Hi Godwin,

I think only devops, who have access to a production environment, can do such an intrusion, and we trust devops. Because if we don't trust them we can do nothing. If someone else accidentally tries this, I think Java security could prevent it, assuming that the bundle is not signed. If it is signed, it's also not up to us, I guess, since devops credentials are not in our hands. What I have seen in bigger companies is that they change devops credentials from time to time, so they are secured. If they are not doing that, it's their problem.

Thanks & Regards
Danushka Fernando
Software Engineer
WSO2 inc. http://wso2.com/
Mobile : +94716332729

On Sat, Feb 14, 2015 at 9:52 PM, Harsha Thirimanna <[email protected]> wrote:

> Hi Imesh,
>
> Yes, as you said, it is not avoidable if it is going to the dropping.
> But my question is, do we need to address this, because it is like
> an attack done by someone who himself has access to the system.
>
> *Harsha Thirimanna*
> Senior Software Engineer; WSO2, Inc.; http://wso2.com
> email: [email protected] cell: +94 71 5186770, +94 774617784
> twitter: http://twitter.com/harshathirimann
> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>
> *Lean . Enterprise . Middleware*
>
> On Sat, Feb 14, 2015 at 8:57 PM, Imesh Gunaratne <[email protected]> wrote:
>
>> A good point Godwin! If an intruder gets admin access to a host that runs
>> a mission critical server, he/she could anyway damage the system very badly.
>>
>> However I think you have a point. We use secure wallet to encrypt all the
>> system passwords to avoid even an admin user getting access to the server.
>> But still it seems like he/she can interact with the system by dropping a new
>> bundle.
>>
>> On Fri, Feb 13, 2015 at 9:39 PM, Godwin Amila Shrimal <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Since most of the hacking/fraud happens internally, this topic
>>> just came to my mind. Our carbon products don't have OSGI level security.
>>> As an example, if someone internally in the company knows OSGI, then they can
>>> write an OSGI bundle which harms the system and deploy it simply. Shouldn't
>>> we consider this?
>>> (Apologies if I am asking a question which is not valid)
>>>
>>> Thanks
>>> Godwin
>>>
>>> --
>>> *Godwin Amila Shrimal*
>>> Senior Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> mobile: *+94772264165*
>>> linkedin: http://lnkd.in/KUum6D
>>> twitter: https://twitter.com/godwinamila
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>> --
>> *Imesh Gunaratne*
>> Technical Lead
>> WSO2 Inc: http://wso2.com
>> T: +94 11 214 5345 M: +94 77 374 2057
>> W: http://imesh.gunaratne.org
>> Lean . Enterprise . Middleware
