From YouTube: OpenShift Commons Briefing #54: DevSecOps: Security Injection with SecurePaaS on OpenShift
Description
DevSecOps: Security Injection with SecurePaaS on OpenShift with Shadow-Soft's Derrick Sutherland
In this Briefing, Derrick Sutherland of Shadow-Soft will address cyber security concerns in a DevOps world and demonstrate how using SecurePaaS on OpenShift automatically and without developer intervention, introspects, federates, and injects identity, authentication, authorization, & auditing (IAAA) into an application’s source code, uniquely protecting IT assets. Learn more at http://securepaas.com/
Diane: Well, hello, everybody, and welcome again to another OpenShift Commons briefing, one week after the OpenShift Commons gathering in Seattle, so we're glad you've all joined back and are ready for another one. Today we're going to talk about DevSecOps. It's another acronym, but hey: security injection with SecurePaaS on OpenShift, with Shadow-Soft's Derrick Sutherland, who's going to talk about some cyber security concerns and how to address those in the DevOps world we all live in now, and demonstrate how using SecurePaaS, the Shadow-Soft offering, can help on OpenShift. So without too much further ado, I'm going to let you introduce yourself over there, Derrick, and if you have questions, post them into the chat. We'll try and answer them online, and then once Derrick is done with his presentation and demo, we'll open it up for Q&A. So thank you all for joining us again, and Derrick, take it away.
Derrick: Thank you, Diane. Hi guys, my name is Derrick Sutherland. I am an engineer and solution architect here at Shadow-Soft. I have helped lead and co-develop, in a lot of ways, SecurePaaS from kind of the ground up. What we're going to be talking about today is the idea of incorporating automated security into a DevOps lifecycle.
We have offices currently in Atlanta, Georgia, and Reston, Virginia, and we service a lot of the Southeast, but we also do work across the entire US, and we're starting to do some work in Canada as well. Our work has led us to have multiple accolades, from partner of the year, Catalyst partner of the year, and middleware partner of the year from Red Hat's perspective. We've been Puppet's public sector partner of the year.

We were a Docker Foundation partner, we've been commercial and public sector partner of the year for Red Hat, so we've won a couple of accolades from doing different things. Our company really specializes in different tools that exist throughout the entire software development lifecycle: you know, cloud infrastructure, cybersecurity, big data.

We try and focus a lot on automation and helping our customers get to market faster, cheaper, more lean, trying to help them adopt better practices within their organization, learning how to take advantage of a lot of new technologies that are out there, and, you know, for all intents and purposes, where we really found our bread and butter was trying to help customers see the value in open source products. For a long time, when the company was first founded, it was founded on the idea of really evangelizing open source, since at the time, at least, open source really wasn't talked about from an enterprise perspective all that much.

Obviously, now, in the last couple of years, that has drastically changed, and we find that's for the better. It's helped drive down the cost to do business, and it's helped us, you know, help our customers do things better and drive down the cost of products to, you know, different customers of theirs.
Over the years, we've transitioned from things like punch cards to, you know, the adoption and eventually the creation of virtualization of hardware, and even when we started to get a little bit faster back in the 90s, we were still being held up a lot in our processing, from the inception of how do we acquire hardware, to setting it up, to getting operating systems patched and installed manually, to creating user accounts. It was a really tedious and long process, and for some organizations it still is. Virtualization helped that a little bit, but it really just made it so we had to get hardware less often; we still had to handle a lot of the hardware aspect ourselves.

DevOps, and really automation tools, from infrastructure as a service to configuration management, has led us to environments where we can streamline the process of how quickly we can get a teammate or a customer up and running inside of their environment. It's a very few short steps, rather than having to go through the process of building out all these individual things each time we want to do this, so DevOps has really helped us lean in that direction.

Across the board, automation tools have really led to the development and creation, as well as adoption, of different product categories. I'm sure a lot of you guys are familiar with Ansible, with, you know, Azure, with AWS, with Docker, Jenkins, tools like that. We have tools that are kind of existing in different areas, and in a lot of ways DevOps is starting to lead to these different competitors and companies forming together to start branching across these categories.

