Security

How to do password hashing in Java applications the right way!

There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking wrong can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁.In this article …

Does Java 18 Finally Have A Better Alternative To JNI?

Java 18, released last month, includes the 2nd incubator of the Foreign Function & Memory API (FFI). Let’s look at the state of the Java FFI.

Spring4Shell: Zero-Day RCE in Spring Framework Explained

On March 30, 2022, a critical remote code execution (RCE) vulnerability was found in the Spring Framework. More specifically, it is part of the spring-beans package, a transitive dependency in both spring-webmvc and spring-webflux. This vulnerability is another example of why securing the software supply chain is important to …

Spring Remote Code Execution Vulnerability

I’d like to start by saying that I’m not a security expert. I also won’t link to the exploit. This is a very fresh take on a new vulnerability but there’s already confirmation from Sonatype. The current exploit seems to …

Quick Fire Java: Java After Log4j

Watch a 10 minute discussion on Log4j, security processes and prioritization, and how Payara dealt with the vulnerability.

Java Security: Log4J, the SecurityManager, and Funding

A demonstration of log4j exploits, which defenses people tried, and which worked. A look at open source funding models, subscriptions, and bug bounty programs to see why it’s sometimes hard to donate.

Security Warning: Your Java Attack Surface Just Got Bigger

Learn about common threats, vulnerabilities, and misconfiguration including the recently disclosed issues in Log4j.

Detecting, Investigating and Verifying Fixes for Security Incidents and Zero Day Issues Using Lightrun

Learn about major milestones in app security: finding the issue, evaluating a breach, proving it, and validating the fix!

Treat Security as a Risk

Security is the poster child of a Non-Functional Requirement: most people don’t care until the proverbial matter hits the rotary propeller.

The State of Java in 2022

While more than 26 years old, Java is still one of the top three most popular programming languages.

You’re Running Untrusted Code!

I’m afraid the deprecation of the Security Manager just added several lines to that risk, all linked to running untrusted code.

Log4Shell Shows The Need for “Trustworthy Java”

I think the Java community handled this crisis poorly and needs to do much better next time. What do you think?

Java Logging: What To Log & What Not To Log?

Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.

In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.

Log4Shell / Leak4J

Over the last couple of days (and nights) I’ve been studying the new (extremely dangerous) vulnerability in log4j2 called Log4Shell.

Log4j2 Isn’t Killing Java

Java developers typically choose from several logging systems or facades. Many of these logging frameworks have grown to work together over the years.

Log4Shell: Critical Log4j RCE Vulnerabilty – Update to Version 2.15.0

On Dec.10, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228 and categorized as Critical with a CVSS score of 10, which is the highest score possible. The vulnerability was discovered by Chen Zhaojun …

New Java 17 Features for Improved Security and Serialization

In December 2020, I wrote the article Serialization and deserialization in Java: explaining the Java deserialize vulnerability about the problems Java has with its custom serialization implementation. The serialization framework is so deeply embedded inside Java that knowing how dangerous some implementation …

How Social Trends Help Me Fix Essential Vulnerabilities

Our research team found a strong correlation between socially trending vulnerabilities and the existence of exploits that can actually harm your application.

PSA: The Risks of Remote JDWP Debugging

Java Debug Wire Protocol (a.k.a. JDWP) was designed for testing internally. Opening it to production is a HUGE security and stability risk…

Java: Where the Wild Code Isn’t

In the last several years, the OpenJDK community has made Java significantly safer for users and developers while at the same time making it easier to design, build, and run applications quickly.

Java users should incorporate several practices to take full benefit from the defenses of the modern JRE.

SolarWinds Hack And The Executive Order Of Cybersecurity: What Does This Mean For Us?

In the past two years, we have had to learn a lot about cybersecurity. New attack vectors are becoming more and more sophisticated and are directed more and more against the value chain in general.

But what does that mean for us? What can be done about it, and what reactions have the state already taken?