Daniel Somerfield

since Jul 15, 2001

Recent posts by Daniel Somerfield

Congrats to the winners and thanks for your questions, everybody.

Originally posted by Carl Trusiak:
This week's winners are:
ravi bask
Joe Gilvary
Antti Barck
Matthew Brown

Congratulations to the Winners
Thank you Jess and Dan for your time



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Well, of course, I would suggest buying (or winning) our book.
What I would say about a career in Java Security and Cryptography is that it is a tough sell and really needs to accompany a broader topic area, particularly these days when application security has a tendency to fall by the wayside.
The first area that goes nicely with Java Security is Java development in general. I believe Java Security is a great accompanying expertise for OO design and solid Java programming skills. For this, you need solid experience in Java development and, to my mind, good knowledge of design patterns and OO techniques.
The second area is security in general. If you can specialize in PKI, network security and Java security, you have much of the knowledge and the tools for designing and implementing secure systems. For this, you would need to learn about SSL, firewalls and PKI design.
Best of luck.

Originally posted by Joshua White:
I have developed an interest in Java security/cryptography and have been trying to find a way to get started. I have found, however, that Java security for the most part is sacrificed because of a lack of development time for J2EE apps and, quite frankly, lack of knowledge.
Does anyone specialize in Java security or have any suggestions on how to get started in this field?



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Architecture is definitely considered in our book. More software architecture than network architecture, although we do touch on issues like IPSec and Firewalls in the introduction.
Some of the issues to consider when designing your system are:
- balancing security and usability. There is no point in having an unbreakable security architecture if the users are going to circumvent it. For example, a really secure password isn't worth much if it is taped to the monitor.
- weighing the cost of data against the value of protecting it. Absolute security is impossible, so the time and money you spend to protect data should be relative to how sensitive it is.
- n-tiered application design. Where are the weak points, what has to be protected and from whom? We talk about protecting the various tiers of the application and show an example banking app securing the database, the app server and the web server.
There are many other issues to consider, depending on the app, but the book gives you a good place to start.

Originally posted by ruilin yang:
Jess/Daniel
Some architecture design can solve some security problems. In order to get a good security implementation on a system, it is better to start from architecture design in combination with security considerations.
How much does your book cover/discuss the architecture design in terms of better security? I mean some security problems can be solved purely by a proper architecture design. Sometimes we have to do a trade-off between architecture design, performance considerations, and security. I would like to get some comments from you, the experts.
Thanks in advance.
Ruilin



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
We do talk about that some in appendix A. JavaMail does not support S/MIME without an add-on. There are a number of third party S/MIME providers, one which we wrote. It is a commercial product, but you can download a trial at http://www.isnetworks.com/smime. Other providers are available on page 477 of the book. Vendors include DSTC, IAIK and Phaos.

Originally posted by Amit Agrawal*:
Hello Jess/Daniel,
Does your book give any idea about securing mails I send using JavaMail? I looked at the description of the book at Amazon but couldn't locate any such thing.
Actually, I need to encrypt my mails so that only intended user can read it, any idea for the same?
Thanks,
Amit.



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Generally, if there is a reliable third party product that does the job, by all means use it. My recommendation is to use well-tested open-source code. This way lots of people have been checking the code for holes.
However, one day, you will find a situation where there isn't a product to do the job. We have run into this on a number of occasions. This is particularly common in situations where you are already writing a Java application and need to build security capabilities for it, whether that is a permissions model, encryption, single sign-on, whatever. The Java Security APIs are broad enough to cover most of these situations.
That being said, I believe it is not wise to use (or write your own) proprietary encryption algorithms. There are plenty of well-tested implementations of existing, well-tested algorithms like RSA and Blowfish out there. There is rarely a situation where you should do your own.
Good luck winning a copy.

Originally posted by Richard Smolen:
Could someone explain why or give a scenario where someone would want to code a Java security solution from scratch, rather than using a 3rd Party product like PGP? It seems less cost-effective and much more risky to code your own security.
I'm sure the book's introduction discusses this, but as I haven't won a copy yet ... ;-)



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Thank you for your kind (and silly) comments. This wasn't my favorite cover. We had a goofier one, but they didn't go for it.
Also, Jess (left) wanted to take his shirt off, but I thought the groupies would be too much.

Originally posted by Thomas Paul:
The guys on the cover of this week's give-away are not your stereotypical computer geeky looking guys. They look like they could be in the "Backstreet Boys".



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago

Originally posted by Dirk Trompetter:
Hi,
does the book cover java security on mobile phones?
thanks,
dirk


No, I am afraid not. Some of the server-side APIs we cover are perfectly valid whether you are using mobile phones or some other client, but we don't talk about phones specifically.
I should say that I don't think the processors on phones (or the Palm for that matter) are really fast enough for PKI yet. They can do symmetric encryption relatively well, but are a little pokey for asymmetric.

------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Unfortunately, Java does not provide any built-in mechanism for accessing a smart-card. However, you need to look for vendors who provide a JCE driver (or any other Java API, for that matter) with their reader.
Warning! Self-promotion product pitch follows:
One such vendor is my company, ISNetworks. We provide a JCA/JCE provider called Pinatubo which is a front-end for the Microsoft CryptoAPI. This means that you can use Pinatubo with smart-card readers that have a CryptoAPI driver, which most will. Of course, if you aren't on Windows, this isn't going to do you much good. Free download available at http://www.isnetworks.com/pinatubo.
Failing that, you are going to have to do some pretty serious JNI coding.
Thanks,
Daniel

------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Actually, that isn't really the case. Rather than thinking that extra tiers give you more places to implement security, think of each tier as a potential weak point where you NEED to implement security. Every time you go over the network, for example, you are exposing your data to attack.
EJB servers do provide you with some APIs for implementing security, such as method-level access control and JAAS. However, there really isn't anything there that you can't either write yourself, or download separately.
If you are only using Servlet/JSP, then use SSL with client authentication and some sort of security model either based on the Java Security APIs or a simpler home-brewed solution.
Assuming you use a separate database, you also have to worry about securing that connection. Our book has a couple of strategies for doing just that. Some databases have built-in encryption and authentication functionality which will save you some work. Finally, you can partition off the database with network infrastructure, preventing outside connections.
Overall, EJB isn't going to help you much with these problems. It just adds an extra tier that needs to be protected.

Originally posted by ruilin yang:
Jess and others,
If I use only JSP/Servlet as server-side programs, my system cannot be as secure as a system built with EJBs, since EJB technology gives you more chances/places to implement security protocols.
Is it correct? This means with EJB you can have a more secure system.
Thanks,
Ruilin



------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Indeed, the JSSE is the appropriate tool for the job. You can get more information at http://java.sun.com/products/jsse/. Current version is 1.02. Note that with 1.4, the JSSE will be integrated.
We have examples for using the JSSE in "Professional Java Security" including securing RMI and database connections.
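As an added illustration of the two points made in the posts above (JSSE as the tool for securing RMI connections, and SSL with client authentication as the baseline for a thin server-side model), here is a socket factory pair that puts every RMI connection over TLS and requires a client certificate. This is example code written for this page, not code from the book or from ISNetworks; it assumes the JVM is started with the standard JSSE system properties (javax.net.ssl.keyStore, javax.net.ssl.trustStore and their passwords) so the default JSSE factories know the server key and the CA that issued the client certificates.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * RMI socket factory pair that runs every RMI connection over TLS via JSSE
 * and requires the peer to present a certificate (mutual authentication).
 * Assumed environment: key and trust stores are configured through the
 * javax.net.ssl.* system properties, so the JSSE default factories are used.
 * Usage: pass one instance as both factories, e.g.
 *   UnicastRemoteObject.exportObject(impl, port, factory, factory);
 * The same factory is serialized into the stub and runs on the client, so
 * the client JVM needs the class on its classpath and its own client key.
 */
public final class MutualTlsRmiSocketFactory
        implements RMIClientSocketFactory, RMIServerSocketFactory, Serializable {

    private static final long serialVersionUID = 1L;
    private static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        s.setEnabledProtocols(PROTOCOLS);   // no legacy SSLv3 / TLS 1.0 handshakes
        return s;
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(port);
        ss.setEnabledProtocols(PROTOCOLS);
        ss.setNeedClientAuth(true);         // refuse peers without a trusted client cert
        return ss;
    }

    // RMI compares client socket factories to decide whether stubs may share a
    // connection; without equals/hashCode every stub would open its own socket.
    @Override
    public boolean equals(Object o) { return o instanceof MutualTlsRmiSocketFactory; }

    @Override
    public int hashCode() { return MutualTlsRmiSocketFactory.class.hashCode(); }
}
```

Later JDKs ship ready-made equivalents in javax.rmi.ssl (SslRMIClientSocketFactory and SslRMIServerSocketFactory, the latter taking a needClientAuth flag), which are preferable when available.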

------------------
Daniel Somerfield
Author of Professional Java Security
22 years ago
Looking forward to doing a Giveaway on our Book "Professional Java Security"

------------------
Daniel Somerfield
Author of Professional Java Security
23 years ago