Traditional configuration management tools are now also trying to do things like CI/CD, and they're trying to get involved in test automation, and we at Shadow-Soft, and, you know, a lot of DevOps practices, are really about bringing all these tools together to make them as clean and efficient as humanly possible. The one area that really hasn't been talked about all that much, and it's really just starting to be talked about, though, is cybersecurity. How does the practice of DevOps affect our security footprint?
How does it affect how we integrate our tools and how we should be mitigating risk inside of our environment? Does it create more risk or create less risk? How can we best optimize ourselves? So the problem space has really started to grow from a cyber security perspective. We've obviously seen how the news has been broadcasting this, from cyberattacks against major companies such as Sony, Home Depot, and the like.

Different types of attack vectors, from internal threat to outsider threat, from web applications to databases, and it's really because, as we're working towards the idea of automating and simplification of our development processes, we feel that, in part, that's taking us a little bit away from best practices around cyber security. It's making us sometimes try and get something out the door really, really fast, without necessarily doing all the testing and remediation that we really need to accomplish before releasing a product at times. So what does that mean?

So today, if you're an organization and you're implementing DevOps practices, you know, you're spending a lot more time coding and less time deploying and trying to get your code running, obviously. But if you're taking security in mind, you might still be spending between, you know, 25 and 35 percent of your time just on cyber security. Most organizations, you know, they can't slow down that much, so they're skipping over this problem, which is leading their customers, obviously, to be vulnerable, and themselves.

So what is SecurePaaS? SecurePaaS is not to be confused with a platform as a service. We are a security platform acting as a service. What we provide is a security framework that offers management capabilities, automatically injected authentication, authorization, and auditing controls for microservice-based systems. Now, cyber security covers a whole slew of things.
Obviously, there's not really one category, but we feel this is a big category that needs to be tackled in the near term. As we've kind of seen cyber threats grow, we're seeing more and more people attack web applications and web services. Why? Because you can put up all the firewalls you want in the world, you can put up intrusion detection systems, but at the end of the day, your web applications are going to face the internet, and they're going to be a direct link between an attacker and your customers' data.

So we're really about trying to figure out what new, unique ways we can automate the injection of cyber security controls into our web applications in a DevOps lifecycle. How do we do that? Well, for those of you who may be familiar with APM tools like New Relic or AppDynamics, things like this: we've built an auto-injection agent, specifically one that's enabled for Java at this point. We're looking to conquer .NET as well as other languages in the near-term future.

We are already very far down the .NET pipeline, and hopefully we'll be releasing something in the next coming months, but our agent attaches to a JVM at runtime. It auto-detects any apps or services that might get deployed, as well as clients and client libraries, and when it sees those things getting deployed, it modifies the code at runtime, meaning we don't need access to the source code of the bits. We can access, you know, the bytecode when it's being deployed inside of a JVM and make the changes as necessary.

What this allows us to do is it allows us to make changes to your applications and services in seconds rather than, you know, weeks or months, and having to go through deep integration processes. This application agent talks up to our master server, which has a single sign-on portal and an audit collection system. It has a server info collector to give us information about what apps and services are deployed, so we can write policies appropriately.
It has a globally shared access control point, a management dashboard, and then a user store that's based on LDAP, so you can talk to Active Directory, OpenLDAP, your own LDAP store outside of that, or you can just use the one that's pre-provided in the system. Now, in regards to OpenShift: OpenShift lets you take leverage of a lot of these capabilities. You're getting speed to market a lot faster, obviously, with the caveat of the adoption of something as a platform as a service.

Where SecurePaaS lies in places is that we can actually deliver ourselves as a Docker container inside of OpenShift and then be able to quickly patch your different applications that are getting deployed inside of your environment, quickly and easily. So what this gives you is about, you know, a massive inclination of how quickly can we get yourself to market? How quickly can we start operating with a security lifecycle management inside of your DevOps or your platform-as-a-service type environment?

It gives you that seamless single pane of glass that allows you to monitor all of your apps deployed inside of OpenShift. With that, this is easily installable. As I said, we can be deployed inside of OpenShift. That's typically the easiest way to do it, but if you're not an OpenShift customer today and you're considering OpenShift, we also have pre-built Docker containers, and also this is leverageable via configuration management for deploying the agents as well.

You guys can go to our website at securepaas.com, click on Test Drive, enter Test Drive, and as long as you sign up with an account with us, which is free, you can do that at any time. You can spin up an instance of SecurePaaS to try out for a few hours. It has a technical guide that goes along with it, and so you can try this at home and see how you like it.

