Keycloak for IDM - oauth-2.0

First and foremost, this post doesn't have any intention to strike down any parties as mentioned in my question.
In fact, I'm not sure whether I should ask this question on this forum or not, but after some thoughtful consideration I decided to just post it here due to my curiosity.
Shortly speaking, I'm working on an IAM platform for one of my customers. I've prepared it using Keycloak within a day, which also covers a custom provider to connect with their legacy internal user database.
But I got a pretty shocking statement from my customer that they don't trust Keycloak since it's free and open source. They only trust commercial products, and they suggested I go with either ForgeRock or Okta.
I have my own way to answer that statement, but I would also like to hear some feedback from the experts here with regards to that matter. Thanks in advance.

Maybe the customer concern is that there is no commercial support with Keycloak. It's a very practical concern, e.g. if you are not available at some future time and all apps are broken when something strange happens after upgrading the Authorization Server.
Of course on the technical side of things, keep code portable by implementing standards based solutions, so that you can switch providers. Avoid stuff like Keycloak Adapters if they are vendor specific.
DEPLOYMENT
As a containerized solution, Keycloak's deployment model supports multi cloud and means you can run in any cloud provider.
Then again, the Platform as a Service model of some providers is often attractive - no infra to manage and the hope of high availability. With some PaaS providers the trade-off may be that there is less control over behavior.
WHAT ARE THE REAL REQUIREMENTS?
Commercial support
Guidance on app scenarios
High Availability
Ease of management
Extensibility
Portability
Different customers have different viewpoints and there is no right answer. The usual thing that software architects do is understand their audience, make recommendations, but let the customer decide - they are the boss after all.
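As an added illustration of the "standards-based, portable" advice in the answer above (this is example code written for this page, not code from the thread, from Keycloak or from any other vendor): an application that validates an ID token using only what OpenID Connect itself defines (RS256 signature, `iss`, `aud`, `exp`). Assumptions: the discovery document is a constructed sample with invented URLs; the provider's signing key pair is generated locally to stand in for the real provider; the client id `my-app` is made up; and the key set that a real app would fetch from `jwks_uri` is simply passed in as a public key. Nothing here is vendor-specific, so switching from Keycloak to another provider changes the discovery document and the key set, not the verification logic.

```ruby
require 'openssl'
require 'json'

# Constructed sample of an OIDC discovery document (invented host and paths).
# Every compliant provider publishes one at <issuer>/.well-known/openid-configuration.
DISCOVERY = JSON.parse(<<~'DOC')
  {
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/realms/demo/oauth2/token",
    "jwks_uri": "https://idp.example.test/realms/demo/oauth2/keys",
    "id_token_signing_alg_values_supported": ["RS256"]
  }
DOC

CLIENT_ID = 'my-app' # assumed client_id registered at the provider

# base64url helpers built on pack/unpack so no extra gem is needed
def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str + '=' * ((4 - str.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0') # strict decode; raises ArgumentError on junk
end

# Stand-in for the provider: signs an ID token with RS256. In production the
# provider does this; the app only ever sees the public half via jwks_uri.
def mint_id_token(private_key, claims)
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Provider-agnostic verification. Returns [true, claims] or [false, reason].
def verify_id_token(token, public_key, issuer:, audience:, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed token'] unless parts.length == 3

  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm the app expects; never let the token choose it
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256'

  signing_input = parts[0, 2].join('.')
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signing_input)
    return [false, 'bad signature']
  end

  claims = JSON.parse(b64url_decode(parts[1]))
  return [false, 'issuer mismatch'] unless claims['iss'] == issuer
  return [false, 'audience mismatch'] unless Array(claims['aud']).include?(audience)
  return [false, 'token expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now

  [true, claims]
rescue OpenSSL::PKey::PKeyError
  [false, 'bad signature']
rescue ArgumentError, JSON::ParserError
  [false, 'malformed token']
end

if __FILE__ == $PROGRAM_NAME
  provider_key = OpenSSL::PKey::RSA.new(2048) # stands in for the provider's key pair
  token = mint_id_token(provider_key,
                        'iss' => DISCOVERY['issuer'], 'aud' => CLIENT_ID,
                        'sub' => 'user-123', 'exp' => Time.now.to_i + 300)
  p verify_id_token(token, provider_key.public_key,
                    issuer: DISCOVERY['issuer'], audience: CLIENT_ID)
end
```

The only things the app takes from the provider are the `issuer` value and the signing keys; the checks themselves are the ones OIDC Core requires of every relying party, which is what keeps the code portable between providers.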

Related

Recurly vs SaaS Kit

From some reading and input from a couple of seasoned developers, it appears that I'm down to a choice between Recurly and RailsKits.com SaaS Kit. I'm hopeful to get some broader experiences from folks in the community here as to the pros and cons perhaps you've experienced.
I'd really like to be sure that I put together an apples-to-apples comparison here.
First, I'm offering a service that has two subscription levels of about $1 and $5 / month recurring. These may be paid in either monthly, yearly or every three years (get some discounts at the longer subscription levels). I obviously need to keep transactional costs as low as possible, but I need to maintain this and be sure that recurring billing is reliable and not problematic.
I'll be building this atop Rails 3.
The bag seems mixed as you get a more robust admin feature set it seems with Recurly, yet I may be able to save enough with a SaaS Kit + (for example) https://merchant-apply.com/tesly to make it worth it.
I have reviewed Chargify vs Recurly and Recurly seems to be the winner for my particular model and so that's why I've kinda eliminated many other options at this point.
If you've faced this before, what has worked for you or do you have some practical input in this regard?
I work at Recurly, so I'll try to not make this a sales pitch :)
As I noted in the comments above, PCI compliance can be tricky, time-consuming, and expensive, so please check each product and see what is required for your business. You can see documentation on Recurly's PCI compliance requirements at http://docs.recurly.com/security/pci-compliance/. SaaS Kit reduces some elements of PCI compliance by storing the payment information with the gateway, but this means you cannot easily switch payment gateways - most gateways will not allow you to take your data with you. If you choose to use Authorize.net's CIM service with SaaS Kit, this will be an additional $20/month gateway fee for the credit card storage.
I also recommend you take a look at the API docs of each product. Depending on your integration complexity with Recurly, some merchants never need to work with the API (instead using hosted checkout pages and the admin virtual console inside Recurly), but other merchants will have a more complex billing scenario that involves use of the API. The docs for each product should give you a good idea of how easy they will be to work with.
I'd be happy to answer any questions you have as you continue to look!

Security for Web Apps

I'm working on a web application and we are getting ready to launch it. Because it will hold sensitive data for users, I want this to be as secure as possible. Here is a list of what we are currently doing...
Running the app on Heroku (Ruby on Rails)
Site is encrypted with 256 SSL (with forced SSL turned on)
Cookies are encrypted and we pass the Firesheep test
Their password and everything in the database is one-way encrypted, so even if someone got access to the database it would be useless.
We do not store any keys or passwords openly in the source code but rather use Config Vars
Other than that, what else should/could we be doing? We are considering McAfee's site scan but they quoted us $2,500 a year. I'm not sure it's worth it.
Does anyone have any suggestions at all?
Make sure to read the OWASP Top 10. Also $2,500 is a rip off, Sitewatch is free. You should also consider running a Web Application Firewall like mod_security, but keep in mind this will cause problems for testing tools like McAfee or Sitewatch. You should configure mod_security to allow specific IP addresses. Or test your application before enabling the WAF.
After ruling out the usual suspects (XSS, SQL injection, mass assignment, etc), client side is where most problems come from, and this is often overlooked. I don't know what your site is about, but things like telling your users that they shouldn't follow links on emails they did not explicitly request usually delivers highest bang-for-the-buck.
Best regards,
-- J. Fernandes
I'd recommend checking out the OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
To verify your SSL configuration, you can try https://www.ssllabs.com/ssldb/index.html.
If you're curious about the sheer variety of attacks, check out Jeremiah Grossman's post titled Top Ten Web Hacking Techniques of 2010 and scroll down until you see "The Complete List".
If you want to fire off a few web app vulnerability scan tools to catch the low hanging fruit you can try:
skipfish: http://code.google.com/p/skipfish/ (free)
netsparker community: http://www.mavitunasecurity.com/communityedition/ (free)
look here for more https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/
If you're really concerned about security then adopting a secure development plan and working with someone trained in app security would obviously boost your confidence things are being done right.
Regarding development, you may like the ideas presented in Microsoft's simplified SDL:
"The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development."
"The process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren’t uniform – development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn’t compromise organizational security goals."
Also it is important to note automated vulnerability scan tools fail to identify most logical vulnerabilities so don't rely solely on automated tools. For example (taken from OWASP):
"Setting the quantity of a product on an e-commerce site as a negative number may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart."
Human intelligence is key to spot logical issues.
Security is also all about maintenance. Assigning someone or a team the responsibility to astutely play continuous defense is important.
Note: Encrypting the passwords doesn't imply infallible security. Dictionary/password lists/brute force attacks work all the time to reveal weak passwords. A very common attack is to use SQL injection to dump the user table (with password hashes) then use a password cracker to discover legitimate user/password pairs.
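The negative-quantity flaw quoted from OWASP in the answer above is a logic bug that no scanner will flag, so here it is in code (an added example for this page, not code from the thread or from OWASP). The catalogue prices, the `MAX_QTY` limit and the order shapes are constructed for the example. The unchecked version does what the quote describes; the hardened version applies the "stronger data validation" it recommends, accepting only a positive whole number within a business limit and rejecting the whole order on the first bad line item.

```ruby
# Constructed catalogue: unit prices in cents (assumed values for this example)
PRICES = { 'widget' => 1_000, 'gadget' => 2_500 }.freeze
MAX_QTY = 99 # assumed per-line business limit

# The flaw OWASP describes: the server trusts whatever quantity the client sent.
# "-3".to_i is -3, so a negative line item turns into a credit on the order.
def order_total_unchecked(items)
  items.sum { |sku, raw_qty| PRICES.fetch(sku) * raw_qty.to_i }
end

# Accept only a plain positive integer string within the limit.
# Rejects "-3", "0", "3.0", "3e2", " 3", "3abc", non-strings, and anything over MAX_QTY.
def validate_quantity(raw)
  unless raw.is_a?(String) && raw.match?(/\A[1-9][0-9]*\z/)
    return [:error, 'quantity must be a positive whole number']
  end
  qty = Integer(raw, 10)
  return [:error, "quantity may not exceed #{MAX_QTY}"] if qty > MAX_QTY
  [:ok, qty]
end

# Hardened total: every line item is validated server-side, and the first
# problem rejects the order instead of silently "fixing" the value.
def order_total_checked(items)
  total = 0
  items.each do |sku, raw_qty|
    return [:error, "#{sku}: unknown product"] unless PRICES.key?(sku)
    status, value = validate_quantity(raw_qty)
    return [:error, "#{sku}: #{value}"] if status == :error
    total += PRICES[sku] * value
  end
  [:ok, total]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed submission: a normal line plus a negative quantity
  cart = [['widget', '2'], ['gadget', '-3']]
  p order_total_unchecked(cart) # negative total: the shop would owe the buyer
  p order_total_checked(cart)   # rejected with a reason
end
```

Keeping the validation in one function that returns a reason, rather than coercing with `to_i`, also means the rejected input can be logged, which is how you notice someone probing the cart.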
You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist, including most of the OWASP Top 10 items.
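The note earlier in this thread that hashed passwords are still crackable once the table is dumped is the reason stored passwords need a per-user salt, a deliberately slow derivation and a weak-password check. The following is an added example for this page (not code from the thread, from Rails or from the Zen Rails checklist) using only Ruby's standard OpenSSL binding: PBKDF2-HMAC-SHA256 with a random salt and an iteration count stored alongside the hash, constant-time comparison on verify, and a tiny constructed blocklist standing in for a real breached-password list. The record format, the iteration count and the minimum length are assumptions chosen for the example.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 600_000 # assumed work factor; tune so one hash takes ~100 ms on your servers
KEY_LENGTH = 32
DIGEST = 'SHA256'

# Produces an opaque record "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>".
# Storing the parameters with the hash lets the work factor be raised later
# without invalidating existing records.
def hash_password(password, iterations: ITERATIONS, salt: SecureRandom.random_bytes(16))
  derived = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH, OpenSSL::Digest.new(DIGEST))
  "pbkdf2-sha256$#{iterations}$#{salt.unpack1('H*')}$#{derived.unpack1('H*')}"
end

# Byte-wise comparison whose running time does not depend on where the inputs differ
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, record)
  scheme, iterations, salt_hex, hash_hex = record.split('$', 4)
  return false unless scheme == 'pbkdf2-sha256' && iterations && salt_hex && hash_hex
  salt = [salt_hex].pack('H*')
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, KEY_LENGTH, OpenSSL::Digest.new(DIGEST))
  constant_time_equal?(candidate, [hash_hex].pack('H*'))
end

# Constructed blocklist; a real deployment would check against a breached-password list
WEAK_PASSWORDS = %w[password 123456 qwerty letmein].freeze
MIN_LENGTH = 12 # assumed policy

# Reject the passwords a dictionary attack tries first, before they are ever hashed
def acceptable_password?(password)
  password.length >= MIN_LENGTH && !WEAK_PASSWORDS.include?(password.downcase)
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password('correct horse battery staple') # constructed example password
  puts record
  p verify_password('correct horse battery staple', record) # true
  p verify_password('letmein', record)                      # false
  p acceptable_password?('letmein')                          # false
end
```

Two records for the same password differ because each carries its own salt, so an attacker who dumps the table cannot crack all users at once with one precomputed list; the iteration count is what makes each guess expensive.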

Cloud-aware programming and help choosing a good framework

How can I write a cloud-aware application, e.g. an application that takes benefit of being deployed on the cloud? Is it the same as an application that runs on a VPS/dedicated server? If not, then what are the differences? Are there any design changes? What are the procedures that I need to take if I am to migrate an application to be cloud-aware?
Also I am about to implement a web application idea which would need features like security, performance, caching, and more importantly free. I have been comparing some frameworks and found that Django has the least RAM/CPU usage and works great in prefork+threaded mode, but I have also read that Django based sites stop responding under a huge load of connections. Other frameworks that I have seen/know are Zend, CakePHP, Lithium/Cake3, CodeIgniter, Symfony, Ruby on Rails....
So I would leave this to your opinion as well, suggest me a good free framework based on my needs.
Finally thanks for reading the essay ;)
I feel a matrix moment coming on... "what is the cloud? The cloud is all around us, a prison for your program..." (what? the FAQ said bring your sense of humour...)
Ok so seriously, what is the cloud? It depends on the implementation but usual features include scalable computing resource and a charge per cpu-hour, storage area etc. So yes, it is a bit like developing on your VPS/a normal server.
As I understand it, Google App Engine allows you to consume as much as you want. The back-end resource management is done by Google and billed to you and you pay for what you use. I believe there's even a free threshold.
Amazon EC2 exposes an API that actually allows you to add virtual machine instances (someone correct me please if I'm wrong) having pre-configured them, deploy another instance of your web app, talk between private IP ranges if you wish (slicehost definitely allow this). As such, EC2 can allow you to act like a giant load balancer on the front-end passing work off to a whole number of VMs on the back end, or expose all that publicly, take your pick. I'm not sure on the exact detail because I didn't build the system but that's how I understand it.
I have a feeling (but I know least about Azure) that on Azure, resource management is done automatically, for you, by Microsoft, based on what your app uses.
So, in summary, the cloud is different things depending on which particular cloud you choose. EC2 seems to expose an API for managing resource, GAE and Azure appear to be environments which grow and shrink in the background based on your use.
Note: I am aware there are certain constraints developing in GAE, particularly with Java. In a minute, I'll edit in another thread where someone made an excellent comment on one of my posts to this effect.
Edit as promised, see this thread: Cloud Agnostic Architecture?
As for a choice of framework, it really doesn't matter as far as I'm concerned. If you are planning on deploying to one of these platforms you might want to check framework/language availability. I personally have just started Django and love it, having learnt python a while ago, so, in my totally unbiased opinion, use Django. Other developers will probably recommend other things, based on their preferences. What do you know? What are you most comfortable with? What do you like the most? I'd go with that. I chose Django purely because I'm not such a big fan of PHP, I like Python and I was comfortable with the framework when I initially played around with it.
Edit: So how do you write cloud-aware code? You design your software in such a way it fits on one of these architectures. Again, see the cloud-agnostic thread for some really good discussion on ways of doing this. For example, you might talk to some services on GAE which scale. That they are on GAE (example) doesn't really matter, you use loose coupling ideas. In essence, this is just a step up from the web service idea.
Also, another feature of the cloud I forgot to mention is the idea of CDNs being provided for you - some cloud implementations might move your data around the globe to make it more efficient to serve, or just because that's where they've got space. If that's an issue, don't use the cloud.
I cannot answer your question - I'm not experienced in such projects - but I can tell you one thing... both CakePHP and CodeIgniter are designed for PHP4 - in other words: for really old technology. And it seems nothing is going to change in their case. Symfony (especially the 2.0 version which is still in heavy beta) is worth considering, but as I said at the very beginning - I cannot support this with my own experience.
For designing applications for deployment to the cloud, the main thing to consider is recoverability. If your server is terminated, you may lose all of your data. If you're deploying on Amazon, I'd recommend putting all data that you need persisted onto an Elastic Block Storage (EBS) device. This would be data like user generated content/files, the database files and logs. I also use the EBS snapshot on a 5 day rotation so that's backed up itself. That said, I've had a cloud server up on AWS for over a year without any issues.
As for frameworks, I'm giving Grails a try at the minute and I'm quite enjoying it. Built to be syntactically similar to Rails but runs on the JVM. It means you can take advantage of all the Java goodness, like threading, concurrency and all the great libraries out there to build your web application.

Protecting IP from Overseas Contractor Theft

The nature of our business often has 2-3 remote developers working on a single project (mostly Rails), and each one currently has carte blanche access to source so they can checkout, run, and develop locally.
The problem is any one of them could ship the whole base out the back door. Overseas legal action seems futile.
I'm guessing the best way would be separation of duty type of strategy where a contractor only gets specific portions of code - but how can they run and test the full project?
I'm looking for advice, strategies, or even software solutions to mitigate this risk.
Thanks a ton.
You should really allow only trusted people to handle your family jewels. I can't think of any stronger sign of trust a software company can show than to give someone complete access to their source.
That being said, a few ideas come to mind.
If they're consultants, you should see if you can get some kind of business agreement with an entity in the remote country that can take care of local legal hassles for you. US companies with offices in India do this all the time.
Perhaps you can give access to non-important pieces of the software to the untrusted parties and have them work only on that? The unit testing can be done by them on the pieces but the integ. tests that require the entire system have to be done by you.
It might also be possible for them to use the 'important' parts of the code as a service from a server you provide rather than as modules locally. Admittedly, this requires some reengineering but it might be worth it.
The bottom line is what Stephen said. Low priced off-shore contractors come with certain liabilities. If you're not willing to accept that, you'll have to change your mode of working.
I don't think there's much you can do about it. Either take the risk, or don't use off-shore contractors.
But I'd balance this with an honest assessment of how valuable your code is to you and to a supposedly dishonest contractor. If it is really valuable, then you should be able to afford to take legal action to protect it ... even in a difficult legal environment.
Well, if you don't trust your developers enough to let them work with your code, then don't hire them.
I don't see any way you can meaningfully limit their access to code without seriously impacting their productivity. Even if you could compile some of the code, it's very useful to have access to the full source to understand problems and bugs.
At any rate, you may be overestimating the threat: Most kinds of piracy would be possible even with the binary, and without the infrastructure and customers your company provides, the stolen code is probably not worth much.

Paid support for web-frameworks

This may sound strange but sometimes when your ASP.NET webapp isn't working and you can't tell why, you call Microsoft, pay them something like $300 and get about 1-3 weeks of 1-3 people looking at your configuration, memory dumps, sometimes code... but usually not the db, and with a fairly good percentage they help you fix your mistakes, without necessarily up-selling you.
I found that Novell would like to offer that for Mono. Everyone knows MySQL offers it for their clients, because it was part of the reason they got a truck of money to swing by one day to change the name-plate on the door.
I'm curious if anyone has found people for the support of these, and how they'd rate their experience:
Django
Rails
Grails
JRuby
Mono [ratings]
add your own.
I haven't ever looked for paid support for these open source technologies, but in general I would guess until there is significant market penetration there won't be a business case for 'dial in support' of an app built by a third party.
In general, you'll be looking for a niche technology expert consultant that will probably charge you an hourly rate to look at your problem.
For django - look at djangogigs.com, or post on rentacoder.com I suppose.
Each usually has an irc channel - you could also ask general questions there, or try to find someone for hire.
That niche is typically handled by 2 groups I believe:
1. Software component developers. I get a lot of my presentation layer support from DevExpress since I use their widgets for my GUIs for instance. In fact, typically I don't use a technology in an official capacity unless I have identified a dependable support channel.
The issue you raise with Microsoft is handled by abstracting your problem before reporting it. That's a common law with most commercial support channels: when an issue involves 2 vendors, they will blame each other! Your job is to first isolate the issue before or during reporting.
It's hard, I know, but that's why you get paid the big bucks :-)
2. Bring in an outside consultant that should be able to study your system and do what we described in part 1 (above).