Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.
If you are working in the Java ecosystem and building your applications with an older Maven version, this message is for you.
Check your Maven version by typing mvn -version! If you are still running on an old Maven version like 3.6.3 or below you definitely need to upgrade to version 3.8.1 because of security reasons.
Be aware that to run Maven 3.8.1, Java 7+ is required.Brian Vermeer
If you’re a Java developer who wants to develop your applications more securely, you’ve come to the right place. Snyk can help you with that mission.
This article explains how to begin with Snyk for secure Java development so you can be more secure from the get-go.Brian Vermeer
Snyk has just released the annual JVM ecosystem report! This report presents the results of the largest annual survey on the state of the JVM ecosystem.
This year’s survey is a cooperation between Snyk and Azul and was slightly different from the previous surveys.
We aimed for the survey to be more concise and focus only on the most important aspects of JVM developers today. Additionally, this year every participant was allowed to choose multiple options. We believe that the way the 2021 survey was designed, we have a better and more comprehensive view of the current JVM ecosystem. In this report, we also looked at different open data sources like GitHub and Google Trends to see how that data compares to the survey results.Brian Vermeer
If you need to store sensitive data in your system, you have to be sure that you have proper encryption in place.
First of all, you need to decide what kind of encryption you need —for instance, symmetric or asymmetric.
Also, you need to choose how secure it needs to be. Stronger encryption takes more time and consumes more CPU.
The most important part is that you don’t need to implement the encryption algorithms yourself. Encryption is hard and a trusted library solves encryption for you.Brian Vermeer
Rule #0 for preventing XSS, according to OWASP, is “Never insert untrusted data except in allowed locations.”
The basic solution to this Java security risk is to prevent untrusted data, as much as possible, and sanitize everything else before using the data.Brian Vermeer
YAML is a human-readable language to serialize data that’s commonly used for config files. The word YAML is an acronym for “YAML ain’t a markup language” and was first released in 2001. You can compare YAML to JSON or XML as all of them are text-based structured formats.
YAML files are often used to configure applications, application servers, or clusters. It is a very common format in Spring Boot applications and, of course, to configure Kubernetes. However, similarly to JSON and XML, you can use YAML to serialize and deserialize data.Brian Vermeer
Nowadays, developers are responsible for more than just creating the application. Besides working on features, developers have to focus on their applications’ maintainability, scalability, reliability, and security. Many developers are unsure of where to start with security. In addition, most companies still work with a dedicated security team instead of having security expertise inside the team.
A lot of developers practically live in their integrated development environment (IDE). A good IDE is like a swiss army knife: it is your go-to tool to do almost everything. Having everything I need to build, run, test, debug, and secure my application, makes a good IDE invaluable for many developers.Brian Vermeer
SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query. For instance, when filling in a web form. If SQL injection is possible, smart attackers can create user input to steal valuable data, bypass authentication, or corrupt the records in your database.
There are different types of SQL injection attacks, but in general, they all have a similar cause. The untrusted data that the user enters is concatenated with the query string. Therefore the user’s input can alter the query’s original intent.Brian Vermeer
Just like in 2020, Snyk is creating a comprehensive Java 2021 report that reflects the state of the JVM ecosystem.
Together with our partner Azul, we would like your input on how you use Java and the JVM ecosystem.
By submitting your answers to this survey, you are not only helping the community by sharing your data, but you can also help our charity goal for this year.
Reviewing someone’s code is hard, specifically when you also have to look at security issues.
Combining the 4 best practices from part 1 with the best practices in this part already gives you 8 pointers to improve your skills.Brian Vermeer
Code reviews are hard to do well. Particularly when you’re not entirely sure about the errors you should be looking for!
Be sure when you’re reviewing code to understand that all code isn’t written equal! Think also about what lies behind the code that you’re reviewing and thus the data and assets you are trying to protect. This working knowledge is something that isn’t easy to add into a checklist.
However, using the tips below, alongside your domain knowledge, will assist you in deciding where you should spend more of your time and where you should expect higher risk and different types of attacks.Brian Vermeer