Security

Avatar
Community manager Brian Vermeer

Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, Utrecht JUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences

  • Java Logging: What To Log & What Not To Log?

    Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.

    In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.

    Avatar
    Brian Vermeer
  • Use Query Parameterization to Prevent Injection

    When looking at a typical SQL injection in Java, the parameters of a sequel query are naively concatenated to the static part of the query. The following is an unsafe execution of SQL in Java, which can be used by an attacker to gain more information than otherwise intended.

    To prevent this in Java, we should parameterize the queries by using a prepared statement. This should be the only way to create database queries. By defining the full SQL code and passing in the parameters to the query later, the code is easier to understand. Most importantly, by distinguishing between the SQL code and the parameter data, the query can’t be hijacked by malicious input.

    Avatar
    Brian Vermeer
  • Avoid Java Serialization!

    Serialization in Java allows us to transform an object to a byte stream. This byte stream is either saved to disk or transported to another system. The other way around, a byte stream can be deserialized and allows us to recreate the original object.

    If you need to Deserialize an inputstream yourself, you should use an ObjectsInputStream with restrictions. A nice example of this is the ValidatingObjectInputStream from Apache Commons IO. This ObjectInputStream checks whether the object that is deserialized, is allowed or not.

    Avatar
    Brian Vermeer
  • How to Configure Your Java XML Parsers to Prevent XXE Attacks

    With XML eXternal Entity (XXE) enabled, it is possible to create a malicious XML, as shown below, and read the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities. Java XML libraries are particularly vulnerable to XXE injection because most XML parsers have external entities by default enabled.

    Changing the default settings of the DefaultHandler and the Java SAX parser to disallow external entities and doctypes for xerces1 or xerces2, respectively, prevents these kinds of attacks.

    Avatar
    Brian Vermeer
  • Securing Microservices with Auth0 and MicroProfile in Kubernetes

    In this day and age, securing enterprise platforms is a challenge that developers and consultants tackle in an uninformed manner, producing subpar solutions in most cases.

    This presentation by Ondrej Mihalyi at DevOpsCon showcases the strength of combining MicroProfile and an OAuth service by doing a live demonstration of securing enterprise Java microservices in Kubernetes.

    Jadon Ortlepp
    Jadon Ortlepp
  • Fixing Vulnerabilities in Maven Projects

    Maven is still the most used build system in the Java ecosystem. According to the JVM report 2020, Maven is the number one build tool in the ecosystem with two-thirds of the share.

    Therefore, it is important to now how Maven works. For instance, if you find vulnerabilities in your Maven project using Snyk, how can you fix them?

    Avatar
    Brian Vermeer
  • Java: Where the Wild Code Isn’t

    In the last several years, the OpenJDK community has made Java significantly safer for users and developers while at the same time making it easier to design, build, and run applications quickly.

    Java users should incorporate several practices to take full benefit from the defenses of the modern JRE.

    Erik Costlow
    Erik Costlow
  • foojay: A Place for Friends of OpenJDK

    It’s exciting to have foojay as a place to provide information to everyday Java developers and to work collaboratively on evolving foojay content to provide commentaries on the latest Java developments.

    We’re actively looking for highly skilled and knowledgeable Java developers to join us (we are even hiring for that purpose) and our aim is for foojay to increasingly become a place of sharing reference materials and discussion throughout the Java industry.

    Avatar
    Geertjan Wielenga

Subscribe to foojay updates:

https://foojay.io/feed/
Copied to the clipboard