
Marco Pistoia

Author
since Apr 19, 2004
Recent posts by Marco Pistoia

IBM Security Workbench Development Environment for Java (SWORD4J) is a new Eclipse-based security development and deployment suite that assists both developers and system administrators in managing and configuring application security. SWORD4J is currently available as a free download from IBM alphaWorks at http://www.alphaworks.ibm.com/tech/sword4j.

A major problem facing Java developers and system administrators is determining the set of Java 2 permissions an application, library, OSGi bundle or Eclipse plug-in will need at run time when security is enabled. This becomes particularly challenging when the program is large and complex. SWORD4J can be used to identify and configure the required permissions and to manage keystores and digital certificates.

Another advanced feature of SWORD4J is its ability to identify code locations that are candidates for becoming "privileged." Privileged code allows trusted code (for example, a library or an OSGi bundle) to access a protected resource, such as a configuration file, without requiring that the callers of the trusted code be granted the necessary permission. While privileged code is essential in systems in which authorization is based on stack inspection, identifying the trusted code locations that should be made privileged is a difficult task. SWORD4J assists developers in identifying those code locations.

Under the covers, the SWORD4J technology is based on advanced static analysis designed and developed in IBM Research. Specifically, SWORD4J can detect the security requirements of a program without executing it. This minimizes the possibility of harming the system where the program is being analyzed. SWORD4J analyzes Java bytecode, though source code is useful for validating analysis results.

I have been one of the major contributors to the SWORD4J technology. If you need to validate the security of your code or you are simply interested in trying it out, go to the alphaWorks Web site above and download SWORD4J. Let me know what you think!

Thanks,
Marco Pistoia
16 years ago
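The post above describes privileged code in a stack-inspection authorization model. The following is an added example, not code from the post, from SWORD4J or from IBM: a hypothetical trusted library (ConfigReader, assumed to ship in lib.jar) reads its own configuration file on behalf of an untrusted application (PrivilegedDemo, assumed to ship in app.jar) that is granted no permissions at all. The file path, jar names and policy file are assumptions made for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Policy file (lib.policy) assumed for this demo: only the library's code
// base may read the configuration file; application code is granted nothing.
//
//   grant codeBase "file:/opt/hypothetical-lib/lib.jar" {
//       permission java.io.FilePermission
//           "/etc/hypothetical-lib/config.properties", "read";
//   };
//
// Run with: java -Djava.security.manager -Djava.security.policy=lib.policy \
//                -cp lib.jar:app.jar PrivilegedDemo

/** Trusted library code (packaged in lib.jar in this scenario). */
final class ConfigReader {
    // Fixed path chosen by the library, never by the caller: a privileged
    // block that opened a caller-supplied path would lend the library's
    // FilePermission to every untrusted caller.
    private static final Path CONFIG =
            Paths.get("/etc/hypothetical-lib/config.properties");

    /** No privileged block: every frame on the call stack, including the
     *  untrusted application caller, must hold the FilePermission, so the
     *  access check fails with an AccessControlException. */
    static String readUnprivileged() throws IOException {
        return new String(Files.readAllBytes(CONFIG), StandardCharsets.UTF_8);
    }

    /** Privileged block: stack inspection stops at this frame, so only the
     *  library's own permissions are checked. The block is kept as small as
     *  possible and does exactly one thing with a fixed resource. */
    static String readPrivileged() throws IOException {
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<String>) () ->
                            new String(Files.readAllBytes(CONFIG), StandardCharsets.UTF_8));
        } catch (PrivilegedActionException e) {
            // The action only throws IOException, so the wrapped cause has that type.
            throw (IOException) e.getException();
        }
    }
}

/** Untrusted application code (packaged in app.jar, granted no permissions). */
public class PrivilegedDemo {
    public static void main(String[] args) throws IOException {
        try {
            ConfigReader.readUnprivileged();
            System.out.println("unprivileged read succeeded (is a security manager installed?)");
        } catch (SecurityException e) {
            // Expected under the policy above: the caller lacks FilePermission.
            System.out.println("unprivileged read denied: " + e.getMessage());
        }
        // Succeeds under the policy above even though app.jar holds no permissions.
        String config = ConfigReader.readPrivileged();
        System.out.println("privileged read returned " + config.length() + " characters");
    }
}
```

Two points the example is built around: the privileged block is the narrowest possible (one fixed resource, no caller-controlled input), because anything a caller can steer into that block is effectively executed with the library's permissions rather than the caller's; and the policy grants the permission to the library's code base only, so the library's callers stay unprivileged. The Security Manager this relies on was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so the example applies to the Java 2 security model the post describes and to JDK releases that still support it.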
Hi Mary,
One of the reviewers (ranked as one of amazon's top reviewers) wrote:
"In conclusion, this is the best book I have ever read dealing with the topic of security. This is also the best Java security book and is a very comprehensive guide to anyone working with Java. This book belongs in every developer's bookcase and he/she really needs to understand these concepts. If you are looking for a book that overwhelms you with code, this is not it. Instead this is a great tutorial book that uses Java code where appropriate but relies on great writing and explanation of the security framework and components. I highly recommend this book and I know this is going to be handy reference for me."
Additionally, I wanted to mention that this book is not only for Java developers, but for architects and researchers as well. That's why we even have a chapter that describes the mathematical details of the cryptographic algorithms, including RSA, Diffie-Hellman, and the elliptic curve. Thomas Paul, in his Amazon review, criticized the fact that we covered the elliptic curve algorithm, but again, researchers and architects may want to know what the pros and cons of each algorithm are before deciding which one should be used. People who are not interested may just skip that chapter.
Thanks again,
Marco Pistoia
17 years ago
The book does not focus primarily on the Java crypto APIs, even though Part IV of the book, "Enterprise Java and Cryptography," contains 4 chapters that cover everything you need to know if you need to use Java and crypto. The book also covers some best practices, but I am afraid not as much as you are asking. We did not consider that the main purpose of the book. Therefore, we do not always discuss how to bulletproof against bad code practices, and we do not cover SQL injection.
Marco Pistoia
17 years ago
Bas,
We do not cover Struts security explicitly, but we do cover servlet security. I hope this helps.
Marco Pistoia
17 years ago
Ayesha,
An Indian edition is not available yet. So far the book has been printed only in American English and can be purchased online (from amazon.com for example) also for other countries. As Nick said, the book was published less than two months ago, so it will take some time before it is translated into other languages. When it is translated into other languages, I can at most contribute to the Italian translation :-)
Thank you for your interest in my book.
Marco Pistoia
17 years ago
Hi everybody. I have asked the publisher when the book will be available in regular bookstores in Asia (in particular, India and Hong Kong) and the answer is:
"Hi Marco,

I know that our international folks are currently pitching
this book to all of our international subsidiaries. Yet, I have
not seen an announcement from them about having the international
licensing for this book nailed down for India and Hong Kong.

Usually, I get an announcement and then I immediately forward
each announcement to the authors. "
I will let you know more details as soon as they forward me the announcement. In the meantime, I think you can order the book from amazon.com or bn.com if you are interested.
===
Nick,
The sample chapter you have posted is not from my book. I did find that Chapter 3 from my book is available for free download at www.addison-wesley.com. Search for "Enterprise Java Security" and on the left hand side there is a link for a sample chapter. Keep in mind though that this is an introductory chapter. More details will be given later in the servlet and EJB security chapters, and in the J2SE, JAAS, JCA/JCE, JSSE, and Web Services security chapters.
Thank you,
Marco Pistoia
17 years ago
Nick,
The chapter whose link you have posted is not from my book. Looks good though.
Iyven,
In the Web Services security chapter we covered the following topics: XML, SOAP, WSDL, XML and cryptography, WS-Security, Web Services security model principles, Web Services message security, WS-Policy, WS-Trust, WS-SecureConversation, WS-Privacy, WS-Federation, WS-Authorization, application patterns, Web Services provider security, user authentication, and authorization enforcement.
Thanks,
Marco
17 years ago
You can authenticate with user ID and password. You can do this in Java. You can use the capabilities of the J2EE container so that you don't have to hard code information in the programs (this is covered in my latest book, "Enterprise Java Security," published by Addison-Wesley), but you can find other resources online too.
Regards,
Marco Pistoia
17 years ago
Yuriy,
The book covers how to design application security in great detail. We recommend the declarative approach, in which security is not hardcoded in the programs but rather configured in the external deployment descriptors and policy files.
Additionally, we explain how to set up all the components (clients, directory servers, firewalls, EJB containers, servlet containers, databases and other legacy systems, load balancers and reverse proxies) to make better use of Java security.
I hope this helps,
Marco Pistoia
17 years ago
Nick,
I forgot to mention that yes, we do cover the concept of security provider, including how to replace providers etc.
Marco
17 years ago
Hi Giselle,
The book does exactly that. It covers J2EE and J2SE security with particular focus on the server side.
Thanks for your interest,
Marco Pistoia
17 years ago
Web Services security is still evolving. Security is essential for the future of Web Services. Two of the authors, Nataraj Nagaratnam and Anthony Nadalin, are members of the core group that is designing Web Services security. We understand that without security there cannot be a future for such a technology. Therefore, we are convinced that security is already, and is going to be more and more, a key component of Web Services technology.
Thanks,
Marco
17 years ago
We cover the topics of cryptography in great depth. We dedicate a whole chapter to the theory of cryptography, even explaining the math behind the algorithms. JCA, JCE, JSSE, and JAAS are covered in great detail with tons of examples.
On Amazon we got a partially negative review (3 stars) which basically said that we did not have enough source code and that the book seemed like a white paper. However, that review was based on a very early draft of the book (Addison-Wesley hired that reviewer about a year and a half ago). Since then the book changed, almost duplicated. We were still writing at the time the review was done. I was surprised to find on Amazon the same words I read one and a half years ago. It looks like the reviewer has not read the final result, which contains 68 Java programs, some of which are 5 pages long.
Fortunately, another reviewer just gave us 5 stars and defined our book "The BEST book on Java/J2EE security," a sign that he was not influenced by an early reading.
17 years ago
Hi Nick,
The book covers those topics in great detail. Some of our reviewers told us that they will keep the cryptography chapters as a treasure (in particular, the JCA/JCE chapters, and the JSSE chapter). All these chapters have tons of sample code. Some programs are even 5 pages long. The JAAS chapter explains every detail of authentication and authorization. One of our reviewers on amazon.com said that he finally understood JAAS only after having read that chapter, even though he had worked with JAAS for two years already.
We spent a long time (nights and weekends) writing this book, so hopefully you will find it useful.
Thanks,
Marco
17 years ago
Yes, the book covers that in great detail. In particular, the end-to-end security theme is covered in at least three chapters of the book.
Thank you,
Marco Pistoia
17 years ago