Security

Safe Writing to Files in IoT and Industrial Systems

Especially on IoT devices, file corruption on shutdown is a common concern.

This article discusses how to write to disk safely in Java, combining disk sync, shutdown hooks, and atomic renaming of files.

The SolarWinds Hack for Java Developers

The SolarWinds attack is unique in that the hackers did not exploit a vulnerability in an application, rather they broke into the company and attacked the development pipeline. The attackers’ implant worked in the build process,

injecting new code into SolarWinds Orion as it was built to enable command & control capabilities on target systems that ran the application.

For Java developers and architects who design, build, and run applications, there are two core take-aways.

OIDC Client with Mutual TLS Client Authentication

Learn how to set up an OpenID Connect (OIDC) client with Spring Security using mutual TLS as a method for authenticating the client.

Mutual TLS is not supported out-of-the-box by Spring Security, so there are a few steps that need to be completed to use this feature.

In order to make the example code a bit more tangible, we will be using the Curity Identity Server as the Authorization Server, but you can use any Authorization Server.

Getting Started with DevSecOps

Even as a software developer, you will often hear this phrase during meetings with the company’s management and sales part. The phrase is called “Make or Buy”. Typically, we have to decide if we want to do something ourselves or spend money to buy the requested functionality. It could be less or more functionality or different so that we have to adjust ourself to use it in our context.

But as a software developer, we have to deal with the same question every day. I am talking about dependencies. Should we write the source code by ourselves or just adding the next dependencies? Who will be responsible for removing bugs, and what is the total cost of this decision? But first, let’s take a look at the make-or-buy association inside the full tech-stack.

Explaining Java Deserialization Vulnerabilities (Part 2)

Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

Earlier, in part 1, the basics of Java serialization and deserialization were explained and how to tamper with data in serialized objects. In this part, we continue with even more harmful attacks and show you how you can prevent this in your own code.

A Compendium of 2021 Java & OpenJDK Predictions

Now that 2021 is well underway, many prominent Java developers have taken the time to predict what 2021 may bring to the Java universe.

In this post, I arrange these predictions and observations by topic, in essence creating a series of brief panel discussions about each topic area: a sort of mini-Java conference in the form of an article!

Explaining Java Deserialization Vulnerabilities (Part 1)

Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream.

Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues and other problems it has produced over the years.

Hacking Java XML Input via External Entity Injection

Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.

In the video, I explain and demonstrate how an XXE injection attack works by extracting system data that should not be exposed.

I also show you how you can solve this in your Java code in multiple ways.

Java Syntax Puzzlers

Working on language-specific tooling exposes you to all kinds of edge cases and delicate details and language has to offer. Some of them are well known and generally seen as “unprofessional” (hello goto). Others are actually not known at all. And with all due respect, I quite enjoy discovering the edge cases of the language syntax – a lot of times to confuse my co-workers who think they know the Java Language Syntax.

And given I love a good puzzle (especially the Java Puzzles), let’s try a puzzle but using the Java syntax only, without any runtime behavior.

5 Tips to Create Secure Docker Images for Java Applications

Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images. This is very convenient as you can use these images from Docker Hub to quickly build an image for your Java application.

However, the naive way of creating custom Docker images for your Java applications comes with many security concerns. So, how do we make security an essential part of Docker images for Java?

Minimizing Security Risks in Java Application Development

United by their passion for open source, Payara and IBM recently teamed up for a panel discussion on security in Java application development.

Security is something that is considered extremely important, however, it is not always something that is a priority for many development teams. The main question is—how to minimize security risks while developing Java applications.

In this panel discussion, our experts addressed a variety of topics related to secure application development. Most of the topics were introduced by questions from the audience.