Blog

FedRAMP update, CentOS is out!

The recent changes with CentOS have caused FedRAMP to look a little more closely at CentOS. In particular, anyone leveraging the RHEL FIPS validation with CentOS will be declared invalid. It looks like I’m a bit late on posting this; I was informed by a commenter on another post of mine. If you’re in a really tight bind, maybe you could try to leverage openssl(?). But overall, my thoughts are that the JAB is now strictly following which operating systems…


Terraform AWS FIPS provider

Hey readers, I notice a lot of traffic going to my post on CentOS FIPS mode and felt like you guys would like to hear about the Terraform AWS FIPS provider. If that sounds up your alley, keep reading; this will be very helpful. Why use Terraform AWS FIPS? If you’re working with the federal government you will need to meet FIPS 140-2 requirements. These are validated encryption modules meeting the FIPS 140-2 standards and tested to meet those standards….


IaC Patterns – keep things clean

You’ve heard of Infrastructure as Code (IaC), but have you heard of IaC Patterns? A lot of people are jumping on Terraform and CloudFormation to deploy their applications and infrastructure. If you’re reading this then I’m pretty sure you’re one of those people. But how do you know when you’re doing things right? I’m going to give a brief intro on what I mean by IaC patterns and then give some high-level details on patterns that work. Everyone should…


FedRAMP – The Basics

Since you are reading this article I’m going to assume you are going through, or about to go through, a FedRAMP audit. If you’re looking to get a FedRAMP ATO (Authority to Operate), this is the article to start with. If you’re already in process you can probably skip this, but there may be some reassuring and useful information here, so I’d recommend you still give it a read. I’m going to try to sprinkle in important acronyms related to…


Vendor Lock-in on the Cloud

I see a lot of talk online about avoiding cloud vendor lock-in. I used to buy into this axiom as well, and for some cases that might be prudent. But if you’re looking to save money, leverage vendor security controls for compliance, and increase development velocity, vendor lock-in shouldn’t be so worrisome. The big cloud vendors offer value far past simple compute and storage. Most companies rely on AWS or Azure for services that a simple VPS provider could…


Terraform vs Config Management

I see a lot of confusion online about using Terraform. I usually see this confusion when configuration management is brought up as well. There are a lot of “how do I use Terraform with Ansible/Puppet/Chef/Salt” questions and others surrounding these two kinds of tools. I decided to throw together a quick outline on what Terraform is, what configuration management is, and how you can use the two together if you need to. Terraform: Terraform is an infrastructure as code (IaC) orchestration tool….


Java Mapping Utils – Orika vs Dozer

Java Mapping: Mapping between objects shouldn’t be anything new to you if you’re on this page. In enterprise development you often have to map between DTOs, domain models, and data models. For the past 5 years or so I’ve been pretty content with Dozer. I inject a DozerBeanMapper instance where I need it and map pretty easily between different objects. I mostly stick to convention over configuration, so I don’t have a bunch of XML or Java code specifically…


Decoupling Quartz from a web-app

If you’re a Java developer and you’ve had to deal with scheduling, there’s no doubt you have heard of or used Quartz. I’ve used and seen Quartz used for scheduling in many environments. One thing I noticed was that Quartz was usually deployed inside a web-app; I’m not a big fan of that approach. One company had huge, long-running, intensive jobs bogging down the performance of the app and affecting end-users. I like being able to update jobs and…


Vault setup as a system service

Set up HashiCorp Vault as a system service: Vault is one of those tools that can’t be automated easily. By design it really shouldn’t be automated. It’s built for storing secrets like passwords, SSH keys, PKI certs, etc. in a secure manner. You should spread the unseal keys among a few people so that no single malicious actor can get at your passwords. So you always need a couple of people to actually unseal, but you can set up privileges to…


Constructor injection – Why I no longer use autowired

This post focuses on Java and using something like Spring or CDI for dependency injection. If you aren’t using Java this post may still apply to you: constructor injection can and should be implemented in many languages. If you’re confused about autowiring, check out some details here. Why Autowired: I have always used autowired and annotated my fields with autowired only because I had gotten used to it. One of the earlier code bases I worked on in Java…
