Security | FirstPartners

Security in your Software-as-a-Service (SAAS) Application

Posted on October 12, 2008 by paulbrowne

‘Credit Crunch’ might be the favourite buzzword of the moment, but ‘Security’ and ‘Software as a Service’ are not very far behind. Ok, they’re a long way behind ‘will I lose my house’ or ‘will I have a job tomorrow’, but you get the idea. So I’m proud to associated by this article by Max and Chicco, even in a very minor way (as a reviewer).

Here’s the 2 minute overview of Securing a multi-tenant SAAS Appliction, just published on IBM Developerworks.

Software as a Service (SAAS) has a great pitch – let us host your software for you, cheaper and less hassle than managing it yourself.
Most SAAS companies host multiple clients on one server = New security concerns.
LDAP (Similar to Windows Directory) is a standard already in wide use for Authentication (making sure people who they say they are).
Spring Security (aka Acegi) is a well used Authorisation toolkit – i.e. make sure those people only do things they are allowed to do.
The article shows you how to bring SAAS , LDAP and Spring Security together to get secure, scalable , hosted applications using the very best in widely understood technologies.

Of course, I’m not going to spill the beans on how exactly they do it; for that you’re going to have to hotfoot it over to the IBM Developerworks website.

Agile Projects Using the Spring Framework – Training

Posted on April 29, 2008 by paulbrowne

Lots of things going on behind the scenes at FirstPartners. One of which is the Spring Framework training course that we’re giving on Wed 30th May in Bewley’s Hotel, Ballsbridge, Dublin. Interested in going? – you can book here (via Trigraph). Can’t make it? We’ll probably do a follow up.

What are you missing? Apart from the crash test dummies (below), there’s loads of lego blocks, Swiss mountains, trains crashing through walls and a Kangaroo. (Spring, Geddit?). You might even learn something about Java along the way.

Agile Projects using the Spring Framework
Executive Briefing
Delivery: Public or In-house
Course Length: 0.5 days. Optional mentoring / follow up session if required by Client
Course Approach: Lecture, discussions
Level: Beginner / Intermediate

Dummies

Course Description:

Spring, with good reason, is the most actively used framework in the Enterprise Java world today. The half- day briefing shows the problems that Spring can solve for your projects, core Spring concepts such as Inversion of Control and integration with existing Enterprise Java technologies for database access, messaging and web deployment. The briefing also shows how to use Spring to make your projects more agile, improving quality and reducing deployment time.

Course Objectives:

Following completion of this course, students will be able to:
Understand why Enterprise Java is the mostly widely used corporate technology, and how Spring both simplifies and improves this technology.
Understand core Spring concepts such as Inversion of Control (IOC), configuration , deployment and testing.
Describe how to integrate Spring with Enterprise Technologies such as Databases, Messaging and Web 2 frameworks.
Understand how Spring can make your projects more agile and the benefits it brings to your organization
Map out a plan of how to introduce the Spring framework to existing systems.

Course Syllabus:

Section 1: The Problems That Spring Solves

Introduction
Who are you? Who are we?
What is Spring?
What is (Enterprise) Java?
The problems with Enterprise Java
Why Enterprise Java is costing you money.
The Deployment Scale
Java Classes and Objects
Just enough XML to get by
Core Spring – Inversion of Control pattern
Spring Configuration and my First Spring App
Deployment via Web, Enterprise Java and Command line
Spring on other platforms (.Net , Ruby and Groovy)
Alternatives to Spring
Spring and Java 5 – easier development
Starting out – just a little Spring in your Step.

Section 2: Core Spring and Enterprise Spring Integration

Spring Web Framework (MVC)
Spring Web with Struts , JSF , XSLT , Tiles and GWT (Google Web Toolkit)
Spring and Ajax in Web 2 Applications.
Spring Webflow
Spring and Databases (Hibernate and JDBC)
Spring and Messaging (MQ and JMS)
Spring Remoting and Web Services
Aspect Orientated Programming (AOP)
Transactions in Spring
Appfuse – ready to roll Spring projects with Maven
Administration of your Application using Spring and JMX
Scheduling using Spring and Quartz
Spring and Acegi Security

Section 3: Practical Spring – make your project more Agile

The problems with IT Projects
What is Agile
Spectrum of Agility
How Spring makes your project more agile (and your customer happy)
Key Agile Practices
Unit Testing with Spring
Integration Testing
Mock Objects
Spring IDE
Spring and Business Rules
Spring and Workflow
Alternative Spring configuration.
Extending Spring to meet you (obscure) needs.
What’s new in Spring 2.5 (and coming up for Spring 3)

Audience:

Managers and Project Managers wishing to understand the benefits of adding Spring to their projects.
Software developers needing an introduction to Java and the Spring Framework and integration with key Enterprise technologies.
Support, Database , Web Designers and other IT professionals needing to interface with Spring and Enterprise Java systems.
.Net developers wishing to understand the concepts behind the Spring.Net framework.

