OpenAM security is a serious matter, especially when this software has a critical role in your architecture, which is often the case. So here are some advices to avoid OpenAM security holes.

1 – OpenAM lower layers security

To avoid security flaws in your OpenAM based architecture,  you have first to check it’s lower layers security. By OpenAM lower layers I mean mainly the operating system, the Java virtual machine and the web container. You should always keep these components updated with the last security patches. You will find security news and updates in each used component website.

2 – OpenAM security

ForgeRock keeps it’s OpenAM users aware of potential security flaws in their product through this page. You can also get notified of last security advisories by either subscribing their mailing lists, following the rss feed or making sure your customer (in case you are) details are correct in ForgeRock BackStage.

Here are some external resources about old OpenAM flaws and the way an attacker could exploit them :

Andrew Petukhov Youtube Channel :
https://www.youtube.com/user/int3rnalsecurity/videos

ZeroNights 2012 presentation :

3 – Securing OpenAM in production

The last (but not least) advice is securing OpenAM in production deployments. To do so, you can follow the OpenAM best practices guide. It shows, among others, how to protect network access and secure administration and communication.

 

Daly

Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.
Daly

Les derniers articles par Daly (tout voir)