just cry over not having patches over an older version of Fedora.  This is a choice I made.  If I needed stability, I would probably develop on RHEL.

And I would like to wish my US colleagues/friends at Oracle /Glassfish, a very Happy Thanksgiving. "May the break and family time raise your morale". Lets say Amen to that.


No comments: