Phil (aka MP3Monster)'s Blog

~ from Technology to Music

Tag Archives: Linux Foundation

Oracle API CS vs OCI API approach to securing gateway configuration

02 Tuesday Jun 2020

Posted by mp3monster in API Platform CS, APIs & microservices, General, Technology

Tags

API, Cloud Native, IaaS, Linux Foundation, OCI, Oracle, Owasp, PaaS, SaaS, Security, Terraform

A couple of years ago I got to discuss some of the design ideas behind API Platform Cloud Service. One of the points we discussed was that API Platform CS kept the configuration of APIs entirely within the platform, which meant some version management tasks couldn't be applied as they would be to any other code. We have since solved that problem (you can see the various tools for this here: API Platform CS tools). The argument made at the time was that your API policies are pretty important: if they get into the public domain then people can better understand how to go about attacking your APIs, and possibly infer more.

Move on a couple of years, and Oracle's 2nd generation cloud (OCI) is established and maturing rapidly, and organisational changes within Oracle mean PaaS was aligned either to SaaS (Oracle Integration Cloud and Visual Builder CS, for example) or to the more cloud native IaaS. The gateway, which had a strong foot in both camps, eventually became aligned to IaaS (note that this doesn't mean the latest evolution of the API platform (Oracle Infrastructure API) will lose its cloud agnostic capabilities, as this is one of the unique values of the solution, but over time the underpinnings can be expected to evolve).

Any service that has elements of infrastructure associated with it has been mandated to use Terraform as the foundation for definition and configuration. The Terraform mandate is a good thing: we get consistency across products with something that is becoming a de facto standard. However, adopting the Terraform approach does mean all of our API configurations are held outside the product, which raises the security risk, as the policy configuration is no longer hidden away; conversely, configuration management becomes a lot easier.

This has had me wondering for a long time: with the use of Terraform, how do we mitigate the risks that API CS's approach was trying to address? Ultimately, though, it comes down to the fundamental question of security vs standardisation.

Mitigations

Any security expert will tell you the best security is layered, so that if one layer is found to be vulnerable, then as long as the next layer is different you're not immediately compromised.

What this tells us is that we should look for ways to mitigate, or to create additional layers of security to protect, the API configuration. These principles probably need to extend to all Terraform files; after all, they describe the security of not just the OCI API, but also the WAF, the networks that are public and how they connect to private subnets (this isn't an issue unique to Oracle; it's equally true for AWS and Azure). Some mitigation actions worth considering:

  • Consider using a repository that can't be accidentally exposed to the internet; security misconfiguration is in the OWASP Top 10, so let's avoid the mistake if possible. If this isn't an option, then consider how to mitigate, for example ...
    • Strong restrictions on who can set or change visibility/access to the repo
    • Configure a simple regular check that looks to see if your repos have been accidentally made publicly visible. The more frequent the check, the smaller the potential exposure window
  • Make sure the Terraform configurations don't contain any hard coded credentials; tools exist to scan for this kind of error, so use them.
  • Think about access control to the repository. It is well known that a lot of security breaches start within an organisation.
  • Terraform supports the ability to segment configuration into modules and inject values through variables. Using this allows you to reuse configuration pieces, but it can also be used to minimize the impact of a breach, as no single file has to hold everything.
  • Of course the odds are you're going to integrate the Terraform into a CI/CD pipeline at some stage, so make sure the credentials the pipeline uses to reach the Terraform repo are also secure, otherwise you've undone your previous security steps.
  • Minimize breach windows by rotating credentials, tokens and certificates. If you use Let's Encrypt (the automated certificate issuing solution supported by the Linux Foundation) then 90 day certificates aren't anything new.
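
As an added illustration (this is not code from the original post, nor an Oracle or Terraform tool), the following Python script shows the kind of check the hard coded credentials bullet calls for, and runs it over two constructed Terraform fragments: an OCI provider block carrying inline credentials, and the same block reworked to take its values through variables, as the modules/variables bullet suggests. The OCIDs, fingerprint, key material and password in the samples are made up, and the rules are regex heuristics rather than a full HCL parser.

```python
"""
Scan Terraform (.tf) text for credential material that should never be in a
repository: PEM private keys, string literals assigned to password/secret/
token-style attributes, and secret-carrying variables not flagged sensitive.
Regex heuristics, not an HCL parser; enough for a pre-commit or CI gate.
"""
import re
from typing import List, Tuple

# (line number, rule id, what was matched)
Finding = Tuple[int, str, str]

# Attribute names whose value should be a reference (var.x, data.x), never a literal.
SECRET_WORDS = r"password|secret|token|private_key|api_key|access_key"
SENSITIVE_ATTR = re.compile(
    rf'^\s*(?P<name>[A-Za-z0-9_]*(?:{SECRET_WORDS})[A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SECRET_NAME = re.compile(SECRET_WORDS, re.IGNORECASE)
# variable "name" { ... } with no nested blocks inside (sufficient for this check)
VARIABLE_BLOCK = re.compile(r'variable\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}', re.DOTALL)
SENSITIVE_FLAG = re.compile(r"sensitive\s*=\s*true")


def scan_terraform(text: str) -> List[Finding]:
    """Return every suspicious line; an empty list means the text passed."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_BLOCK.search(line):
            findings.append((lineno, "pem-private-key", line.strip()[:40]))
            continue
        m = SENSITIVE_ATTR.match(line)
        if m and m.group("value"):
            findings.append((lineno, "hard-coded-credential", m.group("name")))
    for m in VARIABLE_BLOCK.finditer(text):
        if SECRET_NAME.search(m.group("name")) and not SENSITIVE_FLAG.search(m.group("body")):
            lineno = text.count("\n", 0, m.start()) + 1
            findings.append((lineno, "variable-not-sensitive", m.group("name")))
    return findings


# Constructed sample: the weak pattern, secrets inline in the provider block.
WEAK_TF = '''
provider "oci" {
  tenancy_ocid = "ocid1.tenancy.oc1..aaaaexampletenancy"
  user_ocid    = "ocid1.user.oc1..aaaaexampleuser"
  fingerprint  = "12:34:56:78:9a:bc:de:f0:12:34:56:78:9a:bc:de:f0"
  private_key  = "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEAexample\\n-----END RSA PRIVATE KEY-----"
  region       = "uk-london-1"
}

locals {
  backend_password = "Sup3rSecret!"
}

variable "db_token" {
  type = string
}
'''

# Constructed sample: the hardened pattern; values arrive via TF_VAR_* or a
# secrets store at pipeline time and never sit in the repository.
HARDENED_TF = '''
provider "oci" {
  tenancy_ocid = var.tenancy_ocid
  user_ocid    = var.user_ocid
  fingerprint  = var.fingerprint
  private_key  = var.private_key
  region       = var.region
}

variable "private_key" {
  type      = string
  sensitive = true
}

variable "db_token" {
  type      = string
  sensitive = true
}
'''

if __name__ == "__main__":
    for label, tf in (("weak", WEAK_TF), ("hardened", HARDENED_TF)):
        print(f"{label}: {scan_terraform(tf) or 'clean'}")
```

Two caveats a practitioner would want alongside this. First, `sensitive = true` only redacts the value in plan and apply output; the Terraform state file still holds it in plaintext, so the state backend needs the same access controls as the repository. Second, a script like this is a floor, not a ceiling: purpose-built scanners such as gitleaks, trufflehog, tfsec and checkov cover far more patterns and are better run in CI than this.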

Paranoid?

This may sound a touch paranoid, but as the joke goes….

Just because I’m paranoid, it doesn’t mean they’re not out to get me

Fundamental Security vs Standardisation?

As it happens, standardisation is actually a dimension of security (this article illustrates the point, and you can find many more). The premise is: which can be assured as the more secure environment, one that is consistent through the use of standards (de facto or formal), or one that is non standard and hard to understand?


Helidon and the embracing of micro services

24 Wednesday Oct 2018

Posted by mp3monster in development, General, Helidon, Oracle, Technology

Tags

Apache, development, Eclipse, EE4J, EE8, Glassfish, Helidon, J2EE, Linus' Law, Linux Foundation, Micronaut, MicroProfile, microservice, WebLogic, WLS

Oracle have announced another Open Source project called Helidon (Helidon.io), a microservices platform built on top of Netty (which is built around a contemporary async model). If you look at the literature you'll note two flavours. One, called SE, aligns to the programming characteristics of Node.js, i.e. asynchronous. The other, MP, aligns to the rapidly evolving MicroProfile specification, which essentially follows a coding style along the lines of Java EE annotations.

Whilst it is perfectly possible to run Helidon based solutions in either profile natively, it is clearly geared up for running in Docker+Kubernetes style environments such as Oracle Container Engine for Kubernetes (OKE) or even ACCS. The Helidon website provides the means to quickly package your solution into Docker.

In both SE and MP forms the dependencies are hugely stripped back compared to the giants of WebLogic and GlassFish (now EE4J, with the handover of Java EE to the Eclipse Foundation).

It does raise a number of questions about the futures of WebLogic and Oracle's support of EE4J (some answers here, but nothing Oracle specific). WebLogic has never been the fastest to align to the latest Java EE standards (the EE8 standard released last year should become available sometime this year for WLS, see here), but today it is so central to many Oracle products that it isn't going to disappear; will it just end up slowly ebbing away? Which would be a shame; I have heard it said by Oracle insiders that if the removal of one component could be sorted out then WebLogic could easily be configured to have a small, lightweight footprint.

The other interesting thing is what is happening to Open Source and what it might mean for the future. Up until perhaps 3 or 4 years ago, when you thought of open source you would think of software made available by one of a small group of key sponsoring organisations such as Apache, the Linux Foundation and Eclipse, which through their governance frameworks provided levels of equality and process. As a result, levels of quality and trust were crucially married to strong levels of use and contribution, which meant that, to extrapolate Linus' Law, bugs could be weeded out quickly and easily. However, with the advent of services like GitHub, whilst it has become easier to contribute and fulfil Linus' Law, it has also become very easy to offer a solution that is Open Source but doesn't necessarily garner the benefits of Linus' Law and the other preconceptions we often have about Open Source, such as that it is (or can be) as good as a commercial solution. After all, throwing code into GitHub does not guarantee many eyes or contributors. Nor does it assure the governance, checks and balances that an Apache project, for example, will assure.

It is important to say that I am not against GitHub; in fact, I am very much pro, and use GitHub myself to host utilities I make freely available (here). The important point is we have to be more aware of what open source actually means in each context, and can't assume it is likely to have a strong community driving things forward, critically dealing with bugs, and ensuring quality assurance processes are realized.

Helidon joins a number of other offerings in this space such as Micronaut (also built on Netty). Micronaut takes a different approach to Helidon by adopting a strong inversion of control/injection approach, and in some respects feels a bit like the earlier versions of JBoss Application Server (now known as WildFly), which had a small footprint and made good use of Spring. This is in addition to Spark and Javalin. There is a good illustration of the different servers from Dmitry Kornilov (who also happens to be the Lead Engineer for Helidon) shown below, and the associated article can be seen here.

(Figure: Helidon landscape diagram by Dmitry Kornilov)

Unlike Spark, Micronaut and a couple of others, Helidon only supports Java today rather than other JVM languages such as Kotlin and Groovy, but it is the only solution that can cover both the MicroProfile and framework domains. It also has a challenge in terms of getting established: Spark has been around since 2015 and Javalin appeared in May 2017. The MicroProfile standard is also driving a lot of forward progress, so getting established will continue to get harder. Liberty, another MicroProfile solution, is based on IBM WebSphere, and Thorntail has links to WildFly (more here). We hope that it will make good headway; a reactive engine in the form of Netty and keeping IoC and introspection out of the core should mean it will be very quick (particularly during startup), but it needs to show its value differentiation and, importantly, build a strong community contributing to it.

We hopefully will get the chance to further experiment with Helidon and write more about it here.

I work for Oracle, all opinions here are my own & do not necessarily reflect the views of Oracle