If you have any questions, you can feel free to email me, and if you have any questions for the environment, I will gladly answer them after we start, you know, getting a little bit into the details of the demo, so you guys can see how it works and maybe pose any questions that might, you know, lead your curiosity. So with that, I'm going to start with the demonstration. I've already spun up a Test Drive instance. So this is a lot of what you guys would be looking at if you use our Test Drive specifically. Let me just grab the URLs and passwords and things. Okay.
Okay, so first we're going to be looking at our administrative console. Right now it's deployed in AWS. When you log into any application or any web service, or the management console itself, inside of SecurePaaS, you'll be prompted with this login screen. This can be configured rather easily. It's just some HTML and CSS you can change on your own. So I'm going to log in with my username and password that's auto-generated with my environment.

This is going to bring us to our management console screen, and our management console screen allows us to be able to control users and roles that are built into LDAP. You can view audit records for who's done what inside of the environment, and you can really quickly and easily start integrating different application servers into the environment as well. To do that, you'd go to System Integration, and you're going to type in the name of an app server that's out there to be deployed, and some kind of unique identifier to say this is what this does.

For example, we have a demo application server that comes with our Test Drive. I'm going to open that real quick. This is just a random web app that we've built. It has no code references to SecurePaaS whatsoever. You can actually download this demo app off of Vaadin's website. Vaadin is a Java web framework, for those of you who aren't familiar; we pretty much downloaded it from them. You'll notice it says "Welcome guest". It doesn't have any context as to who we are, though. There's some information on this screen.

We have some data points that are located for, you know, different parking tickets associated with this demo. We have some shift information regarding what people have been recording, what dates and times they have been working. Notice the different areas that are displayed, from A, B, and C, and we have some statistics that are up here as well. You don't really need to understand the data that's on here, since this is just a demo application.
Now, to get an agent for this server, you can either call our REST API to grab it, or you can grab this link right here and click on this download button. This is going to automatically generate an agent for us that's meant for SecurePaaS. I'm going to hit save now. This saves the server into our list, which obviously the application server doesn't know anything about this system, and that's because our agent hasn't been deployed in that environment.

Okay, so now we're logged into our box. It looks like our agent finished downloading. I'm going to leave this maximized for now. Let's open up a WinSCP instance; you could use regular SCP, obviously, during this step. What we're going to do here is I'm going to copy that agent over onto this box, so we can start making changes. Let me look back at my hostname again.

Now, if you wanted to, obviously, in OpenShift, you could push this and change it out pretty easily by using our different configuration for your JBoss instance. You can use a configuration management instance for pushing this out. It's kind of up to you how you want to deploy the agent itself. For the purposes of this demo, it makes it very easy, though, to just do it this way. So the first thing I'm going to do is go to my Downloads folder, where the agent was downloaded.

Now, to get this agent working on this box is rather simple, so we're going to go onto this host, and if I ls here, we'll see there is the agent that I just copied. The first thing I'm going to do is change to root; we're going to be modifying permissions and things. I'm going to unzip this agent, and I'm going to unzip it to /opt/agent.

You can put it wherever you want on the box, but this is just where I'm going to be putting it. Your destination... okay. Now I'm going to change the permissions on this, so it matches our JBoss instance. In this case it's user jboss and group jboss.
So what I'm going to do is I'm going to reference the Java agent that we're going to be using in our environment, so I set the JAVA_OPTS equal to our Java agent, which is included in our package, and specified our SecurePaaS configuration, which is at the same directory. That configuration tells it essentially where to talk to, what SecurePaaS system it should be talking to, what classes it should include, things like that.

So at this point, I'm going to restart my WildFly instance or my JBoss instance, depending on what it is you're running. We currently support any J2EE container, so anything will work as long as you're running JDK 1.6 or later. That is okay. So now our system is starting back up. This is going to take a few moments. In the meantime, we can go look at our logs and see if we can see any changes occurring yet. Let's zoom down to...