Related Courses:
Enterprise Java (Trigraph) and Agile Project Management (Trigraph)

Prerequisites:
Some high level exposure to the Java, .Net or other Object Orientated language would be beneficial but
not necessary.

Google Spreadsheets Mean the end of Java

Posted on January 18, 2007 by paulbrowne

Or to be more accurate ‘Google Spreadsheets mean the end of Java as we know it’.

Think about this. Who pays your wages Mr Java-Developer-who-has-just-had-a-couple-of-years-at-the-top-of-the-pile? Clients, or if you’re in a larger organisation , the business folks (i.e.’internal’ clients). Do you think any of them care about Java? Do any of them know what Java is? All they want is to get things done, quickly , and with as few mistakes as possible.

These business people would be happy to run their organisations on Spreadsheets. Do you remember the cartoon where Dilbert convinced the pointy haired boss that he could fly the plane using Excel? There’s more than a element of truth to this. I know of at least one US Fortune 100 company that (until recently) conducted most of it’s operations on little more than Microsoft Office and duct-tape. It worked, not very well, but it worked.

Until now , the next line would be ‘Excel (or any other type of Spreadsheet) is not secure / scalable / sharable / not web friendly’. That was until Google launched their Docs and Speadsheets. It’s an online version of Office with some spreadsheet functionality. Play with it a bit and you’ll see that there’s plenty missing. But this being Google , I’m willing to put good money on

(a) new features rolled out (think steamroller) and
(b) These Spreadsheets being massivly scalable / secure / sharable.

This being Google, there is also an API (developer page here). It’s got massive holes in it (e.g. you can’t yet use it to create a new spreadsheet). But when Microsoft bring out their version of online spreadsheets (and they will) not only will they clone the Google API (to get market share), they’ll need to go one further and introduce new features / remove the usage restrictions in order to compete.

So, secure, scalable, sharble online spreadsheets are here to stay. So lets take a look at Mr. (or Ms.) Pointy haired boss thinking about their new project:

Hmm, I think we need to be able to gather which health plans our employees are enrolled in.
OK, I’ll throw together a spreadsheet to show people what I want
Before I’ll give to our friendly Java developer and let him ‘do’ a website from it.
Soon I’ll just share this on Google.
Great , Loads of people are now using it, I’ll just the (Ruby / PHP / Insert other language here) guy to add one or two extra features.
Most Excellent. Why don’t we spin this off as a Web 2 company and sell it to EBay??

There you have it, Massively scalable , Highly secure websites (see Google Authentication API), without needing to know anything about EJB, JMX , JBoss, JDBC or any of the hard won knowledge that us Enterprise Java Developers have built up over the last 7-8 years. I’m exaggerating, but not much.

What do you think? Is Enterprise Java dead, or is Web 2 just another boost and a slightly different way of doing things for us Java people?

Other Java Posts from Technology in Plain English

Some other notes:

Java is read once , run almost anywhere. The ‘Almost’ is because (for various technical reasons) the difficulty in getting reasonably priced web hosting. Have your tried getting some recently – impossible to find , or at least impossible to find at the prices PHP and Ruby guys can get theirs?
Tim O’Reilly with was right with the notion of Web 2.0 and the network as a computer. We’ve also written about the notion of online software being at a tipping point.

This article was originally published on the O’Reilly books OnJava Website.

Upgrade your PDF reader (don't say we didn't warn you).

Posted on January 4, 2007 by paulbrowne

News is just out that this is a major security hole in Acrobat reader (what you normally use to open PDF Files). Most people are currently using version 7 or earlier (the version affected). Upgrading to version 8 appears to solve the problem.

Brian Honan has more details with a full writeup at Symantec.

