Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
This presentation introduces the new Java EE 8 Security API JSR 375. Originally presented at Devoxx France 2015, the slides present the motivation behind the new JSR, some history, the expert group, and a summary of ideas.
The slides were created after the expert group had been meeting for about a month, so the ideas are raw and undeveloped. However, the ideas in the slides do indicate the general direction the JSR is headed, with respect to modernizing, simplifying, and standardizing the Java EE Security API.
Reactive Java EE - Let Me Count the Ways!Reza Rahman
As our industry matures there are pockets of increased demand for high-throughput, low-latency systems heavily utilizing event-driven programming and asynchronous processing. This trend is gradually converging on the somewhat well established but so-far not well understood term "Reactive".
This session explores how vanilla Java SE and Java EE aligns with this movement via features and APIs like JMS, MDB, EJB @Asynchronous, JAX-RS/Servlet/WebSocket async, CDI events, Java EE concurrency utilities and so on. We will also see how these robust facilities can be made digestible even in the most complex cases for mere mortal developers through Java SE 8 Lambdas and Completable Futures.
Java EE 8 Overview (Sept 2015). A lot of work is already done by the Expert Groups so lets have a brief look for what we can expect in the some areas.
- Servlet 4 will embrace the new HTTP/2 protocol.
- JSON-B will bring the same high level features of JAXB to the JSON data format.
- Server-Sent Events(SSE) is the WebSocket variant where you only send data from the server to the client.
- MVC will be the Action based MVC complement of the Component based MVC of JSF.
- Some major restructuring of CDI so that we can use it standardised in Java SE to mention one thing.
The Java EE security API will be covered in more detail. Security related things became old and dusty and needs to move away from proprietary configuration to be able to make the transition to the cloud. An introduction to JSR 375 is given, which promotes self-contained application portability across Java EE servers, and promotes the use of modern programming concepts such as Expression Language, and CDI. It will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community.
Down-to-Earth Microservices with Java EEReza Rahman
Microservices have become the new kid of the buzzword block in our ever colorful industry. In this session we will explore what microservices really mean within the relatively well established context of distributed computing/SOA, when they make sense and how to develop them using the lightweight, simple, productive Java EE programming model.
We'll explore microservices using a simple but representative example using Java EE. You'll see how the Java EE programming model and APIs like JAX-RS, WebSocket, JSON-P, JSON-B, Bean Validation, CDI, JPA, EJB 3, JMS 2 and JTA aligns with the concept of microservices.
It may or may not surprise you to learn in the end that you already know more about microservices than you realize and that it is an architectural style that does not really require you to learn an entirely new tool set beyond the ones you already have. You might even see that Java EE is a particularly powerful and elegant tool set for developing microservices.
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
This presentation introduces the new Java EE 8 Security API JSR 375. Originally presented at Devoxx France 2015, the slides present the motivation behind the new JSR, some history, the expert group, and a summary of ideas.
The slides were created after the expert group had been meeting for about a month, so the ideas are raw and undeveloped. However, the ideas in the slides do indicate the general direction the JSR is headed, with respect to modernizing, simplifying, and standardizing the Java EE Security API.
Reactive Java EE - Let Me Count the Ways!Reza Rahman
As our industry matures there are pockets of increased demand for high-throughput, low-latency systems heavily utilizing event-driven programming and asynchronous processing. This trend is gradually converging on the somewhat well established but so-far not well understood term "Reactive".
This session explores how vanilla Java SE and Java EE aligns with this movement via features and APIs like JMS, MDB, EJB @Asynchronous, JAX-RS/Servlet/WebSocket async, CDI events, Java EE concurrency utilities and so on. We will also see how these robust facilities can be made digestible even in the most complex cases for mere mortal developers through Java SE 8 Lambdas and Completable Futures.
Java EE 8 Overview (Sept 2015). A lot of work is already done by the Expert Groups so lets have a brief look for what we can expect in the some areas.
- Servlet 4 will embrace the new HTTP/2 protocol.
- JSON-B will bring the same high level features of JAXB to the JSON data format.
- Server-Sent Events(SSE) is the WebSocket variant where you only send data from the server to the client.
- MVC will be the Action based MVC complement of the Component based MVC of JSF.
- Some major restructuring of CDI so that we can use it standardised in Java SE to mention one thing.
The Java EE security API will be covered in more detail. Security related things became old and dusty and needs to move away from proprietary configuration to be able to make the transition to the cloud. An introduction to JSR 375 is given, which promotes self-contained application portability across Java EE servers, and promotes the use of modern programming concepts such as Expression Language, and CDI. It will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community.
Down-to-Earth Microservices with Java EEReza Rahman
Microservices have become the new kid of the buzzword block in our ever colorful industry. In this session we will explore what microservices really mean within the relatively well established context of distributed computing/SOA, when they make sense and how to develop them using the lightweight, simple, productive Java EE programming model.
