Author: Brian Vermeer


Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, Utrecht JUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and a regular international speaker at mostly Java-related conferences.

  • Preventing YAML Parsing Vulnerabilities in Java

    YAML is a human-readable language to serialize data that’s commonly used for config files. The word YAML is an acronym for “YAML ain’t a markup language” and was first released in 2001. You can compare YAML to JSON or XML as all of them are text-based structured formats.

    YAML files are often used to configure applications, application servers, or clusters. It is a very common format in Spring Boot applications and, of course, to configure Kubernetes. However, similarly to JSON and XML, you can use YAML to serialize and deserialize data.

    B. Vermeer
  • Fix Java Security Issues While Coding in IntelliJ IDEA

    Nowadays, developers are responsible for more than just creating the application. Besides working on features, developers have to focus on their applications’ maintainability, scalability, reliability, and security. Many developers are unsure of where to start with security. In addition, most companies still work with a dedicated security team instead of having security expertise inside the team.

    A lot of developers practically live in their integrated development environment (IDE). A good IDE is like a swiss army knife: it is your go-to tool to do almost everything. Having everything I need to build, run, test, debug, and secure my application, makes a good IDE invaluable for many developers.

    B. Vermeer
  • 8 Best Practices to Prevent SQL Injection Attacks

    SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query, for instance when filling in a web form. If SQL injection is possible, smart attackers can craft user input to steal valuable data, bypass authentication, or corrupt the records in your database.

    There are different types of SQL injection attacks, but in general, they all have a similar cause. The untrusted data that the user enters is concatenated with the query string. Therefore the user’s input can alter the query’s original intent.

    B. Vermeer
  • Java Ecosystem Survey 2021

    Just like in 2020, Snyk is creating a comprehensive Java 2021 report that reflects the state of the JVM ecosystem.

    Together with our partner Azul, we would like your input on how you use Java and the JVM ecosystem.

    By submitting your answers to this survey, you are not only helping the community by sharing your data, but you can also help our charity goal for this year.

    B. Vermeer, G. Wielenga
  • Secure Code Review Best Practices (Part 2)

    Reviewing someone’s code is hard, specifically when you also have to look at security issues.

    Combining the 4 best practices from part 1 with the best practices in this part already gives you 8 pointers to improve your skills.

    B. Vermeer
  • Secure Code Review Best Practices (Part 1)

    Code reviews are hard to do well. Particularly when you’re not entirely sure about the errors you should be looking for!

    When you’re reviewing code, be aware that not all code is written equal! Think also about what lies behind the code that you’re reviewing, and thus the data and assets you are trying to protect. This working knowledge is something that isn’t easy to add to a checklist.

    However, using the tips below, alongside your domain knowledge, will assist you in deciding where you should spend more of your time and where you should expect higher risk and different types of attacks.

    B. Vermeer
  • Explaining Java Deserialization Vulnerabilities (Part 2)

    Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

    Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

    Part 1 explained the basics of Java serialization and deserialization and showed how data in serialized objects can be tampered with. In this part, we continue with even more harmful attacks and show you how you can prevent them in your own code.

    B. Vermeer
  • Explaining Java Deserialization Vulnerabilities (Part 1)

    Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

    Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

    B. Vermeer
  • Hacking Java XML Input via External Entity Injection

    Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.

    In the video, I explain and demonstrate how an XXE injection attack works by extracting system data that should not be exposed.

    I also show you how you can solve this in your Java code in multiple ways.

    B. Vermeer
  • 5 Tips to Create Secure Docker Images for Java Applications

    Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images. This is very convenient as you can use these images from Docker Hub to quickly build an image for your Java application.

    However, the naive way of creating custom Docker images for your Java applications comes with many security concerns. So, how do we make security an essential part of Docker images for Java?

    B. Vermeer
  • Minimizing Security Risks in Java Application Development

    United by their passion for open source, Payara and IBM recently teamed up for a panel discussion on security in Java application development.

    Security is considered extremely important, yet it is not always a priority for many development teams. The main question is how to minimize security risks while developing Java applications.

    In this panel discussion, our experts addressed a variety of topics related to secure application development. Most of the topics were introduced by questions from the audience.

    B. Vermeer
