The voice of The Apache Software Foundation

Shawn McKinney, ApacheCon North America 2017, and Java Security

March 27, 2017

At ApacheCon Miami, Shawn McKinney will give a talk on the anatomy of web application security.

In this interview, he talks about what he’ll be presenting, and who should attend.

Register today for ApacheCon, and save $200 on your admission cost.

ApacheCon Seville 2016 – Implementing Security in Apache Geode Using Apache Shiro – Jinmei Liao

February 10, 2017

Implementing Security in Apache Geode Using Apache Shiro – Jinmei Liao

Apache Geode (incubating) is a distributed in-memory data grid built for high-throughput, low-latency applications. Data stored in a Geode cluster can be accessed by Geode clients (which talk to the server over TCP) and over a REST API. One can also manage the Geode cluster over JMX and the REST API.

Although you could secure the transport using SSL, role-based access control existed only for clients over TCP. In the latest release of Apache Geode, we now have role-based access control for all Geode APIs, and we used Apache Shiro for our implementation. In this talk we will provide details on how this was accomplished and present our "lessons learned".

More about this session

ApacheCon Seville 2016 – How to Secure Apache Spark? – Neelesh Srinivas Salian

February 10, 2017

How to Secure Apache Spark? – Neelesh Srinivas Salian

Security has been a crucial component of the Big Data ecosystem. The need to protect data from exploits and vulnerabilities is evident in the strong push for cybersecurity and secure clusters across businesses and industries alike. Spark itself has been a major analytic backbone of that infrastructure. Similar to the evolution of the security infrastructure on Hadoop, we see Spark growing as well. How does one ensure security with Spark without much hassle? This talk focuses on the steps that need to be taken to set up Spark securely and discusses the potential issues on Spark Core, Streaming and other components that would follow. The speaker has been helping large enterprise customers set up their infrastructure and ensure it maintains a secure environment.

More about this session

ApacheCon Seville 2016 – Secure by Default Web Application with Apache Sling – Robert Munteanu

February 10, 2017

Secure by Default Web Application with Apache Sling – Robert Munteanu

A product that works is not done, as there are many facets to consider – availability, scalability, security. Of those, security is probably the most expensive to get wrong.

By analysing a simple web application built on top of Apache Sling and its threat model, we will review the main attack vectors and how they can be mitigated. You will see what the general approaches are and also how Apache Sling allows you to eliminate entire classes of vulnerabilities by using secure-by-default components. Although we will use Apache Sling for examples, previous knowledge of Sling or its components is not required.

More about this session

Apache Big Data Seville 2016 – Attacking a Big Data Developer – Olaf Flebbe

January 23, 2017

Attacking a Big Data Developer – Olaf Flebbe

Developers are a possible attack vector for targeted attacks to infiltrate malicious code into enterprises.

The speaker did a network traffic analysis with the Bro Network Security Monitor (bro.org) backed by an ELK Stack while compiling Apache Bigtop, a Big Data distribution containing Apache Hadoop, Spark, HBase, Hive, Flink et al.

While there are no obvious traces of malicious code within the traffic, there are many findings of possible attack vectors such as insecurely configured critical software infrastructure servers, usage of private repositories, or insecure protocols.

The analysis showed that many compile jobs download and run executables from untrusted sources. The author will briefly explain how these weaknesses can be exploited and will give recommendations on how to resolve these issues.

More information about this talk