We'll explore microservices using a simple but representative example using Java EE. You'll see how the Java EE programming model and APIs like JAX-RS, WebSocket, JSON-P, JSON-B, Bean Validation, CDI, JPA, EJB 3, JMS 2 and JTA aligns with the concept of microservices.
It may or may not surprise you to learn in the end that you already know more about microservices than you realize and that it is an architectural style that does not really require you to learn an entirely new tool set beyond the ones you already have. You might even see that Java EE is a particularly powerful and elegant tool set for developing microservices.
What is tackled in the Java EE Security API (Java EE 8)Rudy De Busscher
The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.
Testing Java EE Applications Using ArquillianReza Rahman
This session outlines how to effectively test Java EE APIs like JSF, Servlet, CDI, EJB 3, JPA, WebSocket and JAX-RS. Java EE includes a number of new features that enhance testability like generic dependency injection, CDI @Alternative, portable extensions, embedded containers and JSF project stages.
Using these features and best of breed tools like JUnit and Arquillian it is possible to perform unit, integration, system and functional testing for Java EE APIs at all layers of the application. In addition to discussing tools and features, the session will also demonstrate testing techniques like designing for testability, mock objects, isolation and test configuration.
The days of EJB’s being the center of the Java EE universe are coming to an end. CDI is increasingly becoming the de facto component framework, due to its flexibility and lack of legacy. Starting in Java EE 7 and continuing in 8, the Java EE platform is migrating to enable all of EJB’s best features to be usable in the CDI world. In this session, you’ll learn implementation-level details on how they relate to each other, where we are in the EJB/CDI alignment story, what trade-offs you might need to make, and what you have to gain from making the transition. You will walk out with runnable examples and vendor-level insights. This is the perfect session for heavy EJB users looking to keep up with Java EE’s transition to CDI.
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015Edward Burns
It’s hard to overstate how much has changed in the world since HTTP 1.1 went final in June of 1999. There were no smartphones, Google had not yet IPO’d, Java Swing was less than a year old… you get the idea. Yet for all that change, HTTP remains at version 1.1.
Change is finally coming. HTTP 2.0 should be complete by 2015, and with that comes the need for a new version of Servlet. It will embrace HTTP 2.0 and expose its key features to Java EE 8 applications. This session gives a peek into the progress of the Servlet spec and shares some ideas about how developers can take advantage of this exciting
update to the world’s most successful application protocol on the world’s most popular programming language.
[Note that this talk is not available outside some very specific settings but this deck is here for you as a basic resource to form a basis for your own analysis based on my reasonably objective extensive professional experience using both technology sets in the real world]
Java EE 7 has been one of the most significant overhauls of the platform. Just some of the changes include retiring EJB 2 entity beans and JAX-RPC, greater alignment with CDI, WebSocket/HTML 5 support, a standard API for JSON processing, the next version of JAX-RS, an overhaul of JMS, long-awaited concurrency utilities, batch processing in Java EE and much, much more. In order to make educated choices for adoption, one should understand how the widely-used Spring Framework aligns with Java EE.
This session will compare and contrast the Spring Framework with Java EE 7. We will focus on key areas that include the component development model, dependency injection, persistence, UI, REST, messaging, security and testing. Beyond API/features, the analysis will take a holistic view in covering concerns such as ease-of-use, manageability, ecosystem and vendor-neutrality.
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsArshal Ameen
Financial companies need Java EE to power their business today. Rakuten Card, one of the largest credit card companies in Japan, adopted Java EE 6 for its online systems rearchitecture. Learn why it chose Java EE, and hear about its experiences and lessons learned. This is the first time a large credit card company in Japan is sharing its story. How do you start such a big project? Why did it choose Java EE? How did it select the in-house development policies, educate itself, and develop the additional libraries? How did it launch within only six months? What is the key factor driving 24/7 critical financial systems successfully? How do you migrate to Java EE 7 in the future? This presentation answers these questions and any others you may have.
With a strong focus on annotations, minimalist configuration, simple deployment, intelligent defaults and Java centric type-safety, Java EE is one of the most productive full-stack development platforms around today. This very code centric workshop is a quick tour of the Java EE platform as it stands today. If you haven't seen Java EE for a while and want to catch up, this session is definitely for you.
We will start with the basic principals of what Java EE is and what it is not, overview the platform at a high level and then dive into each key API like JSF, CDI, EJB 3, JPA, JAX-RS, WebSocket and JMS using examples and demos. This is your chance to look at Java EE 7 in the context of a realistic application named Cargo Tracker, available with an MIT license at http://cargotracker.java.net.
We will also briefly take a look at the emerging horizons of Java EE 8.
Many enterprise systems build at 2000 - 2010 uses J2EE old specifications with Struts web framework. But nowadays J2EE improved as Java EE, with standard web framework JSF 2. With this slides you can learn how to migrate old-styled J2EE + Struts systems to sophisticated Java EE with JSF 2 specification. This slides was used in Java Day Tokyo 2014 C4 window, presented by the author. And some slides is specialized for Japanese enterprise systems, but the theme is very standard and for almost all J2EE users in the world.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Java application security the hard way - a workshop for the serious developerSteve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting.