We can see, actually, the agent's attached here on this line, and that's going to start making changes throughout our subsystems while it's being deployed. We're currently in debug mode; you'll notice that it says "attempting to load", and it specifies these different JAR files that are from our agents. As it goes through, it will detect different apps that are being deployed and then launch them appropriately. So if we go back to our web browser, you'll now notice it says, hey,

this is a JBoss server that I'm working with, and if I go back to this application and hit refresh, it's actually going to block me from having access, and that's because I don't have any policies written to access this server. This might take a few seconds on the first go-around, because the changes are still being applied. In the meantime, we can go look at our application and see.
Oh, it looks like we have a couple of different app servers, or apps, that are deployed on this app server, so it auto-detected these WAR files. As I said, we'll see an access denied load on the page, but make note of the app we're trying to access in this case, which is polished demo. So we go back to our list; the WAR file we're looking at is actually this WAR file. If you've deployed any EARs in your environment, and EJB JARs that applications are in, you'll see those here as well.

It automatically grabs, let's say, the servlet container, through nothing that's, you know, specific to this environment, just using the J2EE spec. So if I want to start granting access back to this, what I'm going to do is click on polished demo, and I'm going to look at the main servlet, which is /*. We could add our own custom configurations if we wanted to add things like picture files or JavaScript files or individual page markers, but /* refers to everything inside of it.

We're going to use that. I apologize for the resolution issues at this point, guys, as well. It's just I have a very small screen that I'm working with, so bear with me. So what I'm going to do is I'm going to select the method that I want to try and grant access for. Now, these methods refer to HTTP methods if it's a web app. If it's a SOAP service, it's going to show you the SOAP methods that are currently attached to that system.

If it's a REST service, you're going to see HTTP methods again. Because this application is Vaadin-based, it's very chatty on REST, so we're going to be using GET and POST methods, so I'm going to grant access to HTTP GET. Nice, the resolution is bogging me again. Hang on, let me move this here for a second.
I can make this a date/time-based permission. I'm just going to do user-based for the purposes of this demo, but you could set it based on whatever parameters you like, or step through that again, and at the review page we'll see, hey, this is the method we're writing it for, this is the user. The ID for this policy is going to be randomly generated.

All right, so now that's been completed. We see HTTP GET; it needs to be POST as well. I'm going to hit Refresh PDP Cache, and what this does is we optimize our environment to not constantly have our agents making web requests to look at policies. So what happens is our agents poll once a minute for the latest policy, and if there's been no policy changes, it keeps the most optimized version of the policy. By hitting Refresh PDP Cache, we're essentially alerting the agent the next time you check in to pull the latest version of our authorization cache.

So after that happens, typically within a minute, it could be a little bit less, could be a little bit more depending on what your configuration is, you'll see the changes apply on this server. So I'll hit refresh now. Hopefully it's applied. It has; you'll notice this now says "Welcome admin", because it's pulled that username from the Java HTTP user principal, again, which is not specified through SecurePaaS code.

If you go back to these incident pages, though, you should notice that all these data points are still here, and that's because we haven't actually added an agent onto the back-end web service that's supplying this information. The back-end web service is located at... I'll pull this up real quick.

This URL, now. It automatically redirects; it's not found, because this is a SOAP web service and a REST web service, and I'm not making any real regular requests on this, so it's not going to give me any visual data here. This is the web server where our SOAP and REST web services are going to be hosted. I noticed there's a question, so let me just look to see if I can answer that quickly; if not, I'll hold it till the end. Real fast, so let's just check on it. Uh-huh.
All right, so let's do... let me get... last time. Let's go look and see what changes have actually been made right now, and if we look down, you can actually see when it recognizes a REST service, so you'll notice it'll say, hey, I detected a JAX-RS, which is essentially a REST web service implementation. So it injects our cap servlet for controlling that application access. You'll see that happening kind of all over the place.

You can opt to disable that functionality of just seeing all those changes in debug mode. And now we're going to go back to here; it changed back to demo. So we can now see that it's a JBoss instance. We see both our REST and SOAP services, and if I go here and hit refresh on all these pages, you're going to notice all the data disappearing, and that's because all this data, just like with this web application, is now being blocked access.

So we have to granularly grant access to all these applications and web services as well, so I'm going to click on SOAP, because I think SOAP is a lot... it's pretty interesting to be able to see the individual SOAP methods show up. Specifically, we're going to be looking at the shift web service. There are some other web services in here, a chart, maybe a marine one, and so on and so forth.

With that, I'm going to go add a new permission, and this time we're going to see the SOAP methods show up. These SOAP methods are associated with the different data fields we saw on the shift screen. I'm going to grant access to just the A shift. I'm going to do the same thing as last time: going to make it user-based rather than role-based. I could make it roles, or I could make it date/time, though, as well.

