David Jorm, profile picture
Uploaded byDavid Jorm
ODP, PPTX2,638 views

Tracking vulnerable JARs

The document discusses tracking vulnerable JAR (Java archive) files. It notes that many Java applications rely on large numbers of library dependencies, and over 26% of downloads from a popular repository contain known flaws. The author describes a solution used at Red Hat that involves generating a manifest of all JARs used in products, matching this against a database of known vulnerabilities, and enforcing checks for vulnerable files during the build process. This solution uses three components: a tool to generate JAR manifests, a shared vulnerabilities database, and a plugin to check for vulnerabilities during the maven build process.

Embed presentation

Download as ODP, PPTX
Tracking vulnerable JARs Ruxcon 2012 David Jorm djorm@redhat.com
Contents  JAR (security) hell  Example (CVE-2010-1622)  JBoss products  Solution  jboss-manifest  Victi.ms DB  Enforce-victims-rule maven plugin  Demonstration SECURITY RESPONSE TEAM | RED HAT INC. 2
JAR (security) hell • Java/J2EE apps rely on a large number of libraries • There are several ways of handling this, but all rely on the application bundling its own dependencies. • Similar to every binary on a system being statically compiled, with no dynamically linked libraries • Library JARs are typically included as dependencies using build tools like maven that draw them from public repositories • The maven central repo is the most “canonical” source of compiled JARs SECURITY RESPONSE TEAM | RED HAT INC. 3
JAR (security) hell • Aspect Security performed a study1 in March 2012 that showed 29.8 million (26%) of library downloads from the maven central repository are for versions with known flaws • The study recommends app developers: – Provide tailored security policies that can be leveraged by the Java Security Manager to ensure limited impact of any exposure. – Enforce scans of dependencies against a known vulnerability DB. – Internalize and self manage Maven repositories to ensure absolute control of dependencies. 1 https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf SECURITY RESPONSE TEAM | RED HAT INC. 4
Example: CVE-2010-1622 in Spring (hi Meder) Source: http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief SECURITY RESPONSE TEAM | RED HAT INC. 5
Example: CVE-2010-1622 • How do you know your application is vulnerable and needs to be recompiled? How do you know to update your dependencies? SECURITY RESPONSE TEAM | RED HAT INC. 6
Example: CVE-2010-1622 • Track upstream website? Use alert service? Secunia, iSight, etc.? • How to communicate this to developers? How to map dependencies to CVEs? SECURITY RESPONSE TEAM | RED HAT INC. 7
JBoss Products • JBoss products are bundled with all dependent JARs, rather than using a dependency management system • Components within JBoss products bundle their own JARs • We often have multiple copies and/or multiple versions of the same JAR within one product • When a vulnerability is found in a JAR, how do we patch our products comprehensively? SECURITY RESPONSE TEAM | RED HAT INC. 8
Solution • Collate all released/engineering product builds • Recursively unpack them and generate a complete manifest database cataloging the JARs used by each build • Match the manifest database against a database of known vulnerable JARS • Perform a check against the database at build time SECURITY RESPONSE TEAM | RED HAT INC. 9
Solution SECURITY RESPONSE TEAM | RED HAT INC. 10
Solution • Requires three components: • jboss-manifest: a JAR manifest generator that recursively unpacks projects distributed as zip files to generator a text and SQL-based manifest of their packaged JARs • victims database: a canonical database of known- vulnerable JARs, identified by sha-512 fingerprints and linked to CVE IDs • enforce-victims-rule: a maven plugin to detect known-vulnerable JARs at build time based on the victi.ms database SECURITY RESPONSE TEAM | RED HAT INC. 11
jboss-manifest SECURITY RESPONSE TEAM | RED HAT INC. 12
jboss-manifest SECURITY RESPONSE TEAM | RED HAT INC. 13
jboss-manifest • 1) Recursively unpack archives – zip, war, ear etc. • 2) Within each archive, find all jar files • 3) For each jar file get information from: – The file itself – The contents of META-INF/MANIFEST.MF – The signer information in META-INF/*.DSA/RSA – Checksum • 4) For each jar file write a record to the manifest DB, matching the record to the product build containing this jar SECURITY RESPONSE TEAM | RED HAT INC. 14
jboss-manifest • Jenkins used to run scheduled job to check for newly released software • New artifacts are automatically run through jboss- manifest • System sends email alerts to SRT • When the victi.ms DB is updated, a jenkins job can be triggered to check for vulnerabilities in released software SECURITY RESPONSE TEAM | RED HAT INC. 15
Victi.ms DB • Open source project by Steve Milner • Maintains a web-based canonical database of vulnerable JARs, open to submissions from the community • By querying across the manifest and victi.ms databases, we get a report on all vulnerable builds • Code available here: https://bitbucket.org/ashcrow/victims/overview • Hosted instance here: http://victi.ms/ SECURITY RESPONSE TEAM | RED HAT INC. 16
Victi.ms DB • Red Hat maintains hashes for all flaws that affect components we ship • More community effort needed to make the database comprehensive • Potential for future automation, linking CVE/CPE (SCAP) mappings to JARs in the central repo SECURITY RESPONSE TEAM | RED HAT INC. 17
Enforce-victims-rule maven plugin • Builds on the maven enforcer plugin to check a maven project's dependencies against the victi.ms database of known vulnerable artifacts. • Checks are based on both metadata (artifact name and version) and JAR file hashes • Checks can be configured to trigger either warnings or fatal errors SECURITY RESPONSE TEAM | RED HAT INC. 18
Enforce-victims-rule maven plugin SECURITY RESPONSE TEAM | RED HAT INC. 19
Enforce-victims-rule maven plugin SECURITY RESPONSE TEAM | RED HAT INC. 20
Demonstration SECURITY RESPONSE TEAM | RED HAT INC. 21
Commercial tools • Sonatype “Insight App Health Check” – Includes source licensing and security checks – Available as GUI/maven plugin – Operates using remote service – $499 (per app?) • Aspect Security “Contrast” – Identifies flaws in your own code – Maven plugin – Doesn't handle known flaws in dependencies yet – Free version, commercial $199-399/mo SECURITY RESPONSE TEAM | RED HAT INC. 22
Resources • http://victi.ms • https://bitbucket.org/ashcrow/victims/overview • http://search.maven.org/#artifactdetails| com.redhat.victims|enforce-victims-rule|1.0|jar SECURITY RESPONSE TEAM | RED HAT INC. 23
Questions? SECURITY RESPONSE TEAM | RED HAT INC. 24

