Author: Brian Vermeer

Brian Vermeer

Java Champion & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and a regular international speaker at mostly Java-related conferences.

  • How to do password hashing in Java applications the right way!

    There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking wrong can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁. In this article …

    Brian Vermeer
    Read more
  • Spring4Shell: Zero-Day RCE in Spring Framework Explained

    On March 30, 2022, a critical remote code execution (RCE) vulnerability was found in the Spring Framework. More specifically, it is part of the spring-beans package, a transitive dependency in both spring-webmvc and spring-webflux. This vulnerability is another example of why securing the software supply chain is important to …

    Brian Vermeer
    Read more
  • Security Warning: Your Java Attack Surface Just Got Bigger

    Learn about common threats, vulnerabilities, and misconfiguration including the recently disclosed issues in Log4j.

    Brian Vermeer
    Read more
  • Java Logging: What To Log & What Not To Log?

    Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.

    In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.

    Brian Vermeer
    Read more
  • Log4Shell: Critical Log4j RCE Vulnerability – Update to Version 2.15.0

    On Dec. 10, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228 and categorized as Critical with a CVSS score of 10, which is the highest score possible. The vulnerability was discovered by Chen Zhaojun …

    Brian Vermeer
    Read more
  • New Java 17 Features for Improved Security and Serialization

    In December 2020, I wrote the article Serialization and deserialization in Java: explaining the Java deserialize vulnerability about the problems Java has with its custom serialization implementation. The serialization framework is so deeply embedded inside Java that knowing how dangerous some implementation …

    Brian Vermeer
    Read more
  • How Social Trends Help Me Fix Essential Vulnerabilities

    Our research team found a strong correlation between socially trending vulnerabilities and the existence of exploits that can actually harm your application.

    Brian Vermeer
    Read more
  • Discussion: State of Java 2021

    A discussion with some great folks in the Java world about the highlights of the Snyk Java Ecosystem report and current developments in Java.

    Brian Vermeer
    Read more
  • Why You Should Upgrade to Maven Version 3.8.1 Today or Very Soon

    If you are working in the Java ecosystem and building your applications with an older Maven version, this message is for you.

    Check your Maven version by typing mvn -version! If you are still running on an old Maven version like 3.6.3 or below, you definitely need to upgrade to version 3.8.1 for security reasons.

    Be aware that to run Maven 3.8.1, Java 7+ is required.

    Brian Vermeer
    Read more
  • Getting Started with Snyk for Secure Java Development

    If you’re a Java developer who wants to develop your applications more securely, you’ve come to the right place. Snyk can help you with that mission.

    This article explains how to begin with Snyk for secure Java development so you can be more secure from the get-go.

    Brian Vermeer
    Read more
  • New JVM Ecosystem Report 2021 Has Arrived!

    Snyk has just released the annual JVM ecosystem report! This report presents the results of the largest annual survey on the state of the JVM ecosystem.

    This year’s survey is a cooperation between Snyk and Azul and was slightly different from the previous surveys.

    We aimed for the survey to be more concise and focus only on the most important aspects of JVM developers today. Additionally, this year every participant was allowed to choose multiple options. We believe that the way the 2021 survey was designed, we have a better and more comprehensive view of the current JVM ecosystem. In this report, we also looked at different open data sources like GitHub and Google Trends to see how that data compares to the survey results.

    Brian Vermeer
    Read more
  • Java Encryption and Hashing

    If you need to store sensitive data in your system, you have to be sure that you have proper encryption in place.

    First of all, you need to decide what kind of encryption you need, for instance, symmetric or asymmetric.

    Also, you need to choose how secure it needs to be. Stronger encryption takes more time and consumes more CPU.

    The most important part is that you don’t need to implement the encryption algorithms yourself. Encryption is hard and a trusted library solves encryption for you.

    Brian Vermeer
    Read more
  • Sanitize All Input!

    Cross-site scripting (XSS) is a well-known issue and mostly utilized in JavaScript applications.

    However, Java is not immune to this. XSS is nothing more than an injection of JavaScript code that’s executed remotely.

    Rule #0 for preventing XSS, according to OWASP, is “Never insert untrusted data except in allowed locations.”

    The basic solution to this Java security risk is to prevent untrusted data, as much as possible, and sanitize everything else before using the data.

    Brian Vermeer
    Read more
  • Preventing YAML Parsing Vulnerabilities in Java

    YAML is a human-readable language to serialize data that’s commonly used for config files. The word YAML is an acronym for “YAML ain’t a markup language” and was first released in 2001. You can compare YAML to JSON or XML as all of them are text-based structured formats.

    YAML files are often used to configure applications, application servers, or clusters. It is a very common format in Spring Boot applications and, of course, to configure Kubernetes. However, similarly to JSON and XML, you can use YAML to serialize and deserialize data.

    Brian Vermeer
    Read more
  • Fix Java Security Issues While Coding in IntelliJ IDEA

    Nowadays, developers are responsible for more than just creating the application. Besides working on features, developers have to focus on their applications’ maintainability, scalability, reliability, and security. Many developers are unsure of where to start with security. In addition, most companies still work with a dedicated security team instead of having security expertise inside the team.

    A lot of developers practically live in their integrated development environment (IDE). A good IDE is like a Swiss army knife: it is your go-to tool to do almost everything. Having everything I need to build, run, test, debug, and secure my application makes a good IDE invaluable for many developers.

    Brian Vermeer
    Read more
  • 8 Best Practices to Prevent SQL Injection Attacks

    SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query, for instance, when filling in a web form. If SQL injection is possible, smart attackers can craft user input to steal valuable data, bypass authentication, or corrupt the records in your database.

    There are different types of SQL injection attacks, but in general, they all have a similar cause. The untrusted data that the user enters is concatenated with the query string. Therefore, the user’s input can alter the query’s original intent.

    Brian Vermeer
    Read more
  • Java Ecosystem Survey 2021

    Just like in 2020, Snyk is creating a comprehensive Java 2021 report that reflects the state of the JVM ecosystem.

    Together with our partner Azul, we would like your input on how you use Java and the JVM ecosystem.

    By submitting your answers to this survey, you are not only helping the community by sharing your data, but you can also help our charity goal for this year.

    Brian Vermeer, Geertjan Wielenga
    Read more
  • Secure Code Review Best Practices (Part 2)

    Reviewing someone’s code is hard, specifically when you also have to look at security issues.

    Combining the 4 best practices from part 1 with the best practices in this part already gives you 8 pointers to improve your skills.

    Brian Vermeer
    Read more
  • Secure Code Review Best Practices (Part 1)

    Code reviews are hard to do well. Particularly when you’re not entirely sure about the errors you should be looking for!

    Be sure, when you’re reviewing code, to understand that not all code is written equal! Think also about what lies behind the code that you’re reviewing, and thus the data and assets you are trying to protect. This working knowledge is something that isn’t easy to add to a checklist.

    However, using the tips below, alongside your domain knowledge, will assist you in deciding where you should spend more of your time and where you should expect higher risk and different types of attacks.

    Brian Vermeer
    Read more
  • Explaining Java Deserialization Vulnerabilities (Part 2)

    Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

    Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

    Earlier, in part 1, the basics of Java serialization and deserialization were explained and how to tamper with data in serialized objects. In this part, we continue with even more harmful attacks and show you how you can prevent this in your own code.

    Brian Vermeer
    Read more
  • Explaining Java Deserialization Vulnerabilities (Part 1)

    Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

    Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

    Brian Vermeer
    Read more
