Java Security Manager for JRuby - security

I'm allowing user-supplied Ruby code to run on the server (Java scripting), and since JRuby doesn't support safe levels as in Ruby, I'm thinking about using Java's security manager.
Is this a good decision? Has anyone else implemented this? Are there any good articles/books/resources that introduce me to security manager?

This sounds like a perfectly reasonable decision.
The article Java Scripting and JRuby Examples demonstrates using JRuby with the SecurityManager, so at least one other person was able to successfully implement this configuration.

Related

Fabric Smart Contracts in Kotlin

We are looking at building smart contracts in the Kotlin language, even though it's not officially a supported language. The reasons are:
- It compiles down to Java bytecode. So from a JVM point of view, it's no different to Java.
- It's a very expressive language with a much better type system than Java.
- It's got first hand support for functional programming constructs.
So, the question I have is not about technical feasibility - coz I know it's not a problem. The question is, does anyone see any other issues with this approach? Perhaps anything core to Hyperledger Fabric which might cause issues further down the line? Also, curious if anyone else has tried this before in a production setup? Thanks
I don't know if anyone has used it in production, and/or hit any problems using Kotlin, but there is a Kotlin example in the Java chaincode repository.

Adding Security Using Chef Cookbook Pipeline

A cookbook is the fundamental unit of configuration and policy distribution. A cookbook defines a scenario and contains everything that is required to support that scenario.
- Can we use a fixed template in all the cookbooks which developed by all teams to add some security features to all systems?
- What would be some example for that?
Unfortunately your question is very vague, but as Chef is, at heart, a programming framework, the answer is probably "yes, go write the code to do that thing you said". Security is not a single thing that can be added or subtracted to, and in general trying to share a single cookbook between multiple teams (in terms of ownership, not use) is probably going to be difficult in the same way as building any cross-team tool or library is. But there's no technical reason you can't, so good luck :)

Cron with REST interface?

I need a cron-like tool that supports REST API. It should have all the features of cron + the ability to read (and maybe even write) new cron rules.
I've scoured the interwebs but found nothing mature. And yes, I realize that a REST interface for cron could be a serious security issue.
- minicron does not offer a REST API at the moment.
- chronos is way too overblown for my purposes (it's built on top of ZooKeeper and Mesos).
- this rest-cron project is abandoned and only partially implemented.
- fcron lacks what I need but is open source and could maybe be extended, but it's C code, which would be a pain.
- jobber is a Go-based cron-like, which would be easier to modify.
Still I was hoping for an out of the box solution. Any ideas?
To manage my infrastructure, I use EasyCron - https://www.easycron.com/document - The API isn't the most sophisticated, but gives me more control.
I've been using recurry for this reason (nodejs).

How does Grails handle security, and why should I use a plugin?

For 90% of every security-related Grails tutorial, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.
For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore how vulnerable is it to attacks like cookie injection and cross-site/stray JS?
I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is, is Grails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?
On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.
Regarding security concerns I would always suggest to prefer proven and widely adopted solutions over your own rolled security implementation. Spring Security was founded in 2003 under the name Acegi and brings you more than eight years of experience and development for your security concerns.
As you already pointed to the Grails Spring Security plugin you should have a look at the OpenID plugin Spring Security OpenID which extends the Spring Security Core and brings you the OpenID support.
reason I should use a security plugin even for these trivial tasks?
... on a basic level it's also trivial to use the plugin so what's there to lose? Screencast to get you started

How secure are CGI based web apps?

A very well known major drawback of using CGI is poor webserver performance. But how secure are CGI (mainly C/C++) based applications? Are there any major security holes in CGI architecture built on C/C++?
I would like to know some real life implementations of CGI based web apps/web sites. One that I know of is javaranch.com.
The major security hole I would see anywhere, C/C++ included, would be not using a standard, open CGI library, not reading its documentation, and thinking you're secure anyway.
Don't re-invent the wheel. Use a CGI library. Some languages have this built-in (PHP probably does), others have it included (Perl comes to mind), others need you to grab it from elsewhere (C/C++). Make sure you know what it is, and that you use it. Do not try to implement it yourself. If you have to ask about security, you, like me, are not qualified to write it.
Read the documentation. If you're using a well-established library, there will be documentation on security issues and what you can do to avoid them.
Do not ever assume you're secure. I'm quite sure I'm not secure, even though I've followed all the rules in the CGI library for Perl, and the rules in the database interface library, etc. But I still assume I'm not secure, and keep it on the forefront of my mind when doing anything there. Should I ever be an expert on security, maybe I'll change my assumption. Not sure yet.
Security is always multi-faceted, and always incomplete. There are holes being found in all sorts of software all the time - software that may have been previously thought secure. And now we have many more best-practices for security than we did, say, 15 years ago. And we have SELinux for more security.
Of course, the question is - do you have enough security for your app? Does a reasonable effort get you a reasonable level of security? Of course, that's why I don't use C/C++, but I use Perl instead. It takes a lot less effort to ensure I don't overwrite memory in Perl than it does in C++. That's a level of security right there with no actual work involved.
CGI is no more insecure than any other WSAPI. It's all about what the program does with the code. All CGI does is set environment variables and hand off to the program.
Many sites are CGI based. Many PHP sites that are located on hosting are run in CGI mode - mod_php is hard to use in a shared environment - no suid.
In general, running as CGI has lower performance, but is better for security - you have no access to webserver internals (as with mod_perl and mod_php), so using vulnerabilities is harder. If you use cgi-bin, your non-executable files are not visible (a common bug of PHP programmers is that they have libraries with an extension like .inc, so the source is shown when this file is requested directly).
Perl's taint-checking mode provides a marvelous way to increase security.
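As the answers above note, CGI only sets environment variables and hands off to the program, so in C the memory-safety burden falls on the program's own parsing. The following added example (not from the original posts; the function names `cgi_url_decode` and `cgi_get_param` and the `user` parameter are assumptions made for illustration) decodes one query parameter into a fixed buffer and rejects overlong input, malformed escapes and embedded NULs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..n) into dst (capacity cap, terminator included).
 * Returns the decoded length, or -1 on overflow, a bad escape or %00. */
int cgi_url_decode(const char *src, size_t n, char *dst, size_t cap) {
    size_t o = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '+') c = ' ';
        else if (c == '%') {
            if (n - i < 3) return -1;           /* truncated escape */
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;    /* not hex digits */
            c = hi * 16 + lo; i += 2;
        }
        if (c == 0 || o + 1 >= cap) return -1;  /* embedded NUL, or no room left */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Decode the value of `name` from a form-urlencoded query string.
 * Returns its length, -1 if malformed or too long, -2 if absent. */
int cgi_get_param(const char *query, const char *name, char *dst, size_t cap) {
    size_t nlen = strlen(name);
    for (const char *p = query; p && *p; ) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return cgi_url_decode(p + nlen + 1, len - nlen - 1, dst, cap);
        p = end ? end + 1 : NULL;
    }
    return -2;
}

int main(void) {                                /* CGI entry point */
    char user[32];
    const char *qs = getenv("QUERY_STRING");    /* set by the web server */
    int r = cgi_get_param(qs ? qs : "", "user", user, sizeof user);
    printf("Content-Type: text/plain\r\n\r\n%s\n", r < 0 ? "bad request" : "ok");
    return 0;
}
```

The decoded value is still untrusted input: the length check only protects the buffer, not whatever later consumes the string.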

Resources