More Related Content

PDF
Exploiting Deserialization Vulnerabilities in Java
byCODE WHITE GmbH
 
PDF
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
byChristian Schneider
 
ODP
Finding and exploiting novel flaws in Java software (SyScan 2015)
byDavid Jorm
 
PPTX
Java Exploit Analysis .
byRahul Sasi
 
PDF
Building world-class security response and secure development processes
byDavid Jorm
 
ODP
OpenDaylight Brisbane User Group - OpenDaylight Security
byDavid Jorm
 
PDF
44CON & Ruxcon: SDN security
byDavid Jorm
 
PPTX
AusCERT 2016: CVE and alternatives
byDavid Jorm
 
Exploiting Deserialization Vulnerabilities in Java
byCODE WHITE GmbH
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
byChristian Schneider
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
byDavid Jorm
 
Java Exploit Analysis .
byRahul Sasi
 
Building world-class security response and secure development processes
byDavid Jorm
 
OpenDaylight Brisbane User Group - OpenDaylight Security
byDavid Jorm
 
44CON & Ruxcon: SDN security
byDavid Jorm
 
AusCERT 2016: CVE and alternatives
byDavid Jorm
 

What's hot

PDF
The Log4Shell Vulnerability – explained: how to stay secure
byKaspersky
 
PDF
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
bySergey Gordeychik
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
PDF
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
byChristian Schneider
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
byCODE WHITE GmbH
 
