The recent changes with CentOS has caused FedRAMP to look a little more closely at CentOS. In particular, anyone leveraging the RHEL FIPS validation with CentOS will be declared invalid. It looks like I’m a bit late on posting this. I was informed by a commenter on another post of mine. If you’re in a really tight bind, maybe you could try to leverage openssl(?). But overall, my thoughts are that the JAB is now strictly following which operating systems…
Hey readers, I notice a lot of traffic going to my post on CentOS FIPS mode and felt like you guys would like to hear about the Terraform AWS FIPS provider. If that sounds up your ally, keep reading, this will be very helpful. Why use Terraform AWS FIPS? If you’re working with the federal government you will need to meet FIPS 140-2 requirements. These are validated encryption modules meeting the FIPS 140-2 standards and tested to meet those standards….
You’ve heard of Infrastructure as Code (IaC) but have you heard of IaC Patterns? A lot of people are jumping on Terraform and Cloudformation to deploy their applications and infrastructure. If you’re reading this than I’m pretty sure you’re one of those people. But, how do you know when you’re doing things right? I’m going to give a brief intro on what I mean by IaC patterns and then give some high level details on patterns that work. Everyone should…
Since you are reading this article I’m going to assume you are going through, or about to go through, a FedRAMP audit. If you’re looking to get a FedRAMP ATO (Authority to Operate) this is the article to start with. If you’re already in-process you can probably skip this, but there may be some reassuring and good information to have, so I’d recommend you still give it a read. I’m going to try to sprinkle in important acronyms related to…
I see a lot of talk online about avoiding cloud vendor lock-in. I used to buy into this axiom as well and for some cases that might be prudent. But, if you’re looking to save money, leverage vendor security controls for compliance, and increase development velocity , vendor lock-in shouldn’t be so worrisome. The big cloud vendors offer value far past simple compute and storage. Most companies rely on AWS or Azure for services that a simple VPS provider could…
I see a lot of confusion online about using terraform. I usually see this confusion when configuration management is brought up as well. There are a lot of “how do I use terraform with ansible/puppet/chef/salt” and other questions surrounding these two tools. I decided to throw together a quick outline on what Terraform is, what configuration management is, and how you can use these two together if you need to. Terraform Terraform is an infrastructure as code (IaC) orchestration tool….
Java Mapping Mapping between objects shouldn’t be anything new to you if you’re on this page. In enterprise development you often will have to map between DTOs, domain models, and data models. For the past 5 years or so I’ve been pretty content with dozer. I inject a DozerBeanMapper instance where I need it and map pretty easily between different objects. I mostly stick to convention over configuration, so I don’t have a bunch of xml or java code specifically…
If you’re a Java Developer and you’ve had to deal with scheduling there’s no doubt you have heard of or used Quartz. I’ve used and seen Quartz used for scheduling in many environments. One thing I noticed was that Quartz was usually deployed in a web-app, I’m not a big fan of that approach. One company had these huge long running intensive jobs bogging down the performance of the app affecting end-users. I like being able to update jobs and…
Setup Hashicorp Vault as a system service Vault is one of those tools that can’t be automated easily. By design it really shouldn’t be automated. It’s built for storing secrets like passwords, ssh keys, pki certs, etc. in a secure manner. You should spread out the unseal keys among a few people so that not one malicious actor can get at your passwords. So you always need a couple of people to actually unseal, but you can setup privileges to…
This post focuses on Java and using something like Spring or CDI for dependency injection. If you aren’t using Java this post can maybe still apply to you, constructor injection can and should be implemented in many languages. If you’re confused about autowiring, check out some details here. Why Autowired I have always used autowired and annotated my fields with autowired only because I had gotten used to it. One of the earlier code bases I worked on in Java…