Security

Best Practices for Managing Java Dependencies

Knowing how to select, update, and remove Java dependencies from our application is essential for security.

Controlling your Server with a Reverse Shell Attack

The last thing you need for your happily deployed application is someone to take over your system and fully control it!

Learning by Auditing Kubernetes Manifests

Find out about Checkov, which scans cloud infrastructure configurations to find misconfigurations before they’re deployed.

Exploring CVE-2022-33980: The Apache Commons Configuration RCE Vulnerability

Before we dive into the details of this vulnerability, we want to make it clear that there’s no need for panic!

Building Secure CI/CD Pipelines with GitHub Actions for Your Java Application

Learn how to integrate Snyk into your GitHub CI/CD to automate security scanning as part of your build cycle prior to production.

How to Secure Your Web Apps With An API Gateway

When header values depend on the underlying web app, we need to reload the configuration without downtime and Continuous Deployment pipeline integration.

Deserialization Exploits in Java: Why Should I care?

Deserialization vulnerabilities work natively in Java and how attack chains are created. This problem is also not restricted to Java’s custom serialization framework. When deserializing JSON, XML, or YAML, similar issues can occur as well. This talk shows some pointers on how to mitigate these problems in your own applications.

How to do password hashing in Java applications the right way!

There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking wrong can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁.In this article …

Does Java 18 Finally Have A Better Alternative To JNI?

Java 18, released last month, includes the 2nd incubator of the Foreign Function & Memory API (FFI). Let’s look at the state of the Java FFI.

Spring4Shell: Zero-Day RCE in Spring Framework Explained

On March 30, 2022, a critical remote code execution (RCE) vulnerability was found in the Spring Framework. More specifically, it is part of the spring-beans package, a transitive dependency in both spring-webmvc and spring-webflux. This vulnerability is another example of why securing the software supply chain is important to …

Spring Remote Code Execution Vulnerability

I’d like to start by saying that I’m not a security expert. I also won’t link to the exploit. This is a very fresh take on a new vulnerability but there’s already confirmation from Sonatype. The current exploit seems to …

Quick Fire Java: Java After Log4j

Watch a 10 minute discussion on Log4j, security processes and prioritization, and how Payara dealt with the vulnerability.

Java Security: Log4J, the SecurityManager, and Funding

A demonstration of log4j exploits, which defenses people tried, and which worked. A look at open source funding models, subscriptions, and bug bounty programs to see why it’s sometimes hard to donate.

Security Warning: Your Java Attack Surface Just Got Bigger

Learn about common threats, vulnerabilities, and misconfiguration including the recently disclosed issues in Log4j.

Detecting, Investigating and Verifying Fixes for Security Incidents and Zero Day Issues Using Lightrun

Learn about major milestones in app security: finding the issue, evaluating a breach, proving it, and validating the fix!

Treat Security as a Risk

Security is the poster child of a Non-Functional Requirement: most people don’t care until the proverbial matter hits the rotary propeller.

The State of Java in 2022

While more than 26 years old, Java is still one of the top three most popular programming languages.

You’re Running Untrusted Code!

I’m afraid the deprecation of the Security Manager just added several lines to that risk, all linked to running untrusted code.

Log4Shell Shows The Need for “Trustworthy Java”

I think the Java community handled this crisis poorly and needs to do much better next time. What do you think?

Java Logging: What To Log & What Not To Log?

Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.

In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.

Log4Shell / Leak4J

Over the last couple of days (and nights) I’ve been studying the new (extremely dangerous) vulnerability in log4j2 called Log4Shell.