PDF
Csw2016 d antoine_automatic_exploitgeneration
byCanSecWest
 
PDF
Introduction to iOS Penetration Testing
byOWASP
 
PDF
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
byPriyanka Aash
 
PPTX
Fortify dev ops (002)
byMadhavan Marimuthu
 
PDF
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
byAlex Senkevitch
 
PDF
Automatic tool for static analysis
byChong-Kuan Chen
 
PPTX
Securing your web applications a pragmatic approach
byAntonio Parata
 
PDF
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
PPTX
BH Arsenal '14 TurboTalk: The Veil-framework
byVeilFramework
 
PDF
Defending against Java Deserialization Vulnerabilities
byLuca Carettoni
 
PDF
Csw2016 freingruber bypassing_application_whitelisting
byCanSecWest
 
PDF
Mitigating Java Deserialization attacks from within the JVM (improved version)
byApostolos Giannakidis
 
PDF
Mitigating Java Deserialization attacks from within the JVM
byApostolos Giannakidis
 
PDF
Android Application Security
byChong-Kuan Chen
 
The Log4Shell Vulnerability – explained: how to stay secure
byKaspersky
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
bySergey Gordeychik
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
byChristian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
byCODE WHITE GmbH
 
Csw2016 d antoine_automatic_exploitgeneration
byCanSecWest
 
Introduction to iOS Penetration Testing
byOWASP
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
byPriyanka Aash
 
Fortify dev ops (002)
byMadhavan Marimuthu
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
byAlex Senkevitch
 
Automatic tool for static analysis
byChong-Kuan Chen
 
Securing your web applications a pragmatic approach
byAntonio Parata
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
BH Arsenal '14 TurboTalk: The Veil-framework
byVeilFramework
 
Defending against Java Deserialization Vulnerabilities
byLuca Carettoni
 
Csw2016 freingruber bypassing_application_whitelisting
byCanSecWest
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
byApostolos Giannakidis
 
Mitigating Java Deserialization attacks from within the JVM
byApostolos Giannakidis
 
Android Application Security
byChong-Kuan Chen
 

Similar to Tracking vulnerable JARs

PDF
Open-Source Security Management and Vulnerability Impact Assessment
byPriyanka Aash
 
PPTX
dependency-check is ppt from owasp to test dependecies
byAshishKandari9
 
PPTX
Dependency check
byDavid Karlsen
 
PDF
Protecting your organization against attacks via the build system
byLouis Jacomet
 
PPTX
Managing Security in External Software Dependencies
byTharindu Edirisinghe
 
PPTX
Aleksei Dremin - Application Security Pipeline - phdays9
byAlexey Dremin
 
PPTX
Auscert 2022 - log4shell and history of Java deserialisation RCE
byDavid Jorm
 
PPTX
2013 Security Threat Report Presentation
bySophos
 
PDF
From Vulnerability to Victory: Mastering the CVE Lifecycle for Java Developers
byAnthony Dahanne
 
PDF
OWASP - Dependency Check
byVandana Verma
 
PPTX
Managing Security in External Software Dependencies
bythariyarox
 
PDF
Securing Java in the Server Room
byTim Ellison
 
PDF
Aliens in Your Apps!
byAll Things Open
 
PDF
Open Source and Security: Engineering Security by Design - Prague, December 2011
byJeremy Brown
 
PPTX
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
PDF
Cross-Build Injection attacks: how safe is your Java build?
bySander Mak (@Sander_Mak)
 
PDF
Say No To Dependency Hell
byNicola Pedot
 
PDF
Enterprise Maven Repository BOF
byMax Andersen
 
PDF
JBoss Enterprise Maven Repository
byMax Andersen
 
PPTX
Continuous Security - TCCC
byWendy Istvanick
 
Open-Source Security Management and Vulnerability Impact Assessment
byPriyanka Aash
 
dependency-check is ppt from owasp to test dependecies
byAshishKandari9
 
Dependency check
byDavid Karlsen
 
Protecting your organization against attacks via the build system
byLouis Jacomet
 
