Talk given at ISSA Wisconsin Chapter meeting, Jan 10, 2017.
Abstract:
"'Enterprise Java' is a term we hear daily. However, how many of us actually--empirically--know what that represents from a risk, threat, and exposure basis, from the asset(s) it's on and the data it accesses to the enterprise at-large that it sits within? This talk will explore the size, scope, and omnipresence of 'Enterprise Java' in all its forms, and seek to give it a quantifiable attack surface. It will encompass various exemplars of where Enterprise Java appears in the enterprise: from the overt and ubiquitous application servers to the not so overt (but still ubiquitous) use in network appliances and 'devices' (IoT) emerging today, and what this means to the threat profiles and attack surfaces of your organization."
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
1. ENTERPRISE JAVA: Just What Is It and the Risks, Threats, and Exposures It Poses
By Alex Senkevitch, CISSP, CISM
Milwaukee Chapter Meeting
10 Jan 2017
2. WHAT'S IN STORE
1.0 Background (this stuff)
2.0 Facets of an Attack Surface
2.1 The Java Programming Language
2.2 Application Containers
2.3 Container Extensions
2.4 Third-Party Frameworks and Libraries
3.0 Where Are the Wild Things?
4.0 Q&A
3. YOUR SPEAKER TODAY IS...
Alex Senkevitch, CISSP, CISM
o Working in security research and architecture in Fortune 500/Global 2000 for 20 years
o Worked in embedded systems and network engineering before that
o Have patents in multi-tiered security and event analytics systems
o Have multiple reported CVEs in Enterprise Java architectures; and
o Routinely continue to find 0-days on an ongoing basis (for clients)
o Primary research interests are in data manipulation and "full" application stacks, specifically Java and node.js stacks
6. SO HOW COMPLEX IS ENTERPRISE JAVA ANYWAY?
o "Enterprise Java" is:
o A programming language
o A virtual machine
o A container
o A container
o A container
o Vendor container extensions
o Industry container extensions
o Third-party frameworks
o Third-party libraries
Aggregate Attack Surface
7. FACETS OF AN ATTACK SURFACE 2.1
The Java Programming Language
8. WHAT'S IN A LANGUAGE
o Initially started in 1991 (called Oak), for an "interactive television" project @ Sun Microsystems
o First public preview (1.0) in 1995, called Java (after the coffee)
o Abstracted from the hardware ("machine code") via "byte-code" model
o Sun's initial claim: Apps could be "100% Java" (no native code needed)
o Had five (5) design goals for the language, one of which was very interesting...
 Goal #2: "1.2.2: Robust and Secure" (http://www.oracle.com/technetwork/java/intro-141325.html#367):
"Java technology is designed to operate in distributed environments, which means that security is of paramount importance. With security features designed into the language and run-time system, Java technology lets you construct applications that can't be invaded from outside. In the network environment, applications written in the Java programming language are secure from intrusion by unauthorized code attempting to get behind the scenes and create viruses or invade file systems."
 "The best laid schemes o' Mice an' Men..." - Robert Burns (More on this to follow...)
9. CODEBASE COMPLEXITY
[Chart: API size, JDK 1.0 vs. JDK 8]
Java 8 represents a ~1,900% increase in API size and complexity since JDK 1.0
...and that doesn't include any third-party code
(source: Java 8 Pocket Guide book by Robert Liguori, Patricia Liguori)
10. HOW A LANGUAGE GETS EXECUTED
Once compiled to byte-code (i.e., the Java opcodes), a virtual machine is needed to process it:
The class files (compiled byte-code) are fed in
They are parsed and processed through to the Execution Engine
The Execution Engine then interfaces with the underlying OS
11. WHEN 100% IS MORE LIKE 82%
o The Java Platform is 100%, well, Java code...right? NOPE!
o Remember the JVM's "Execution Engine"
o It passes off anything that the Java APIs can't do within the JVM itself to the Native Method Interface
o Like: file system access, network access, security management, etc.
o So, what does that mean to me?
o When byte-code language A doesn't match native language B's structure and alignment...
o Language primitive mismatch bypasses (e.g., NUL byte bypasses)
o Encoding bypasses (e.g., Overlong UTF-8 bypass)
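A defensive check for the two mismatches named above, as an added example that is not from the talk: the JDK's default decoder silently replaces malformed UTF-8, so this code asks it to report instead, and it refuses an embedded NUL before a string can reach native code. The class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

/** Added example: checks applied before a value crosses from Java to native code. */
public final class BoundaryInputCheck {

    /**
     * Decode request bytes with REPORT instead of the JDK default of REPLACE, so an
     * overlong form such as C0 AF (a two-byte encoding of "/") fails here rather
     * than being folded into a character after a string-level check has passed.
     */
    public static String strictUtf8(byte[] raw) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw))
                .toString();
    }

    /** A Java String carries an embedded NUL; a C string handed to the OS stops at it. */
    public static String rejectNul(String s) {
        if (s.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("embedded NUL in input");
        }
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        byte[] overlongSlash = {'a', (byte) 0xC0, (byte) 0xAF, 'b'};
        String nulSplit = "report.pdf\0.txt";
        try {
            strictUtf8(overlongSlash);
        } catch (CharacterCodingException e) {
            System.out.println("rejected overlong UTF-8: " + e);
        }
        try {
            rejectNul(nulSplit);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + rejectNul("report.pdf"));
    }
}
```

Recent JDKs refuse a NUL inside a java.io.File path on their own; other native sinks get no such check, which is why the gate belongs at the input boundary.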
12. GOAL #2: JAVA IS SECURE BY DEFAULT...RIGHT?
o It's secure because goal #2 says so, right?
o Unfortunately, no.
o The Java Platform shows security wasn't the primary design focus:
o Limited to no bounds checking
o ZipEntry class allows relative ("../") paths
o String concatenation of parametric constructors
o The parametric URI class constructors concatenate supplied parameter values
o Weak XML processor behavior by default
o Most packaged XML parsers allow inline DTD processing by default (e.g., DocumentBuilderFactory)
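Two of the defaults listed above corrected in code, as an added example rather than anything shown in the talk: a ZipEntry name is only used once it resolves inside the destination directory, and the DocumentBuilderFactory is told to refuse a DOCTYPE. The class name and the /tmp/extract destination are my own choices.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

/** Added example: closing two of the gaps listed on the slide. */
public final class SecureDefaults {

    /**
     * ZipEntry.getName() returns whatever the archive author wrote, "../" included.
     * Resolve it under the destination and confirm the normalized result stays there
     * (an absolute entry name fails the same test).
     */
    public static Path safeTarget(Path destDir, ZipEntry entry) {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entry.getName()).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("entry escapes destination: " + entry.getName());
        }
        return target;
    }

    /**
     * DocumentBuilderFactory accepts an inline DOCTYPE by default. Refusing the DOCTYPE
     * removes entity declarations in one step; the other settings cover parsers that
     * do not honour the first feature.
     */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        Path dest = Paths.get("/tmp/extract");   // constructed destination directory
        System.out.println(safeTarget(dest, new ZipEntry("docs/readme.txt")));
        try {
            safeTarget(dest, new ZipEntry("../../outside.txt"));
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        DocumentBuilderFactory f = hardenedFactory();
        System.out.println("doctype disallowed: "
                + f.getFeature("http://apache.org/xml/features/disallow-doctype-decl"));
    }
}
```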
13. THE JAVA COMMUNITY PROCESS (JCP)
Created by Sun Microsystems because they didn't want to work with international standards organizations (e.g., ISO)
The means by which additional functionality is introduced to the Java Platform
This is done by means of Java Specification Requests (JSR)
A JSR can be for something as small as a modified time format
Or as large as a whole new container extension (e.g., the Portlet API, JSR 186 & 286)
14. UNDER THE HOOD: OBJECT SERIALIZATION
Java Serialization is Sun's solution to the Marshalling/Unmarshalling problem in Object Oriented Programming
Marshalling converts an object from its resident format in memory to a serialized (linear binary) format suitable for transmitting or storing
Unmarshalling is the reverse
Exposure:
 Once marshalled, all protections of the JVM and language specification are removed
 If used as form input, there's no way to validate the input without processing it first (unmarshalling)
 There are very limited restrictions that can be put on remote requests to marshall objects
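An added example, not from the talk, of the one place a check can go when the input is a serialized object: ObjectInputStream calls resolveClass for each class descriptor before it instantiates that type, so an allow-list there rejects the stream before any object is built. The class name and the Date/HashMap sample streams are constructed for the demo.

```java
import java.io.*;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Set;

/** Added example: an allow-list gate that decides on the class name before anything is built. */
public final class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    /** Called for each class descriptor as it is read, i.e. before that type is instantiated. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Demo helper: marshal an object exactly as a client would before sending it. */
    static byte[] marshal(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(Date.class.getName()); // constructed allow-list
        byte[] expected = marshal(new Date(0));                     // what this endpoint is built for
        byte[] unexpected = marshal(new HashMap<String, String>()); // anything else
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(expected), allowed)) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(unexpected), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

From Java 9 (and the 8u121 backport) the same gate exists as the built-in ObjectInputFilter of JEP 290, which is preferable where available.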
15. UNDER THE HOOD: THE RMI API
Remote Method Invocation (RMI) API
Initially released in JDK 1.1 (Feb 1997)
Was Sun's answer to Remote Procedure Calls (RPCs) in conventional systems
Initially only allowed communications from JVM to JVM
 This manner of communications is called the Java Remote Method Protocol (JRMP)
 It is the default transport protocol for RMI
Was later adapted to use CORBA to allow JVM to non-JVM communications
 This manner of communication is called RMI over IIOP (RMI-IIOP)
 This is used broadly by large commercial Enterprise Java containers
Between these two milestones, some vendors introduced their own proprietary protocols
 WebLogic's "T3" protocol, which is hard-wired into WebLogic to this day
16. FACETS OF AN ATTACK SURFACE 2.2
Application Containers
17. STATS 101: WHAT'S IN USE THESE DAYS
(source: Java Tools and Technologies Landscape 2016; RebelLabs)
o Majority are using open source
o Majority are using a "lightweight" footprint
o For commercial products, dev deployments != production
18. CONTAINER (IN)SECURITY
Apache Tomcat became the de facto reference implementation
With that, also came all of its bad designs and configurations:
 The âAutoDeployerâ functionality
 Ability to access the application ClassLoader via web deployment configurations
 The InvokerServlet (for objects, EJBs, etc.)
 Has been adopted, in some form, by every commercial container incorporating Tomcat
 Implied trust in the instrumentation implementation
 Java Management Extensions (JMX) using Management Beans (MBeans) over insecure RMI servers
 Tunneling of RMI, JMX, and other protocols in-band to HTTP
19. FACETS OF AN ATTACK SURFACE 2.3
Container Extensions
20. THERE ARE EXTENSIONS?!
Vendor extensions
IBM WebSphere
BEA/Oracle WebLogic
Oracle JBoss/WildFly
Industry extensions
OASIS
Eclipse Foundation
OSGi Alliance
JCP Extensions
JSR 186 & 286 - The Portlet API - Introduced the notion of a new container type: the Portal Server
21. FACETS OF AN ATTACK SURFACE
2.4
Third-Party Frameworks and
Libraries
22. TAXONOMY OF A FRAMEWORK OR LIBRARY
o Basically, anything not covered by the language, core APIs, or Java EE APIs
o "Enterprise" frameworks were rolled out before J2EE was
o It's the reason J2EE came about
o They are unregulated relative to each other, or the core APIs
o The vast majority of code each framework or library introduces...is unused by the application importing them!
o "I just need a template engine for my forms...maybe something with domain/range validation"
o The majority of an application's deployed size is from third-party code
o Increased size == increased risks, threats, and exposures
23. WHAT'S IN USE TODAY
o Spring wins!
o But we see unmaintained frameworks still in use (7% Struts)
(source: Java Tools and Technologies Landscape 2016; RebelLabs)
24. HOW BAD COULD IT BE?
Spring - remote code execution
Struts 1.x - remote arbitrary classloader access
Struts 2.x - remote arbitrary classloader access
Apache Jakarta Commons - remote code execution via Java serialization manipulation
25. LIVE FIRE EXERCISES (DEMO)
Image: US Marines assigned to Mike
Battery, 4th Battalion, 14th Marines - 2004
27. WHERE THEY LIVE
Overt Locations
Application Servers
Big Data servers
Android OS (Dalvik JVM)
Desktops
Covert Locations
Network applications
 Most "black box" application servers
 Mail gateways, SIP servers, etc.
Consumer devices (your new fridge)
 IoT devices
 Set-top boxes
 SIP handsets
Database Engines
 RDBMS SQL/J implementations