Now that I've made that permission, let's go ahead and also make a REST web service change as well. Now, because this application, the REST web service, is built with RESTEasy, it doesn't outline all the REST URLs, so I have to add them custom, which is actually extremely easy. What I'm going to do is hit this plus sign, say from the root URL, I know I have a REST web service named A tickets; there's also B tickets and C tickets, but I'm just going to do it for A tickets.
Diane: I'll read it out to you here. Jonathan's asking: what you have shown us so far seems to focus on denying access to endpoints by default. What other security controls can you implement? For example, can you automatically redirect to a third-party authentication page, or to a service, when someone accesses the service endpoint?
Derrick: It's a good question. So our system is built with SAML in mind. Our identity provider provides multiple types of access control, so you can use things like two-factor, and SSL. You can use OAuth or OpenID Connect for login mechanisms for the login portal itself. If you wanted to direct the login to do something completely different than the identity provider that we provide in the package,

you can have it point to another SAML-based identity provider and use that for your authentication mechanism. If it was something in regards to using an OAuth service provider that you wanted to use that has, again, no correlation to our SecurePaaS identity provider, that's something we could talk to you about offline, and maybe we can build out a custom implementation for you. Our company is all about open source. We want to help everyone adopt and use the technology as best as humanly possible.

So is it possible, with the way it's built today, to point to a third-party authentication page? No, but our current identity provider does provide the ability to use third-party authentication mechanisms outside of just the LDAP authentication mechanism we provide out of the box. Does that make sense? Does that help answer your question, Jonathan?

Great, okay, so now that I've created that GET policy... I'm sorry, I haven't finished creating it; I was in the middle of doing it. Let me finish creating that real quickly. I'm going to, just like before, refresh my PDP cache, and I'm going to give it a minute to update, so that way we can see the actual page. Now, I must have accidentally closed out my web app; not a big deal.

Go to recent incidences and see if we got any different data now. As I said, this takes about a minute to update, so it might not have been updated yet. We will find out shortly. It's still loading, so wait and see. In the meantime, I will bring us to the auditing page. Our audits are relatively close to real time; they're about a minute in discrepancy, but you can get pretty fine-granular with this. You can look at what changes have been made inside of the management interface.

If I wanted to look at a given web service such as A tickets, we can see when someone was denied access to it, when someone successfully logged into it. You can kind of get a pretty good instance of who is doing what, when. Out of the box, we are only showing the last five minutes, but you can dig down as far back as a year.

If you wanted to; granted, the further back you look, the more memory has to be processed inside of your browser, so be aware of those types of changes, but it is very fluid in that regard. Let's go back here and try a refresh and see, and, yeah, sure enough, here's our new data that's showing up on that. If we go to here and hit refresh, we can now see all the people who have made service tickets that are located in the A zone, not the B or C zone.

No, because we haven't granted access to those, and the same occurs on here: we can see all the A ticket references, but not the B or C's. If we wanted to add the ability to be able to submit a ticket, we can change, update permissions to allow for POST and PUT, and that would allow us to submit new tickets as well. With that,

that's pretty much the end of the presentation of what we can do out of the box today. We're also, as I said, in the process of making this work for .NET, and we're going to be including features such as cross-site scripting prevention, as well as SQL injection prevention, in future iterations of this. Does anybody have any questions for us regarding where our roadmap is, any questions around how they can use it, or thoughts in mind for where they'd like to see this be used in the future?
Derrick: I can do that, so let's do that real quick. If you want to try out the Test Drive yourself and go through and see all the different changes you can make to this, go to securepaas.com, click the Test Drive button, and sign up for a test drive with us. It's really, really, really simple. If you want to contact us about SecurePaaS, you can go to the contact page of SecurePaaS and send your information here. You can contact me directly.

My email address is dsutherland at shadow-soft.com, and if you're interested in more of the stuff that we do as a company and all the services we can provide for you, you can go to shadow-soft.com and view all the different stuff that we have up here, and contact us from our contact page as well.
Diane: I'm looking for people who want to raise their hand, so we'll also pop over, and if you want to join the OpenShift Commons Slack channel, you can follow up there, and if you're not a Commons member yet, just drop me a line, dmueller at redhat.com, and I will sign you up and get you in there. But thanks again, Derrick, for taking the time to do the briefing today, and we're really happy to have Shadow-Soft as part of the OpenShift Commons community.