Managing Security in External Software Dependencies
byTharindu Edirisinghe
 
Aleksei Dremin - Application Security Pipeline - phdays9
byAlexey Dremin
 
Auscert 2022 - log4shell and history of Java deserialisation RCE
byDavid Jorm
 
2013 Security Threat Report Presentation
bySophos
 
From Vulnerability to Victory: Mastering the CVE Lifecycle for Java Developers
byAnthony Dahanne
 
OWASP - Dependency Check
byVandana Verma
 
Managing Security in External Software Dependencies
bythariyarox
 
Securing Java in the Server Room
byTim Ellison
 
Aliens in Your Apps!
byAll Things Open
 
Open Source and Security: Engineering Security by Design - Prague, December 2011
byJeremy Brown
 
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
Cross-Build Injection attacks: how safe is your Java build?
bySander Mak (@Sander_Mak)
 
Say No To Dependency Hell
byNicola Pedot
 
Enterprise Maven Repository BOF
byMax Andersen
 
JBoss Enterprise Maven Repository
byMax Andersen
 
Continuous Security - TCCC
byWendy Istvanick
 

Recently uploaded

PDF
Essential Software Testing Skills to Learn.pdf
byrajeshpps10
 
PDF
Get Your Love Back – A Complete Guide to Rebuilding Lost Connections
bysainiroshan7845
 
DOCX
8. QuickBooks Customer Service San Jose – +1-804-985-1002 – Call for Fixes
bysobade4208
 
PPTX
Training_and__Placement_Report_Plan.pptx
byMalkeetSingh85
 
PPTX
Review and Research Article_Ankit .pptx
byAnkitKinge
 
PPTX
Childhood and adolescent TB management.pptx LOCARDY CO HND.pptx
bychaolockie
 
PPTX
PPT ILP BELTIM prov kep bangka belitung (beltim)
bynurkumala13
 
PPT
340488369-Reflected-13_1_Paula_Carvalho.ppt
byPaulaCarvalho143640
 
PDF
Project Management and Entrepreneurship notes
byANIRUDDHA ADAK
 
PDF
Professional-Research-Proposal-Help-UK-for-Academic-Excellence
byResearch Proposal Help
 
PDF
Listening Skills Information Technology, 5th ed..pdf
bymohammedbm106
 
PDF
tanyeongchye-digitalmarketing-resume-2026
byTim Tan
 
PPTX
Key themes in current market trends presentations.pptx
byKathirSundaram
 
PPTX
Renewable_Energy_Research_Presentation.pptx
bynagavijayababu108
 
PPTX
week 1 UCSP.pptxHQAJASJASJ;SJASLJBDBDBDBDBD
byEugeneSaldivar
 
PPTX
Biotechnology, GMO, Fortification.pptx3.pptx
byRSLCelea
 
PPTX
Fibroids_mku4thyear_31102025.pptxs Happy
byColloKaris
 
PPTX
Why Humans Are Losing to AI (And How to Get Your Edge Back)
byDevin Bisanz
 
PPTX
Future challenges of Physical Therapy - Professional Practice.pptx
byshahidiqbalssg3
 
PDF
How AI Glasses Are Changing the Future of Human Interactions
bypkhandelwal31117
 
Essential Software Testing Skills to Learn.pdf
byrajeshpps10
 
Get Your Love Back – A Complete Guide to Rebuilding Lost Connections
bysainiroshan7845
 
8. QuickBooks Customer Service San Jose – +1-804-985-1002 – Call for Fixes
bysobade4208
 
Training_and__Placement_Report_Plan.pptx
byMalkeetSingh85
 
Review and Research Article_Ankit .pptx
byAnkitKinge
 
Childhood and adolescent TB management.pptx LOCARDY CO HND.pptx
bychaolockie
 
PPT ILP BELTIM prov kep bangka belitung (beltim)
bynurkumala13
 
340488369-Reflected-13_1_Paula_Carvalho.ppt
byPaulaCarvalho143640
 
Project Management and Entrepreneurship notes
byANIRUDDHA ADAK
 
Professional-Research-Proposal-Help-UK-for-Academic-Excellence
byResearch Proposal Help
 