And if you ever need to guess a password …

Posted on December 17, 2006 by paulbrowne

… try these , as suggested by the Health Tech Blog.

Brian Honan's Security Watch Blog

Posted on November 27, 2006 by paulbrowne

If you already subscribe to Brian’s monthly Security Newsletter, you’ll already know how good / critical the information Brian has.

[Link to BHConsulting.ie]

Now , Brian Honan has started blogging and the content is well worth checking out. Brian is a Dublin based Enterprise Security Consultant whose writing will make you suitably paranoid.

Enterprise Java Presentation at DCU

Posted on October 30, 2006 by paulbrowne

On Wednesday, I’m presenting on the topic of Enterprise Java at DCU (Dublin City University) , in conjunction with Trigraph.

I’ll blog later about bits and pieces of the slides (for commercial reasons I can’t publish the full set here), but the overview is below.

Description:

Success or failure in your business depends on dealing with information faster and better than your competitors. This briefing shows you how Enterprise Java tools can do this and how to apply them to your organisation. Crucially, the briefing shows you when not to use Enterprise Java and details the alternative approaches.The briefing will give delegates an overview of the Java Web development environment, how to architect and distribute multi-tier applications and how to link these components with existing sources of information using Enterprise Application Integration (EAI). Most business have substantial investments in existing and legacy IT systems and the briefing will show how to integrate these with techniques such as JMS Messaging/ MQ Series, SOAP / XML or using the Java Connector Architecture (JCA).

As well as examining the main Java Application Server vendors (including Sun , IBM , Oracle , BEA and JBoss) the briefing will detail the technology stack that they offer. This stack includes Web presentation frameworks and SOA – Service Orientated Architecture at the Front end. In the middle (Business) layer this covers the capture of Business knowledge using Business Rule Engines and workflow (BPEL). At the back (Service) layer, this includes database integration using JDBC, and the Enterprise Service Bus (ESB).

What Problem are we trying to solve?Where Java Fits in Enterprise Computing.
Enterprise Application Integration (EAI).
A Componentised & Connected Enterprise.
Enterprise Java Architecture Overview.
Enterprise Java Platform Roles.
Benefits to the Enterprise.
Alternatives (.Net , PHP , Oracle , Lightweight Java Frameworks , scripting)
Scripting Languages and Enterprise Java (Ruby, Python, Groovy)
Vendors (IBM, Oracle, Sun , Bea , JBoss and SAP)
Vendor Specific Solutions (e.g. Oracle Fusion / ADF , IBM MQ )
Market Trends – Resource availability (can we get the people to do this?)

Foundation Technologies & Techniques.

Enterprise Web 2.0 and Service Orientated Aritecture (SOA).
Integrating with other Systems ( Legacy Systems, Oracle etc)
Enterprise Java Beans 3
Middleware (MOM, Rule Engines, Workflow)
Java on the (Enterprise) Desktop
Web Services / Enterprise Service Bus
Best practices (Code standards, Build standards, Version Control / Iterative Development / Junit)
UI Layer: HTML, Servlets, JSP, XML/XSLT.
XML’s Role in the Enterprise.
Application Tier: EJB, JNDI, JDBC, JDO.
Integration Technologies.
Java Connector Architecture- JCA
RMI, CORBA/IIOP, SOAP.
Security – Application and Server Level
Java Access & Authorization Service (JAAS).
Object-Orientation & UML.
Design Patterns.
Frameworks (Struts , JSF, ADF, DWR, Spring, Hibernate)
.Net interoperability

Enterprise Java Application Architectures.

Overview of Enterprise Application Servers.
Commercial Application Servers.
Distributed Application Models with Enterprise Java.
Enterprise Java Application Server Basics.
How to Choose a Enterprise Java Application Server.
Enterprise Java Application Architecture.
Building a Enterprise Java Application.
Deploying the Application.

Enterprise Java & Your Business.

Planning for Migration.
First Steps.
The Implementation Plan.
Organisational Challenges.
What’s next for Enterprise Java?

Close.

Security Seminar in Dublin on 7th September 2006

Posted on August 17, 2006 by paulbrowne

Brian Honan of BH Consulting passed on news of a Security Seminar in the Burlington Hotel Dublin on the 7th September 2006. If you’re interested in attending , contact Brian directly. The seminar is part of Global Security Week, (http://www.globalsecurityweek.com). The seminar is free and open to all who wish to attend.