We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in reducing security issues in Java.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is.
What is tackled in the Java EE Security API (Java EE 8)Rudy De Busscher
The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.
Testing Java EE Applications Using ArquillianReza Rahman
This session outlines how to effectively test Java EE APIs like JSF, Servlet, CDI, EJB 3, JPA, WebSocket and JAX-RS. Java EE includes a number of new features that enhance testability like generic dependency injection, CDI @Alternative, portable extensions, embedded containers and JSF project stages.
Using these features and best of breed tools like JUnit and Arquillian it is possible to perform unit, integration, system and functional testing for Java EE APIs at all layers of the application. In addition to discussing tools and features, the session will also demonstrate testing techniques like designing for testability, mock objects, isolation and test configuration.
The days of EJB’s being the center of the Java EE universe are coming to an end. CDI is increasingly becoming the de facto component framework, due to its flexibility and lack of legacy. Starting in Java EE 7 and continuing in 8, the Java EE platform is migrating to enable all of EJB’s best features to be usable in the CDI world. In this session, you’ll learn implementation-level details on how they relate to each other, where we are in the EJB/CDI alignment story, what trade-offs you might need to make, and what you have to gain from making the transition. You will walk out with runnable examples and vendor-level insights. This is the perfect session for heavy EJB users looking to keep up with Java EE’s transition to CDI.
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015Edward Burns
It’s hard to overstate how much has changed in the world since HTTP 1.1 went final in June of 1999. There were no smartphones, Google had not yet IPO’d, Java Swing was less than a year old… you get the idea. Yet for all that change, HTTP remains at version 1.1.
Change is finally coming. HTTP 2.0 should be complete by 2015, and with that comes the need for a new version of Servlet. It will embrace HTTP 2.0 and expose its key features to Java EE 8 applications. This session gives a peek into the progress of the Servlet spec and shares some ideas about how developers can take advantage of this exciting
update to the world’s most successful application protocol on the world’s most popular programming language.
[Note that this talk is not available outside some very specific settings but this deck is here for you as a basic resource to form a basis for your own analysis based on my reasonably objective extensive professional experience using both technology sets in the real world]
Java EE 7 has been one of the most significant overhauls of the platform. Just some of the changes include retiring EJB 2 entity beans and JAX-RPC, greater alignment with CDI, WebSocket/HTML 5 support, a standard API for JSON processing, the next version of JAX-RS, an overhaul of JMS, long-awaited concurrency utilities, batch processing in Java EE and much, much more. In order to make educated choices for adoption, one should understand how the widely-used Spring Framework aligns with Java EE.
This session will compare and contrast the Spring Framework with Java EE 7. We will focus on key areas that include the component development model, dependency injection, persistence, UI, REST, messaging, security and testing. Beyond API/features, the analysis will take a holistic view in covering concerns such as ease-of-use, manageability, ecosystem and vendor-neutrality.
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsArshal Ameen
Financial companies need Java EE to power their business today. Rakuten Card, one of the largest credit card companies in Japan, adopted Java EE 6 for its online systems rearchitecture. Learn why it chose Java EE, and hear about its experiences and lessons learned. This is the first time a large credit card company in Japan is sharing its story. How do you start such a big project? Why did it choose Java EE? How did it select the in-house development policies, educate itself, and develop the additional libraries? How did it launch within only six months? What is the key factor driving 24/7 critical financial systems successfully? How do you migrate to Java EE 7 in the future? This presentation answers these questions and any others you may have.
With a strong focus on annotations, minimalist configuration, simple deployment, intelligent defaults and Java centric type-safety, Java EE is one of the most productive full-stack development platforms around today. This very code centric workshop is a quick tour of the Java EE platform as it stands today. If you haven't seen Java EE for a while and want to catch up, this session is definitely for you.
We will start with the basic principals of what Java EE is and what it is not, overview the platform at a high level and then dive into each key API like JSF, CDI, EJB 3, JPA, JAX-RS, WebSocket and JMS using examples and demos. This is your chance to look at Java EE 7 in the context of a realistic application named Cargo Tracker, available with an MIT license at http://cargotracker.java.net.
We will also briefly take a look at the emerging horizons of Java EE 8.
Many enterprise systems build at 2000 - 2010 uses J2EE old specifications with Struts web framework. But nowadays J2EE improved as Java EE, with standard web framework JSF 2. With this slides you can learn how to migrate old-styled J2EE + Struts systems to sophisticated Java EE with JSF 2 specification. This slides was used in Java Day Tokyo 2014 C4 window, presented by the author. And some slides is specialized for Japanese enterprise systems, but the theme is very standard and for almost all J2EE users in the world.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Java application security the hard way - a workshop for the serious developerSteve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting.
We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in reducing security issues in Java.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
The Dev, Sec and Ops of API Security - API World42Crunch
The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect.
