5:42 p.m.
Not sure if anyone can share their experiences what kind of test cases on
Drools security should be developed and ensured?
As the rule is just a piece of codes in String format which can be hooked
into JVM, we can assume that might open some holes and necessary security
test cases need to be designed against.
Anyone can share their experiences on this?
Thanks...
--
View this message in context:
http://drools.46999.n3.nabble.com/Security-test-cases-for-Drools-tp349407...
Sent from the Drools: User forum mailing list archive at Nabble.com.
5:52 p.m.
Against external attacks, Drools supports knowledge base signing and
checking using standard asymmetric keys infrastructure. Regarding the web
application, I will let one of the guvnor guys to talk about. Against
internal attacks, i.e., someone deliberately adding a malicious rule into
the application, the only way is through company policies and processes
that ensure a workflow for rule approval. Drools offers audit logs
(runtime) and standard versioning history (in guvnor, authoring time) to
track changes.
Edson
On Wed, Nov 9, 2011 at 11:42 AM, kapokfly <ivan.jiang.ww(a)foxmail.com> wrote:
Not sure if anyone can share their experiences what kind of test
cases on
Drools security should be developed and ensured?
As the rule is just a piece of codes in String format which can be hooked
into JVM, we can assume that might open some holes and necessary security
test cases need to be designed against.
Anyone can share their experiences on this?
Thanks...
--
View this message in context:
http://drools.46999.n3.nabble.com/Security-test-cases-for-Drools-tp349407...
Sent from the Drools: User forum mailing list archive at Nabble.com.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
--
Edson Tirelli
JBoss Drools Core Development
JBoss by Red Hat @ www.jboss.com
6:10 p.m.
Thanks Edson.
We are developing a web based UI (if possible embed guvnor into our
application) and open the ability to customers to define their own rules, so
a company policy on this won't work.
Will evaluate other concern points and have more discussions on this.
Ivan
--
View this message in context:
http://drools.46999.n3.nabble.com/Security-test-cases-for-Drools-tp349407...
Sent from the Drools: User forum mailing list archive at Nabble.com.
9:48 a.m.
If you are allowing customers to define their own rules then you are effectively allowing
them to execute any arbitrary java statements.
You either need to have someone review and check all their rules before they are applied,
restrict what they can do to the UI to such a level you are sure they can't compromise
it (perhaps DSL might work?), sanatize there input to a whitelist of statements (probably
no eval and very limited in what they can put in the then part, or you could go the whole
hog and setup a java security sandbox and classloaders to place limits on what operations
they can do - though even then you need to design it carefully so they can't modify
any of your application state.
Thomas
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-
bounces(a)lists.jboss.org] On Behalf Of kapokfly
Sent: 09 November 2011 17:10
To: rules-users(a)lists.jboss.org
Subject: Re: [rules-users] Security test cases for Drools
Thanks Edson.
We are developing a web based UI (if possible embed guvnor into our
application) and open the ability to customers to define their own rules, so a
company policy on this won't work.
Will evaluate other concern points and have more discussions on this.
Ivan
--
View this message in context: http://drools.46999.n3.nabble.com/Security-
test-cases-for-Drools-tp3494072p3494170.html
Sent from the Drools: User forum mailing list archive at Nabble.com.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
**************************************************************************************
This message is confidential and intended only for the addressee. If you have received
this message in error, please immediately notify the postmaster(a)nds.com and delete it from
your system as well as any copies. The content of e-mails as well as traffic data may be
monitored by NDS for employment and security purposes. To protect the environment please
do not print this e-mail unless necessary.
NDS Limited. Registered Office: One London Road, Staines, Middlesex, TW18 4EX, United
Kingdom. A company registered in England and Wales. Registered no. 3080780. VAT no. GB 603
8808 40-00
**************************************************************************************
10:13 a.m.
Thanks Thomas.
We are in the middle to design both the strategy to secure ourselves and the
test cases need to be covered, do you have some kind of references available
for us otherwise we will work out our version.
-----
Ivan, your Panda, forever
--
View this message in context:
http://drools.46999.n3.nabble.com/Security-test-cases-for-Drools-tp349407...
Sent from the Drools: User forum mailing list archive at Nabble.com.
4827
days inactive
4828
days old
4 comments
3 participants
participants (3)
-
Edson Tirelli -
kapokfly -
Swindells, Thomas