ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » News/Updates » MQ Security Working Group

Post new topic  Reply to topic
 MQ Security Working Group « View previous topic :: View next topic » 
Author Message
T.Rob
PostPosted: Fri Dec 16, 2016 9:47 pm    Post subject: MQ Security Working Group Reply with quote

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

A few of us with deep MQ security interest created a group in the RFE community called, appropriately enough, MQ Security. If this interests you, you can find it here:
https://www.ibm.com/developerworks/rfe/execute?use_case=groupLanding&GROUP_ID=1949

So far we have gone through all the open RFEs and added security-relevant ones to the group watch list. Anyone can join and doing so gives you access to browse, download and subscribe (by email and RSS) to the watchlist. We also created several categories and are in the process of assigning them to the various RFEs. These allow us to group the RFEs by the product to which they refer (i.e. AMS, MFT, MQ, etc.), by the function they perform (authentication, authorization), etc.

The RFE community offers private forums for groups. Ours is not created yet as that requires a request, but I hope to have it active soon. We haven't articulated a specific mission for the group yet, other than that it coalesced around a growing concern over the direction and quality of security features in MQ. Perhaps when the forum is active we can articulate better what it is we'd like to do but I think those of us working on it so far would agree that influencing the product's security features from a deep security perspective is among the goals. Staying on track with Secure By Default is probably another. Assisting in any way possible with the fixing/replacement of CONNAUTH is probably in there too.

In one of the initial discussions I was asked why the EAP is not a better forum for this activity. The primary reason is that many of the SMEs with the deepest MQ security skill work at companies not participating in the EAP. My company consists of exactly one employee and I was able to convince the boss to apply for the EAP so we will have some representation there. But as most of the field expertise is outside the EAP, any organized discussion and RFE curation from that group must take place outside as well. This does not short-circuit the existing mechanisms for early collaboration with IBM, but rather addresses a deficiency in the EAP structure that is common to all crowdsourcing: the underlying assumption of crowdsourcing that the crowd in aggregate will always possess the required skill and availability works best near the top of the Bell Curve. Where niche skills and subjects are concerned, crowdsourcing fails. MQ Security is one such niche skill.

This is also not intended to exclude anyone. In fact, moving the discussions from email to a forum if pretty much the definition of inclusive. If you are thinking "I consider myself among that population of deeply skilled MQ Security SME's" the you should also consider yourself invited to join. The group is set to auto-accept membership requests and is also public.

Another question I received was why not use a forum in IMWUC, MQSeries.net, or dWorks? These are existing and thriving communities and it's a valid question. IBM's RFE community is the best vehicle for collaboration on product development because RFE back-end mechanisms are integrated into IBM's development teams. I don't know to what degree but I do know that integration from other communities into the lab == 0 and integration from the RFE community to the lab > 0. This is the first RFE group out there for MQ as far as I can tell so I don't think we've been using it to its potential and there's no case to host elsewhere until we at least try it out.

I will announce when the community is live. The group and watchlist are live now at:
https://www.ibm.com/developerworks/rfe/execute?use_case=groupLanding&GROUP_ID=1949
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Sat Dec 17, 2016 3:41 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Be careful though and do read an RFE before voting for it.
There are some RFE's in the group that should just be voted down, like the one asking for the removal of the global admin blocK if it had been removed from the original qmgr (change to output of dmpmqcfg)...

This RFE shows as well a complete misunderstanding of the functionality, as there exists today a well documented way to suppress this admin block for specific individual channels and I believe we should stick to that way.

Be secure by default and if you must... open a specific channel for the admins.
(And don't let that be a system channel either!!!) and restrict it with the usual suspects (ip, ssl, etc).
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
T.Rob
PostPosted: Sat Dec 17, 2016 7:26 am    Post subject: Reply with quote

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

Perfect example of the kind of thing curation by specialists would be expected to recognize and correct for. Inclusion in the watch list doesn't signify endorsement, only that an RFE is relevant to security. In some cases the best action would be to vote an RFE down.

Given the strength of the team I'd hope IBM would outright kill an RFE if one was so egregious the team felt that such strong an action was necessary. For example if we ever had the chance to get out in front of something so disastrous as ADOPTCTX(NO).
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
Back to top
View user's profile Send private message Visit poster's website
PeterPotkay
PostPosted: Sat Dec 17, 2016 8:57 am    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7717

T.Rob wrote:
In some cases the best action would be to vote an RFE down.

Is there a way to do this?


P.S. I added 3 of my RFEs to the group's watchlist this morning.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
T.Rob
PostPosted: Sat Dec 17, 2016 9:33 am    Post subject: Reply with quote

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

Quote:
Is there a way to do this?


Storm the comments section with torches and pitchforks, so far as I can tell. Ideally though the group comes to a consensus in the forum rather than posting conflicting advice in the RFE comments. When, you know, the forum is actually activated.[/code]
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » News/Updates » MQ Security Working Group
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.