Hi All,

Thanks for all the responses. I'll explain a scenario via an example. If we take a system like online banking, we are using symmetric/asymmetric encryption, HSM, smart cards etc. to enhance the security. They are not even saving the hashed password in the database. If an intruder deploys an OSGi bundle which gets all the login information, can we reverse it? Do we have to rely on DevOps or administrators for that kind of damage? Maybe I am wrong, but I still think the security should be there; we should have the right protection so that even DevOps or admin users cannot do such damage.
Thanks
Godwin

On Sun, Feb 15, 2015 at 6:55 AM, Danushka Fernando <[email protected]> wrote:

> Hi Godwin
>
> I think only DevOps have access to a production environment and could do
> such an intrusion, and we trust DevOps, because if we don't trust them we
> can do nothing. If someone else accidentally tries this I think Java
> security could prevent it, assuming that the bundle is not signed. If it is
> signed also, it's not up to us I guess, since DevOps credentials are not in
> our hands. What I have seen in bigger companies is they change DevOps
> credentials from time to time, so they are secured. If they are not doing
> that it's their problem.
>
> Thanks & Regards
> Danushka Fernando
> Software Engineer
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
> On Sat, Feb 14, 2015 at 9:52 PM, Harsha Thirimanna <[email protected]> wrote:
>
>> Hi Imesh,
>>
>> Yes, as you said, it is not avoidable if it is going to the dropping.
>> But my question is, do we need to address this, because it is like
>> someone who has access to the system attacking himself.
>>
>> Harsha Thirimanna
>> Senior Software Engineer; WSO2, Inc.; http://wso2.com
>> email: [email protected] cell: +94 71 5186770, +94 774617784
>> twitter: http://twitter.com/harshathirimann
>> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>
>> Lean . Enterprise . Middleware
>>
>> On Sat, Feb 14, 2015 at 8:57 PM, Imesh Gunaratne <[email protected]> wrote:
>>
>>> A good point Godwin! If an intruder gets admin access to a host that runs
>>> a mission critical server, he/she could anyway damage the system very badly.
>>>
>>> However I think you have a point. We use secure wallet to encrypt all
>>> the system passwords to avoid even an admin user getting access to the
>>> server. But still it seems like he/she can interact with the system by
>>> dropping a new bundle.
>>>
>>> On Fri, Feb 13, 2015 at 9:39 PM, Godwin Amila Shrimal <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Since most of the hacking/fraud happens internally, this topic just
>>>> came to my mind. Our Carbon products don't have OSGi level security.
>>>> As an example, if someone internally in the company knows OSGi then
>>>> they can write an OSGi bundle which harms the system and deploy it
>>>> simply. Shouldn't we consider this? (Apologies if I am asking a
>>>> question which is not valid)
>>>>
>>>> Thanks
>>>> Godwin
>>>>
>>>> --
>>>> Godwin Amila Shrimal
>>>> Senior Software Engineer
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> mobile: +94772264165
>>>> linkedin: http://lnkd.in/KUum6D
>>>> twitter: https://twitter.com/godwinamila
>>>
>>> --
>>> Imesh Gunaratne
>>> Technical Lead
>>> WSO2 Inc: http://wso2.com
>>> T: +94 11 214 5345 M: +94 77 374 2057
>>> W: http://imesh.gunaratne.org
>>> Lean . Enterprise . Middleware

--
Godwin Amila Shrimal
Senior Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165
linkedin: http://lnkd.in/KUum6D
twitter: https://twitter.com/godwinamila
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
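Danushka's point that Java security could stop an unsigned bundle, and Imesh's note that a dropped-in bundle is the remaining gap, both point at the same defensive control: a deployment gate that refuses a bundle which carries no signature block, whose manifest digests no longer match its entries, or whose hash is not on the release allowlist. The script below is an added example for this thread, not code from WSO2 Carbon or from any participant. The bundle JARs, symbolic names (`org.example.auth`, `org.example.hook`) and the allowlist are constructed in memory, and `META-INF/DEMO.RSA` is a placeholder rather than a real CMS signature, so verifying the signer's certificate chain is assumed to be done separately with `jarsigner -verify` or by the framework.

```python
"""Deployment gate for OSGi bundle JARs (added example, constructed data)."""
import base64
import hashlib
import io
import zipfile


def _sha256_b64(data: bytes) -> str:
    """Base64 SHA-256 in the form MANIFEST.MF digest attributes use."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_bundle(symbolic_name: str, entries: dict, signed: bool) -> bytes:
    """Construct a minimal bundle JAR in memory (demo data, not a real build).

    MANIFEST.MF gets a per-entry SHA-256-Digest as jarsigner writes it. When
    signed=True, META-INF/DEMO.SF and DEMO.RSA are added; the .RSA block is a
    placeholder, not a real CMS signature (assumption made for this demo).
    """
    manifest = ["Manifest-Version: 1.0",
                f"Bundle-SymbolicName: {symbolic_name}", ""]
    for name, data in entries.items():
        manifest += [f"Name: {name}", f"SHA-256-Digest: {_sha256_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest) + "\r\n")
        if signed:
            zf.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/DEMO.RSA", b"<placeholder signature block>")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def replace_entry(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Rewrite one entry without touching the manifest (simulates tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            payload = data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, payload)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: declared SHA-256-Digest} from a MANIFEST.MF.

    Simplification: the 72-byte continuation lines of real manifests are
    not joined, which is fine for the short names used here.
    """
    digests, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current:
            digests[current] = line[len("SHA-256-Digest: "):]
        elif line == "":
            current = None  # blank line ends the per-entry section
    return digests


def audit_bundle(jar_bytes: bytes, allowlist: set) -> dict:
    """Gate one bundle: signature block present, digests match, hash allowlisted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        declared = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        sig_blocks = [n for n in names if n.startswith("META-INF/")
                      and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_blocks:
            findings.append("unsigned: no META-INF signature block")
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories carry no digest
            if name not in declared:
                findings.append(f"undeclared entry: {name}")
            elif _sha256_b64(zf.read(name)) != declared[name]:
                findings.append(f"digest mismatch: {name}")
    jar_hash = hashlib.sha256(jar_bytes).hexdigest()
    if jar_hash not in allowlist:
        findings.append("not on the release allowlist")
    return {"sha256": jar_hash, "signature_blocks": sig_blocks,
            "findings": findings, "deployable": not findings}


def demo() -> dict:
    """Run the gate over three constructed bundles: released, dropped-in, tampered."""
    released = build_bundle("org.example.auth",
                            {"org/example/Activator.class": b"\xca\xfe\xba\xbe ok"},
                            signed=True)
    allowlist = {hashlib.sha256(released).hexdigest()}  # constructed release list
    dropin = build_bundle("org.example.hook",
                          {"org/example/Hook.class": b"\xca\xfe\xba\xbe hook"},
                          signed=False)
    tampered = replace_entry(released, "org/example/Activator.class",
                             b"\xca\xfe\xba\xbe patched")
    return {"released": audit_bundle(released, allowlist),
            "dropin": audit_bundle(dropin, allowlist),
            "tampered": audit_bundle(tampered, allowlist)}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, "deployable" if verdict["deployable"] else verdict["findings"])
```

Run as a pre-deploy hook or a periodic sweep over the dropins directory, the three checks separate the cases the thread raises: a bundle with no signature block is what Java security would reject, a signed bundle whose class bytes no longer match the manifest digests has been altered after signing, and a correctly signed bundle that is simply not in the release allowlist is the case where an operator with deploy rights is acting outside the release process, which no amount of on-host cryptography catches but an allowlist kept outside the host does.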