This year, the theme for Global Security Week is IDENTITY THEFT and as part of this years event a free seminar on Combating Identity Theft will be held on Thursday the 7ths of September at 2:00 p.m. in the Burlington hotel. The purpose of the seminar is to make individuals and companies aware of the threats posed by Identity Theft and how to protect yourself and your company from becoming a victim of this fast growing crime. The US Treasury Department in a recent report says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004. A recent report published in the Unitised Kingdom shows that companies in the UK have lost over STGÂ£50 million as a result of company identity theft in 2005 alone.

Highlighting the dangers posed by Identity Theft and how individuals and companies can best prevent becoming victims of this crime will be speakers from the following organisations:

The Garda Bureau of Fraud Investigation

ENISA (the European Network and Information Security Agency)

The Companies Registration Office

The agenda for the day is ;

14:00 – 14:15 Introduction
14:15 – 15:15 Identity Theft in the Real World – Garda Bureau of Fraud Investigation Protecting your online identity – Garda Computer Crime Unit
15:15 – 15:30 Coffee
15:30 – 16:00 Identity theft – ENISA (the European Network and Information Security Agency)
16:00 – 16:30 Protecting your Company’s identity including demonstration of CORE – Companies Registration Office
16:30 – 16:50 Panel Discussion – How Best to Combat Identity Theft – Panel will include speakers from the day
16:50 – 17:00 Close
The seminar will be hosted in the Burlington Hotel on Thursday the 7th of September from 2:00 p.m. Registration is open to anyone concerned with Identity Theft and places can be booked by simply replying to this email or contacting us on 01 4404065

ABOUT GLOBAL SECURITY WEEK

Global Security Week is a global security awareness initiative in the week leading up to September 11th every year. The idea is simply to coordinate and encourage a wide variety of security-related awareness activities worldwide in that week, taking advantage of the obvious focus on security by the world’s media.

The theme for this year’s Global Security Week is identity theft. During the week, September 4th to 10th 2006, a number of events, workshops and awareness raising activities will take place worldwide to educate, inform and better prepare people to tackle the growing problem of identity theft.

Global Security Week is a public awareness initiative, not a commercial or political venture. We are not trying to obtain funding, de-rail other security awareness activities, nor focus on any particular aspect of security (such as terrorism, information security or physical security). Global Security Week is deliberately designed to be a broadly-scoped event but with a long-term aim to become the main focus for security awareness activities in years to come.

Against a backdrop of global terrorism and organised crime, security in general (and information security in particular) has become a vitally-important sociological and business issue. Commercial and governmental organisations are investing heavily in technical security controls but the security problems caused by people remain largely unaddressed.

Whilst responsible businesses and individuals employ a wide range of security measures, the global Internet community suffers as a result of those irresponsible businesses and home users who remain largely unaware of security. Hackers and spammers frequently take control of insecure Internet-connected systems, for example, to use as platforms for their attacks. Raising the general level of security awareness is the only feasible means of addressing this issue.

For more information about Global Security Week please visit www.globalsecurityweek.com

If you're interested in System Security , and you're about in Dublin …

Posted on April 23, 2006 by paulbrowne

If you’re interested in Security , and you’re about in Dublin next Wednesday (April 26th), you could do worse than check this one out:

Extract from the full meeting agenda:

The major questions we will attempt to cover in the discussion are –

What makes the security profession distinct?
Is it a particular
security certification/qualification/experience or is it less tangible?
What are the entry criteria for a security professional, the milestones
and the potential career directions?
Is there a formalised security career path?
How can an employer tell the
difference between a professional in the field and a (for want of a
better word) spoofer?
Is the career path supported by credible and useful industry efforts and
academia?
Who are the main professional organisations and institutions?

I haven’t (yet) been to one of the ISSA events , anybody that does go along please let me know if it is good , bad , or indifferent. I’m off to the Enterprise Ireland Web 2.0 event at the Helix DCU instead.

Google scrambles to plug Gmail hole

Posted on March 7, 2006 by paulbrowne

More information here on ‘Google scrambles to plug Gmail hole’

Two things to take from this:

Even Google Makes mistakes when it comes to Security
Hosted Applications can be patched and rolled out much faster than traditional ones. Can you imagine a problem with your version of Microsoft Office being fixed ‘about three hours later’?