Listening Skills Information Technology, 5th ed..pdf
bymohammedbm106
 
tanyeongchye-digitalmarketing-resume-2026
byTim Tan
 
Key themes in current market trends presentations.pptx
byKathirSundaram
 
Renewable_Energy_Research_Presentation.pptx
bynagavijayababu108
 
week 1 UCSP.pptxHQAJASJASJ;SJASLJBDBDBDBDBD
byEugeneSaldivar
 
Biotechnology, GMO, Fortification.pptx3.pptx
byRSLCelea
 
Fibroids_mku4thyear_31102025.pptxs Happy
byColloKaris
 
Why Humans Are Losing to AI (And How to Get Your Edge Back)
byDevin Bisanz
 
Future challenges of Physical Therapy - Professional Practice.pptx
byshahidiqbalssg3
 
How AI Glasses Are Changing the Future of Human Interactions
bypkhandelwal31117
 

Tracking vulnerable JARs

  • 1.
    Tracking vulnerable JARs Ruxcon2012 David Jorm djorm@redhat.com
  • 2.
    Contents  JAR (security) hell  Example (CVE-2010-1622)  JBoss products  Solution  jboss-manifest  Victi.ms DB  Enforce-victims-rule maven plugin  Demonstration SECURITY RESPONSE TEAM | RED HAT INC. 2
  • 3.
    JAR (security) hell • Java/J2EE apps rely on a large number of libraries • There are several ways of handling this, but all rely on the application bundling its own dependencies. • Similar to every binary on a system being statically compiled, with no dynamically linked libraries • Library JARs are typically included as dependencies using build tools like maven that draw them from public repositories • The maven central repo is the most “canonical” source of compiled JARs SECURITY RESPONSE TEAM | RED HAT INC. 3
  • 4.
    JAR (security) hell • Aspect Security performed a study1 in March 2012 that showed 29.8 million (26%) of library downloads from the maven central repository are for versions with known flaws • The study recommends app developers: – Provide tailored security policies that can be leveraged by the Java Security Manager to ensure limited impact of any exposure. – Enforce scans of dependencies against a known vulnerability DB. – Internalize and self manage Maven repositories to ensure absolute control of dependencies. 1 https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf SECURITY RESPONSE TEAM | RED HAT INC. 4
  • 5.
    Example: CVE-2010-1622 inSpring (hi Meder) Source: http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief SECURITY RESPONSE TEAM | RED HAT INC. 5
  • 6.
    Example: CVE-2010-1622 •How do you know your application is vulnerable and needs to be recompiled? How do you know to update your dependencies? SECURITY RESPONSE TEAM | RED HAT INC. 6
  • 7.
    Example: CVE-2010-1622 •Track upstream website? Use alert service? Secunia, iSight, etc.? • How to communicate this to developers? How to map dependencies to CVEs? SECURITY RESPONSE TEAM | RED HAT INC. 7
  • 8.
    JBoss Products •JBoss products are bundled with all dependent JARs, rather than using a dependency management system • Components within JBoss products bundle their own JARs • We often have multiple copies and/or multiple versions of the same JAR within one product • When a vulnerability is found in a JAR, how do we patch our products comprehensively? SECURITY RESPONSE TEAM | RED HAT INC. 8
  • 9.
    Solution • Collateall released/engineering product builds • Recursively unpack them and generate a complete manifest database cataloging the JARs used by each build • Match the manifest database against a database of known vulnerable JARS • Perform a check against the database at build time SECURITY RESPONSE TEAM | RED HAT INC. 9
  • 10.
    Solution SECURITY RESPONSE TEAM | RED HAT INC. 10
  • 11.
    Solution • Requiresthree components: • jboss-manifest: a JAR manifest generator that recursively unpacks projects distributed as zip files to generator a text and SQL-based manifest of their packaged JARs • victims database: a canonical database of known- vulnerable JARs, identified by sha-512 fingerprints and linked to CVE IDs • enforce-victims-rule: a maven plugin to detect known-vulnerable JARs at build time based on the victi.ms database SECURITY RESPONSE TEAM | RED HAT INC. 11
  • 12.