Downside: The more APIs, the higher the security risk!
API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs.
Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language.
In this presentation you will learn:
Security risks at each stage of the API lifecycle, and how to mitigate them.
How to implement an end-to-end automated API security model that development, security and operations teams will love.
How to think positive! Why a positive security model works.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Security from both sides of the fence – a discussion of techniques, such as fuzzing, to reduce the likelihood of an attacker
discovering exploits on smartphones and PCs;
plus a demonstration of approaches hackers may use to weaponize and exploit vulnerabilities.
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"Daniel Bryant
Last year we talked about DevOps, what it was, why it was important and how to get started. Boy, was it scary. Now we’re wiser. More battle-scarred. The scale of the challenge for application writers exploiting cloud and DevOps is clearer, but so is the path forward. Understanding the DevOps approach is important but equally you must understand specific deployment technologies. How to exploit them and how they effect the design of applications. Whether creating simple applications or sophisticated microservice architectures many of the challenges are the same.
Presented at JAXLondon 2015 with Steve Poole
Software Security Engineering (Learnings from the past to fix the future) - B...DebasisMohanty43
This talk was presented at BSides Delaware 2021. This talk covered some crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. Primarily the presentation provides some insights on why still we continue to two decades old bugs and recommendations to consider going ahead.
Note: I gave this talk earlier in the year at the OWASP Global 21st event, but this presentation is a slightly extended version of the OWASP talk. Therefore, treat this slide as the most up to date version.
The video recording of this talk is available via the BSides DE youtube channel.
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
Key Takeaways for Java Developers from the State of the Software Supply Chain...Steve Poole
Maven Central hits 1 Trillion downloads, Cyber bad guys make $6 Trillion, Governments respond and of course AI. What happened this year and what does it mean for 2024? A look at what Sonatype discovered in preparing the 9th State of the Software Supply Chain Report and what it could mean for developers in the future.
2024 is going to be difficult for all of us: find out how, why and just what you need to do next!
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECHSteve Poole
For all in IT—Developer, QA, DevOps, or SecOps—the future is driven by two game-changers: the ascent of Generative AI and heightened governmental scrutiny of software. Similar to the industrial revolution’s upheaval, their influence will revolutionise and reinvent the technology we use and our relationship with it. We’ll unpack how these factors redefine our tech practices today and tomorrow. Prepare for role evolution, new opportunities, and shifts, including the evolving dynamic with open source. Join this deep dive to discern the real ramifications.
Maven Central++ What's happening at the core of the Java supply chainSteve Poole
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving overt 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Times are changing and so is Maven Central.
As cyberattacks grow the defences at Maven Central have grown too and now we're on the offence. Learn how Maven Central is working with the Linux Foundation and others to add features and services that will keep the Java community safer, more informed and better prepared.
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextSteve Poole
Over the last ten years we’ve seen cybercrime accelerate beyond all comprehension, We’ve seen the growing and relentless impact it has on our society and our economies. It’s taken a long time for the world to act but finally we’re coming together to resist this uniquely 21st century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session we’ll brief you on the state of the situation and what you can do to be more prepared. We’ll look at the bad guys and how they operate, we’ll examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
A new hope for 2023? What developers must learn nextSteve Poole
Over the last ten years, we’ve seen cybercrime accelerate beyond all comprehension and the growing and relentless impact it has on our society and economies. It’s taken a long time for the world to act, but finally, we’re coming together to resist this uniquely 21st-century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session, we’ll brief you on the state of the situation and what you can do to be more prepared.: we’ll look at the bad guys and how they operate, examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
Three-card Monte, Find the Lady - the game goes by many names but at its core is a simple scam. You think you're in control but you're not: it's a game you can't win, and if you do it's only temporary to give you false confidence.
Software delivery is rapidly becoming a shell game: bad actors trying to force you to use compromised components, bad actors trying to take over your build processes and insert malware. Bad actors subverting your processes while give you false confidence that everything is ok.
This session introduces you to an active defence you can start to use now.
In this talk we’ll explain how the SBOM or Software Bill of Materials is emerging as the base for new tools and new thinking about producing software.
We’ll explain what an SBOM is , how it provides significant protection against software delivery attacks and what tools exist today for you to use.
We’ll walk through from source code to deployment and examine where the bad guys can get in and what SBOM related defences exist.
Learning how the shell game is played reduces the risk. Avoiding the game altogether is the wiser choice. SBOMs may just be the way to do that.
Superman or Ironman - can everyone be a 10x developer?Steve Poole
It’s all about productivity or maybe it’s all about delivering value. Or creating secure applications, dealing with changing directions.
Whatever it it we often feel that we’re lacking - that it’s hard enough to be any sort of developer. That even 1x is often a challenge
In this talk we’re going to examine how to think more clearly about being a Java developer:, help you understand the tools and approaches that can offer practical insight into how you work now as well as providing guidance on alternatives that just might give you the powered armour you need.
