Author: Brian Vermeer

Avatar
Brian Vermeer

Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, Utrecht JUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences

  • Java Ecosystem Survey 2021

    Just like in 2020, Snyk is creating a comprehensive Java 2021 report that reflects the state of the JVM ecosystem.

    Together with our partner Azul, we would like your input on how you use Java and the JVM ecosystem.

    By submitting your answers to this survey, you are not only helping the community by sharing your data, but you can also help our charity goal for this year.

    Avatar
    Avatar
    B. Vermeer , G. Wielenga
    Read more
  • Explaining Java Deserialization Vulnerabilities (Part 2)

    Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

    Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

    Earlier, in part 1, the basics of Java serialization and deserialization were explained and how to tamper with data in serialized objects. In this part, we continue with even more harmful attacks and show you how you can prevent this in your own code.

    Avatar
    B. Vermeer
    Read more
  • Explaining Java Deserialization Vulnerabilities (Part 1)

    Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

    Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

    Avatar
    B. Vermeer
    Read more
  • Hacking Java XML Input via External Entity Injection

    Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.

    In the video, I explain and demonstrate how an XXE injection attack works by extracting system data that should not be exposed.

    I also show you how you can solve this in your Java code in multiple ways.

    Avatar
    B. Vermeer
    Read more
  • 5 Tips to Create Secure Docker Images for Java Applications

    Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images. This is very convenient as you can use these images from Docker Hub to quickly build an image for your Java application.

    However, the naive way of creating custom Docker images for your Java applications comes with many security concerns. So, how do we make security an essential part of Docker images for Java?

    Avatar
    B. Vermeer
    Read more
  • Minimizing Security Risks in Java Application Development

    United by their passion for open source, Payara and IBM recently teamed up for a panel discussion on security in Java application development.

    Security is something that is considered extremely important, however, it is not always something that is a priority for many development teams. The main question is—how to minimize security risks while developing Java applications.

    In this panel discussion, our experts addressed a variety of topics related to secure application development. Most of the topics were introduced by questions from the audience.

    Avatar
    B. Vermeer
    Read more
  • Java Logging: What To Log & What Not To Log?

    Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.

    In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.

    Avatar
    B. Vermeer
    Read more
  • Use Query Parameterization to Prevent Injection

    When looking at a typical SQL injection in Java, the parameters of a sequel query are naively concatenated to the static part of the query. The following is an unsafe execution of SQL in Java, which can be used by an attacker to gain more information than otherwise intended.

    To prevent this in Java, we should parameterize the queries by using a prepared statement. This should be the only way to create database queries. By defining the full SQL code and passing in the parameters to the query later, the code is easier to understand. Most importantly, by distinguishing between the SQL code and the parameter data, the query can’t be hijacked by malicious input.

    Avatar
    B. Vermeer
    Read more
  • Avoid Java Serialization!

    Serialization in Java allows us to transform an object to a byte stream. This byte stream is either saved to disk or transported to another system. The other way around, a byte stream can be deserialized and allows us to recreate the original object.

    If you need to Deserialize an inputstream yourself, you should use an ObjectsInputStream with restrictions. A nice example of this is the ValidatingObjectInputStream from Apache Commons IO. This ObjectInputStream checks whether the object that is deserialized, is allowed or not.

    Avatar
    B. Vermeer
    Read more
  • How to Configure Your Java XML Parsers to Prevent XXE Attacks

    With XML eXternal Entity (XXE) enabled, it is possible to create a malicious XML, as shown below, and read the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities. Java XML libraries are particularly vulnerable to XXE injection because most XML parsers have external entities by default enabled.

    Changing the default settings of the DefaultHandler and the Java SAX parser to disallow external entities and doctypes for xerces1 or xerces2, respectively, prevents these kinds of attacks.

    Avatar
    B. Vermeer
    Read more
  • Fixing Vulnerabilities in Maven Projects

    Maven is still the most used build system in the Java ecosystem. According to the JVM report 2020, Maven is the number one build tool in the ecosystem with two-thirds of the share.

    Therefore, it is important to now how Maven works. For instance, if you find vulnerabilities in your Maven project using Snyk, how can you fix them?

    Avatar
    B. Vermeer
    Read more

Subscribe to foojay updates:

https://foojay.io/feed/
Copied to the clipboard