    jboss-manifest SECURITY RESPONSE TEAM | RED HAT INC. 12
  • 13.
    jboss-manifest SECURITY RESPONSE TEAM | RED HAT INC. 13
  • 14.
    jboss-manifest • 1)Recursively unpack archives – zip, war, ear etc. • 2) Within each archive, find all jar files • 3) For each jar file get information from: – The file itself – The contents of META-INF/MANIFEST.MF – The signer information in META-INF/*.DSA/RSA – Checksum • 4) For each jar file write a record to the manifest DB, matching the record to the product build containing this jar SECURITY RESPONSE TEAM | RED HAT INC. 14
  • 15.
    jboss-manifest • Jenkinsused to run scheduled job to check for newly released software • New artifacts are automatically run through jboss- manifest • System sends email alerts to SRT • When the victi.ms DB is updated, a jenkins job can be triggered to check for vulnerabilities in released software SECURITY RESPONSE TEAM | RED HAT INC. 15
  • 16.
    Victi.ms DB •Open source project by Steve Milner • Maintains a web-based canonical database of vulnerable JARs, open to submissions from the community • By querying across the manifest and victi.ms databases, we get a report on all vulnerable builds • Code available here: https://bitbucket.org/ashcrow/victims/overview • Hosted instance here: http://victi.ms/ SECURITY RESPONSE TEAM | RED HAT INC. 16
  • 17.
    Victi.ms DB •Red Hat maintains hashes for all flaws that affect components we ship • More community effort needed to make the database comprehensive • Potential for future automation, linking CVE/CPE (SCAP) mappings to JARs in the central repo SECURITY RESPONSE TEAM | RED HAT INC. 17
  • 18.
    Enforce-victims-rule maven plugin • Builds on the maven enforcer plugin to check a maven project's dependencies against the victi.ms database of known vulnerable artifacts. • Checks are based on both metadata (artifact name and version) and JAR file hashes • Checks can be configured to trigger either warnings or fatal errors SECURITY RESPONSE TEAM | RED HAT INC. 18
  • 19.
    Enforce-victims-rule maven plugin SECURITY RESPONSE TEAM | RED HAT INC. 19
  • 20.
    Enforce-victims-rule maven plugin SECURITY RESPONSE TEAM | RED HAT INC. 20
  • 21.
    Demonstration SECURITY RESPONSE TEAM | RED HAT INC. 21
  • 22.
    Commercial tools •Sonatype “Insight App Health Check” – Includes source licensing and security checks – Available as GUI/maven plugin – Operates using remote service – $499 (per app?) • Aspect Security “Contrast” – Identifies flaws in your own code – Maven plugin – Doesn't handle known flaws in dependencies yet – Free version, commercial $199-399/mo SECURITY RESPONSE TEAM | RED HAT INC. 22
  • 23.
    Resources • http://victi.ms • https://bitbucket.org/ashcrow/victims/overview • http://search.maven.org/#artifactdetails| com.redhat.victims|enforce-victims-rule|1.0|jar SECURITY RESPONSE TEAM | RED HAT INC. 23
  • 24.
    Questions? SECURITYRESPONSE TEAM | RED HAT INC. 24

Editor's Notes

  • #3 I'll begin with an overview of some of the challenges our customer see with virtualization solutions today. I'll then cover an overview of RHEV, and walk you through some of its key features and functionality. After that, I will cover our pricing and packaging model - And I will also contrast it with some of the other products in the market. Finally, I'll discuss our vision for RHEV and the virtualization market in general with a brief overview of our virtualization infrastructure roadmap - and then we will open the line up for questions. So, lets begin ...
  • #25 With RHEV for Servers, Red Hat provides a robust virtualization platform optimized to give you the performance, scalability, security and ecosystem you need with a price structure that truly enables pervasive datacenter virtualization. For more information, visit our web page which includes a library of datasheets, feature demos, and a link to a TCO calculator where you can calculate how much RHEV can save you in your datacenter. The address is www.redhat.com/rhev Thank you for your time today, and now I will take any questions.