A mix of tools, proven processes, new techniques and lessons learnt the hard way make up a session designed to help you understand that being a 10x developer isn’t about having super powers - it’s about using the powers you already have in wiser, more considered ways.
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving overt 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven central and what the philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the API’s you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving overt 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven central, explain why Sonatype,( who are the stewards of Maven Central), provide such a critical service and what our philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the API’s you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Steve Poole
A small but vital step on a long road was made last year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but world wide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Log4Shell - Armageddon or Opportunity.pptxSteve Poole
It’s said that everyone remembers where they were when a momentous event occurs. Where were you on the 10 December 2021 or did the most comprehensively dangerous Java vulnerability pass you by?
Don’t be fooled into thinking it’s all over. Even by mid year the number of vulnerable servers will still be high because organisations still fail assess their vulnerability state correctly.
In this session I’ll cover, in detail, the actual mechanics of the vulnerability and demo a simple attack. I’ll take you through why this vulnerability can be as bad as it gets and explain what the options are to protect you application and how to assess if you’re still at risk.
It’s not all bad news. The Log4Shell wake up call shows us that we’re not paying the right sort of attention to security across the board but we can learn to do better. I’ll end the talk with explaining why security really matters, what developers can do improve their understanding of security principles in general and cover some of the practical next steps that are available.
Log4Shell is changing our world - let’s make sure its for the right reasons. Opportunity is knocking on your door.
Want to make some money? A little bitcoin on the side? In this session we’ll take you through a few of the ways that Ransomware works. Probably one of the fastest growing forms of cybercrime - we’ll explore the motivations (it’s not all about money) how a typical attack occurs , how your actions and inactions help make the problem worse and generally educate you on the ransomware-as-a-service business that could easily be coming to a server near you. Take the time to see how your CI/CD pipelines can be vulnerable and what you can do to make your application safer and your data more secure.
Some say ransomware is simply a cost of doing business - whether thats true or not ransomware is not going away any time soon This talk will help you get up to speed and started on your journey of improving your defences.
Game Over or Game Changing? Why Software Development May Never be the same againSteve Poole
A small but vital step on a long road was made this year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but world wide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Agile Islands 2020 - Dashboards and CultureSteve Poole
This talk examines how what you share will define you. The act of monitoring and dashboarding can have a profound effect, good or bad - on the attitudes and culture of the teams involved. With supporting case studies this session will show how you to help make any team more effective
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Steve Poole
Much of the adoption of Agile and DevOps tools and processes focus on the benefits to delivering high quality code on an industrial scale. Although we all recognise that good visual representations of progress and status are critical, it may not be obvious that the act of visualisation can have a profound effect on the attitudes and culture of the teams involved. The right sort of data and appropriate dash-boarding can improve the morale and effectiveness of all the teams involved. The wrong sort of can have the opposite effect.
This talk examines how what you share will define you. Through real examples and a live demo, the speaker will show you how to design status and trend displays that will make your teams more effective without overloading them. The talk will also include case studies with various types of teams to highlight how you can apply this thinking to help make any group more effective.
Beyond the Pi: What’s Next for the Hacker in All of Us?Steve Poole
Being a geek can be a tough life. Once you’ve got those LEDs blinking or that robot car moving around, the fun can be over. So what else is there to play with? What other exciting ideas are out there? For the geek at heart, this session showcases some of the new and newish tech that’s available for you to play with.
From AR to VR, from mind control to autonomous drones, we have a lot of everything, and some of it will even be on display. Whether it’s tech you can wear or tech that swims, we’ve got the insight. Bring your mind, and let us refuel your imagination.
Drooling optional.
A Modern Fairy Tale: Java Serialization Steve Poole
Once, long ago, we we looked at serialization as an important addition to Java. As the years passed, we began to recognize the flaws in its design and sighed. Today we realize that the story of serialization has become a dark and twisted tale. In this session, see why we still need serialization, how the built-in design is fatally flawed, and how it is being exploited and used against us. Learn how to work against the dark arts rallied against us, and understand how even the alternative forms of Java serialization can still be open to attack.
Does this tale have a happy ending? Can goodness prevail and can you make your application safe from Java serialisation weaknesses?
Only your can decide.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
2. @spoole167
About me
Steve Poole
IBM Lead Engineer / Developer advocate
@spoole167
Making Java Real Since Version 0.9
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
3. @spoole167
The scary
Stuff looks like this
The scary
Stuff looks like this
This talk is a technical horror story
The Technical
Stuff looks like this
The scary
Stuff looks like this
https://www.flickr.com/photos/koolmann/
5. @spoole167
What is a vulnerability?
“A vulnerability is a bug which can be exploited by an attacker”
Exploits can attack your availability
Bringing your system down by making it crash
Making your system unresponsive though excessive memory / CPU / network
usage
Exploits can reduce Integrity
Modification of application data
Arbitrary code execution
Exploits can breech confidentiality
Privilege elevation
Exposure of sensitive information
9. Organized Cybercrime is the most profitable type of crime
• In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC)
estimated globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
11. @spoole167
Java Vulnerability example
In a version of a java communications library a long time ago.
