Continuous Delivery for Legacy/Heritage Systems – LondonCD meetup June 2017

This is part 3 of a 4-part series of articles based on discussions at the LondonCD meetup group on 12 June 2017. The other posts are linked at the end of this article.

Applying the principles and practices of Continuous Delivery for new software is fairly straightforward (at least, until you deal with data and databases). However, existing “legacy” systems that were built without many automated tests and without much concern for repeatable deployments of discrete functionality pose a challenge for moving to Continuous Delivery.



Continuous Security in Continuous Delivery – LondonCD meetup June 2017

This is part 1 of a 4-part series of articles based on discussions at the LondonCD meetup group on 12 June 2017. The other posts are linked at the end of this article.

How do we continuously address security concerns with modern software development? That was one of the questions we discussed and tried to answer at LondonCD meetup group on 12 June 2017. “The yearly PEN test is dead!”, said one person, meaning that reliance on an infrequent, specialist test to address all security problems is simply not good enough any more.



Speed up Web Applications with SSL Offloading

Web sites and web applications are increasingly using secure connections (HTTPS) for all traffic, not just obviously sensitive data, as a way to guard against security threats. However, HTTPS requires encryption/decryption of data, which is computationally intensive. Web applications can therefore benefit from “offloading” the encryption/decryption processing required for HTTPS to specialised hardware devices.


Verified by Visa Confirmed Dangerous

New research from the University of Cambridge supports the view that Verified by Visa is deeply flawed and unsafe. I first came across this mess of an implementation a while back, and the situation has only become worse since then:

the scheme has become a target for phishing, partly because inconsistent authentication methods can leave customers confused.

It’s time to insist that Visa, MasterCard and other payment gateway providers take some responsibility for this, and stop pushing risk onto the customer.

How to encrypt passwords in the Tomcat server.xml file

By default, Tomcat stores passwords in server.xml in clear text, which can lead to obvious security lapses.

The easiest way to mitigate user account compromise is to use a password digest (SHA, MD2 or MD5 are supported).

With $CATALINA_HOME/lib/catalina.jar and $CATALINA_HOME/bin/tomcat-juli.jar on your class path, just use the following to generate the digested passwords:

java org.apache.catalina.realm.RealmBase \
   -a {algorithm} {cleartext-password}

The digest technique works by digesting the incoming clear text password (as entered by the user) and comparing the result to the stored digested password. If the two digests match, the password entered by the user must be correct, and the authenticate() method of the Realm succeeds.
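As an added illustration (not code from the original post or from Tomcat), the following Python mirrors the digest-and-compare check described above. It assumes Tomcat's legacy digest format of an unsalted, lowercase hex digest of the UTF-8 password, with "SHA" meaning SHA-1; MD2 is not in Python's hashlib and is omitted.

```python
import hashlib
import hmac

# Assumption: Tomcat's legacy RealmBase digest is the unsalted, lowercase hex
# encoding of the raw digest of the UTF-8 password. "SHA" in Tomcat's
# algorithm list means SHA-1. MD2 is unavailable in hashlib and left out.
ALGORITHMS = {"SHA": "sha1", "MD5": "md5"}


def digest_password(algorithm: str, cleartext: str) -> str:
    """Return the hex digest that would be stored instead of the clear text."""
    try:
        name = ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError(f"unsupported digest algorithm: {algorithm}") from None
    return hashlib.new(name, cleartext.encode("utf-8")).hexdigest()


def authenticate(algorithm: str, stored_digest: str, entered_password: str) -> bool:
    """Mirror of the Realm check: digest what the user typed, compare to the stored value."""
    candidate = digest_password(algorithm, entered_password)
    # Constant-time comparison so response timing reveals nothing about the stored digest.
    return hmac.compare_digest(candidate.lower(), stored_digest.lower())


# Constructed sample: the digest that would be stored for the password "s3cret".
STORED = digest_password("SHA", "s3cret")

if __name__ == "__main__":
    print(STORED)
    print(authenticate("SHA", STORED, "s3cret"))   # correct password
    print(authenticate("SHA", STORED, "S3cret"))   # wrong case, rejected
```

Unsalted MD5/SHA-1 digests are cheap to brute-force offline if the file leaks, so treat this as an improvement over clear text rather than as strong password storage.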