Security
Java Champion, Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker at mostly Java-related conferences.
-
- Security
How to do password hashing in Java applications the right way!
There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking wrong can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁. In this article …
-
- Getting Started
- Performance
- Security
Does Java 18 Finally Have A Better Alternative To JNI?
Java 18, released last month, includes the 2nd incubator of the Foreign Function & Memory API (FFI). Let’s look at the state of the Java FFI.
-
- Security
- Spring
Spring4Shell: Zero-Day RCE in Spring Framework Explained
On March 30, 2022, a critical remote code execution (RCE) vulnerability was found in the Spring Framework. More specifically, it is part of the spring-beans package, a transitive dependency in both spring-webmvc and spring-webflux. This vulnerability is another example of why securing the software supply chain is important to …
-
- Security
- Spring
- Uncategorized
Spring Remote Code Execution Vulnerability
I’d like to start by saying that I’m not a security expert. I also won’t link to the exploit. This is a very fresh take on a new vulnerability but there’s already confirmation from Sonatype. The current exploit seems to …
-
Quick Fire Java: Java After Log4j
Watch a 10 minute discussion on Log4j, security processes and prioritization, and how Payara dealt with the vulnerability.
-
- Getting Started
- Security
- Videos
Java Security: Log4J, the SecurityManager, and Funding
A demonstration of log4j exploits, which defenses people tried, and which worked. A look at open source funding models, subscriptions, and bug bounty programs to see why it’s sometimes hard to donate.
-
- Security
- Videos
Security Warning: Your Java Attack Surface Just Got Bigger
Learn about common threats, vulnerabilities, and misconfiguration including the recently disclosed issues in Log4j.
-
- Security
Detecting, Investigating and Verifying Fixes for Security Incidents and Zero Day Issues Using Lightrun
Learn about major milestones in app security: finding the issue, evaluating a breach, proving it, and validating the fix!
-
- Security
Treat Security as a Risk
Security is the poster child of a Non-Functional Requirement: most people don’t care until the proverbial matter hits the rotary propeller.
-
The State of Java in 2022
While more than 26 years old, Java is still one of the top three most popular programming languages.
-
- JEPs
- Security
You’re Running Untrusted Code!
I’m afraid the deprecation of the Security Manager just added several lines to that risk, all linked to running untrusted code.
-
- Security
Log4Shell Shows The Need for “Trustworthy Java”
I think the Java community handled this crisis poorly and needs to do much better next time. What do you think?
-
- Security
Java Logging: What To Log & What Not To Log?
Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.
In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.
-
- Security
Log4Shell / Leak4J
Over the last couple of days (and nights) I’ve been studying the new (extremely dangerous) vulnerability in log4j2 called Log4Shell.
-
- Security
Log4j2 Isn’t Killing Java
Java developers typically choose from several logging systems or facades. Many of these logging frameworks have grown to work together over the years.
-
- Security
Log4Shell: Critical Log4j RCE Vulnerability – Update to Version 2.15.0
On Dec. 10, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228 and categorized as Critical with a CVSS score of 10, which is the highest score possible. The vulnerability was discovered by Chen Zhaojun …
-
- JEPs
- Security
New Java 17 Features for Improved Security and Serialization
In December 2020, I wrote the article Serialization and deserialization in Java: explaining the Java deserialize vulnerability about the problems Java has with its custom serialization implementation. The serialization framework is so deeply embedded inside Java that knowing how dangerous some implementation …
-
- Security
- Snyk
How Social Trends Help Me Fix Essential Vulnerabilities
Our research team found a strong correlation between socially trending vulnerabilities and the existence of exploits that can actually harm your application.
-
- DevOps
- Security
PSA: The Risks of Remote JDWP Debugging
Java Debug Wire Protocol (a.k.a. JDWP) was designed for testing internally. Opening it to production is a HUGE security and stability risk…
-
- Security
Java: Where the Wild Code Isn’t
In the last several years, the OpenJDK community has made Java significantly safer for users and developers while at the same time making it easier to design, build, and run applications quickly.
Java users should incorporate several practices to take full benefit from the defenses of the modern JRE.
-
- DevOps
- JFrog Artifactory
- JFrog Xray
- Security
- Videos
SolarWinds Hack And The Executive Order Of Cybersecurity: What Does This Mean For Us?
In the past two years, we have had to learn a lot about cybersecurity. New attack vectors are becoming more and more sophisticated and are directed more and more against the value chain in general.
But what does that mean for us? What can be done about it, and what reactions has the state already taken?