A Properties object which mapped labels to classnames
“decode” = “org.foo.decoder.Decoder”
When the class couldn’t be instantiated an exception was returned
“Cannot instantiate ‘decoder’ class ‘org.foo.decoder.Decoder’”
12. @spoole167
Unfortunately
When retrieving the label if it wasn’t found in the Properties object then the
library looked in the System Properties object.
The result?
A remote attacker could systematically retrieve the value of every System
Property.
“Cannot instantiate ’user.home’ class ‘/Users/joe’”
13. So who are the
bad guys?
https://www.flickr.com/photos/monsieurlui/
14. A mirror of you?
• Organized and methodical
• organized like startup companies.
• “employ” highly experienced developers with deep knowledge
• Constantly innovating malware, seeking out vulnerabilities
• Sharing what they find with each other (for $ of course)
• Goal focused
• the average age of a cybercriminal is 35 years old.
15. Who’s being targeted?
• Middle level executives – afraid of their bosses?
• New joiners – easy to make a mistake?
• Busy and harassed key individuals – too busy to take time to consider?
• Disgruntled employees – want to hurt the company? Make some $?
• And Developers – the golden goose.
The bad guys prey on the weak, vulnerable and ignorant
16. Developers
• Why ?
• We know the inside story
• We write the code
• We have elevated privileges
• We are over trusting
• We use other peoples code and tools without inspection
• we are ignorant of security matters
The bad guys prey on the weak, vulnerable and ignorant
18. Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
19. TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
X509Certificate[] certs, String authType) {
}
public boolean isClientTrusted( X509Certificate[] cert) {
return true;
}
public boolean isServerTrusted( X509Certificate[] cert) {
return true;
}
}
};
Ever written something
like this?
20. We’ve all done something like that
“A vulnerability is a bug which can be exploited by an
attacker”
21. We’ve all done something like that
“A vulnerability is a bug which can be exploited by an
attacker”
“A vulnerability is also a feature which can be exploited
by an attacker”
22. Vulnerabilities
• Bugs and design flaws in your software and
the software you use.
• Everyone has them.
• Researchers are looking for them all the
time.
• So are the bad guys
https://www.flickr.com/photos/electronicfrontierfoundation/
24. @spoole167
“Common Vulnerabilities & Exposures”
https://cve.mitre.org
The Standard place find details about ‘CVEs’
International cyber security community effort
Common naming convention and unique references.
Allows you to know when a problem is resolved in something your using
26. @spoole167
CVE-2016-
2510
BeanShell (bsh) before 2.0b6, when included on the
classpath by an application that uses Java
serialization or XStream, allows remote attackers to
execute arbitrary code via crafted serialized data,
related to XThis.Handler.
CVE-2016-
0686
Unspecified vulnerability in Oracle Java SE 6u113,
7u99, and 8u77 and Java SE Embedded 8u77
allows remote attackers to affect confidentiality,
integrity, and availability via vectors related to
Serialization.
CVE-2015-
4805
Unspecified vulnerability in Oracle Java SE 6u101,
7u85, and 8u60, and Java SE Embedded 8u51,
allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors
related to Serialization.
keywords=java serialization (first three as of May 11th
)
27. @spoole167
CVE-2016-0686
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java
SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity,
and availability via vectors related to Serialization.
That’s all you will find about this fix
28. @spoole167
Common Vulnerability Scoring System
Base CVSS combines several aspects into a single score
Attack vector and complexity – local, remote etc.
Impact – integrity, confidentiality etc.
Privileges required?
Represented as a base score and a CVSS vector
CVSS 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Additional temporal CVSS considers aspects that may change over time
Availability of an exploit
Availability of a fix
IBM X-Force
IBM’s security research organization
Provides base and temporal CVSS scores for all published CVEs
Database can be accessed via a REST API
29. @spoole167
Example CVSS vector
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: N (network)
Attack Complexity: L (low)
Privileges Required: N (none)
User Interaction: R (required)
Scope: C (changed)
Confidentiality impact: H (high)
Integrity impact: H (high)
Availability impact: H (high)
Using the CVSS v3.0 calculator
Low = 0.0-3.9. Medium= 4.0-6.9 High= 7.0-8.9 Critical = 9.0-10.0
Note – assessments are based on
the assumption that everyone behaves
“sensibly”
If you give everyone root access to a
machine your mileage will differ
30. @spoole167
How are vulnerabilities communicated?
Oracle
CPU Advisory
Risk Matrix
IBM
Java and Product Security Bulletins
All IBM Security Bulletins are communicated on the PSIRT blog
Can subscribe to Bulletins for specific products using My Notifications
Java SDK Developer Centre
31. Talking about the details of a fix or flaw in public is just like
tweeting your credit card # and pin
So we dont
32. @spoole167
Oracle Critical Patch Updates
Released quarterly on set dates
Third Tuesday in January, April, July, and October
Security releases are always odd-numbered
Version numbers have gaps to allow for out-of-cycle releases
E.g. 8u121, 8u131, 8u141
JDK 9 will use semantic versioning
Each release contains CVE and security-in-depth fixes
Security-in-depth issues are not described publicly
Patches merged into OpenJDK several weeks later
All Oracle software updated on the same date – not just Java
33. @spoole167
IBM PSIRT Process
Product Security Incident Response Team
Java and every other IBM products follow IBM’s PSIRT process
Process and vulnerability tracking owned by a central team
Each product has a PSIRT representative
Each product communicates vulnerabilities to their consumers
Process details are IBM Confidential
Vulnerabilities must be fixed within timeframes depending on CVSS
Extremely urgent issues must be fixed more quickly
Out-of-cycle release if necessary
34. @spoole167
IBM PSIRT Process
Regular quarterly security releases to ship Oracle fixes
IBM-specific issues may also be fixed in these releases
Version numbers have gaps to allow for out-of-cycle releases
E.g. 8.0.3.0, 8.0.3.10
Aim to release as close to Oracle’s CPUs as possible
Java SDK update usually within two weeks
Security Bulletin published
36. @spoole167
How are Java vulnerabilities discovered?
Oracle/IBM internal development and testing
Details and test code shared on a need to know basis
Exploits never published externally
Third party researchers (white hats)
Issues reported discreetly
Details and exploits disclosed responsibly
Bad guys (black hats)
Exploits published online – bad
Exploits sold in secret – worse
37. @spoole167
What if I discover a vulnerability?
Report it responsibly
Oracle or OpenJDK component (e.g. HotSpot VM, AWT, Net, Plugin)
Report it to Oracle
IBM component (e.g. J9VM, IBM ORB, IBM JCE/JSSE)
Report it to IBM
What you should not do
Don’t shout about it!
Don’t send a mail to an OpenJDK mailing list
Don’t post the details on a forum/blog
Don’t sell it to the bad guys
Don’t worry about apparent lack of severity – always report it
38. @spoole167
How are Java vulnerabilities addressed?
Ideally as quickly as possible, but it depends on
CVSS
Impending disclosure
Resources
In general:
Issues categorised internally
Fixes targeted for a future scheduled regular security release
Fixes may be deferred or brought forward if things change
Extremely urgent issues may trigger an out of cycle release
40. @spoole167
Java’s reputation?
Little focus on security in 1990s and early 2000’s
Whole IT industry, not just Java
Java’s worst year was 2013
Over 160 CVE fixes – 45 in the October 2013 CPU alone
Multiple zero-day vulnerabilities and out-of-cycle releases
HOWEVER, the most widely publicised issues generally did not affect server-side
software
Huge improvement over the last four years
Current levels are approximately 10 CVEs per CPU
42. @spoole167
Attack Vectors – Frequency
69% – Applet/Browser and Untrusted code
13% – Untrusted data
12% – Cryptographic issues
6% – Other
43. @spoole167
Vulnerability applicability
High CVSS is irrelevant if the issue does not apply to you
Java plugin flaws don’t apply to appserver deployments
JAXP issues aren’t relevant if you don’t parse untrusted XML data
Use the Oracle CPU Risk Matrix
Base CVSS scores and vectors
Consider the attack vector for the vulnerability
Oracle Applicability notes
IBM customers: if in doubt, contact IBM Support
IBM Products have detailed applicability information
45. @spoole167
Attack Vectors – Untrusted Code
Code is able to bypass or escape the SecurityManager
Sometimes incorrectly referred to as “client side” issues
Affects any application which runs untrusted code under a security manager
Some server applications do this!
Flaw can be in any component on the classpath
Partial bypass
Exposure of sensitive information – e.g. system property values, heap contents
Arbitrary network connections
Full bypass
Arbitrary code execution and access to operating system
Many server deployments run as root/admin
SecurityManager offers no protection against CPU DoS attacks
Infinite loops
Less of a problem now that unsigned applets are not permitted by default
Applets are deprecated in JDK 9
46. @spoole167
Attack Vectors – Plugin / Web Start
True “client-side” issues
Affect JREs installed as the system default
Exploits can be triggered remotely, usually via a browser
Malicious applet or JNLP file
May involve platform or browser specific components
Installer/updater
Windows Registry entries
Browser callbacks
OS Shell behaviour (command line parsing)
Inappropriate privilege elevation
Applets and browser plugins are deprecated in JDK 9
47. @spoole167
Attack Vectors – Untrusted Data
A Java SE API mishandles a specific type of data
XML, JPG, URLs, Fonts, JARs, Strings
Issues tend to be more severe when the API is implemented natively
Maliciously-crafted data can exploit the bug
DoS – CPU/memory usage, crash
Exposure of sensitive data – arbitrary memory access
Arbitrary code execution – code injection, disabling of SecurityManager
Affects any application which handles the specific data type from untrusted sources
Examples
A server application which allows users to upload images
A server application which accepts SOAP requests
A server application with an XML-based REST API
48. @spoole167
Attack Vectors – Cryptographic Issues
Protocol flaws
Many implementations affected (Java, GSKit, OpenSSL, Browsers)
BEAST, POODLE, SLOTH, Logjam, Bar Mitzvah
Implementation flaws
Specific to Java
No fancy names!
Variable Impact
DoS
Private key exposure
Decryption of encrypted data
49. @spoole167
Attack Vectors – Local
Can only be exploited by a local user
Exposure of sensitive data
E.g. temp files with inappropriate permissions
Code injection
E.g. native code loaded from an unexpected location due to bad LIBPATH
May lead to a remotely exploitable vulnerability
E.g. local user plants malicious code which can be executed remotely
Usually low CVSS due to the access required
50. @spoole167
Deserialization Vulnerabilities
Abuse of the readObject() method of one or more classes
readObject() is invoked before the data is deserialized
Attackers use “gadget chains” in classes on the server’s classpath
Usually a complex set of nested objects which result in a Runtime.exec()
Costly to fix – servers may have multiple copies of the vulnerable code
Applications are vulnerable if they:
Have the vulnerable code on their classpath
Accept untrusted serialized data (this is much more common that you might think!)
Known for years, but came to prominence with problem in Apache Commons remote code
execution
Many products affected – e.g. WebLogic, WebSphere, Tomcat, JBoss, Jenkins
Serialization filtering was added to the Java runtime in January 2017
JEP 290 – Filter Incoming Serialization Data
Allows classes to be whitelisted
52. @spoole167
Example vulnerability
• Infinite loop in java.lang.Double.parseDouble()
• Triggered by the parsing of an obscure value
• 2.2250738585072012e-308
• Bug was reported in 2001
• Spent ten years in a public bug database without the impact being realised
• A researcher rediscovered it, and the significance was realised
• Extremely easy to exploit and inflict a DoS, for example:
• Website running on a Java platform
• Send HTTP requests with headers set to the bad value
• Server’s worker threads are quickly tied up in infinite loops
• Affected all Java releases and a huge number of deployments
• Massive cost to Java Vendors and our customers to produce and apply patches
• CVSS score was only 5.0!
• Good example of how CVSS does not necessarily describe the impact
53. @spoole167
Example vulnerability
• Apache Struts remote code execution
• Mishandling of HTTP request header (i.e. untrusted String data)
• Essentially: untrusted String data passed into Runtime.exec() with no validation (!!!)
• Actual chain of events is complicated and obscure (which is why it wasn’t noticed)
• Trivial to exploit
• Actively exploited in the wild very quickly after patch release
• Severity not clearly communicated
• Easy to scan for vulnerable servers
• Struts is a component in many applications
• Many copies, many versions, many places
• All updates have to be properly tested
• => Massive task to fully patch
54. @spoole167
Example vulnerability – JDWP
• JDWP = Java Debug Wire Protocol
• Disabled by default – enabled with a command line option
• JVM internals can be observed and modified remotely
• No authentication required
• Classes can be changed, code can be injected
• Well-known online banking website
• JDWP enabled on public facing servers (!!!)
• Presumably JDWP was enabled in development/test…
• Found by a researcher after a simple port scan
• Bug bounty => ££££
• Simple fix – disable JDWP!
55. @spoole167
Example vulnerability
Found by a third party researcher who published the details
DLL side-loading vulnerability
Java runtime tries to load libraries from a non-existent folder
Incorrect path is used because a classpath URL is not decoded
A space in the path is encoded as “%20” – C:Program%20Files...
Any user on the system can create a folder with that name
Allows local users to inject code into other users’ Java processes
Privilege escalation if the target user has admin privileges
Once the malicious code is planted, the issue can be exploited remotely via an applet or
Web Start application
Simple fix – decode the URL before using it as a library search path
56. “A vulnerability is a bug which can be exploited by an
attacker”
“A vulnerability is also a feature which can be exploited
by an attacker”
57. “A vulnerability is a bug which can be exploited by an
attacker”
“A vulnerability is also a feature which can be exploited
by an attacker”
“A vulnerability is also a developer aid which can be
exploited by an attacker”
59. Keeping safe: it’s in your hands
Keep current. Every vulnerability fix you apply is one less way in.
Compartmentalise. Separate data, code, access controls etc.
Just like bulkhead doors in a ship: ensure one compromise doesn’t sink your
boat.
Design for intrusion. Review you levels of ‘helpfulness’ and flexibility
Learn about Penetration Testing
Understand that making your development life easier makes the hackers job
easier
60. @spoole167
Reducing Risk
• Keep all Java instances up to date
• Don’t write custom security managers
• Don’t write custom crypto code
• Don’t write custom XML parsers
• Use modern encryption protocols and algorithms
• Be very careful with:
• Untrusted data
• Deserialization (including RMI and JMX)
• JDWP
• Runtime.exec()
• Native code