Security

Preventing YAML Parsing Vulnerabilities in Java

YAML is a human-readable language to serialize data that’s commonly used for config files. The word YAML is an acronym for “YAML ain’t a markup language” and was first released in 2001. You can compare YAML to JSON or XML as all of them are text-based structured formats.

YAML files are often used to configure applications, application servers, or clusters. It is a very common format in Spring Boot applications and, of course, to configure Kubernetes. However, similarly to JSON and XML, you can use YAML to serialize and deserialize data.

Fix Java Security Issues While Coding in IntelliJ IDEA

Nowadays, developers are responsible for more than just creating the application. Besides working on features, developers have to focus on their applications’ maintainability, scalability, reliability, and security. Many developers are unsure of where to start with security. In addition, most companies still work with a dedicated security team instead of having security expertise inside the team.

A lot of developers practically live in their integrated development environment (IDE). A good IDE is like a swiss army knife: it is your go-to tool to do almost everything. Having everything I need to build, run, test, debug, and secure my application, makes a good IDE invaluable for many developers.

Namespace Shadowing (a.k.a. “Dependency Confusion”) Attack

The npm Registry is vulnerable to supply chain namespace shadowing, also known as “Dependency Confusion” attacks.

Make sure you create npm scoped packages and force exclude patterns.

8 Best Practices to Prevent SQL Injection Attacks

SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query. For instance, when filling in a web form. If SQL injection is possible, smart attackers can create user input to steal valuable data, bypass authentication, or corrupt the records in your database.

There are different types of SQL injection attacks, but in general, they all have a similar cause. The untrusted data that the user enters is concatenated with the query string. Therefore the user’s input can alter the query’s original intent.

Changing a Field’s Type in Recent JDKs

A couple of years ago, I attended a talk by my former colleague (but still friend) Volker Simonis. It gave me the idea to dig a bit into the subject of how to secure the JVM. From the material, I created a series of blog posts as well as a talk.

From that point on, I submitted the talk at meetups and conferences, where it was well-received. Because I like to explore different areas, I stopped to submit other proposals. Still, the talk is in my portfolio, and it was requested again in 2021. I have already presented it twice since the beginning of the year at the time of this writing.

It allowed me to update the demo with version 16 of the JDK. In this blog post, I want to share some findings regarding the security changes regarding changing a field’s type across JDK versions.

Secure Code Review Best Practices (Part 2)

Reviewing someone’s code is hard, specifically when you also have to look at security issues.

Combining the 4 best practices from part 1 with the best practices in this part already gives you 8 pointers to improve your skills.

Secure Code Review Best Practices (Part 1)

Code reviews are hard to do well. Particularly when you’re not entirely sure about the errors you should be looking for!

Be sure when you’re reviewing code to understand that all code isn’t written equal! Think also about what lies behind the code that you’re reviewing and thus the data and assets you are trying to protect. This working knowledge is something that isn’t easy to add into a checklist.

However, using the tips below, alongside your domain knowledge, will assist you in deciding where you should spend more of your time and where you should expect higher risk and different types of attacks.

Safe Writing to Files in IoT and Industrial Systems

Especially on IoT devices, file corruption on shutdown is a common concern.

This article discusses how to write to disk safely in Java, combining disk sync, shutdown hooks, and atomic renaming of files.

The SolarWinds Hack for Java Developers

The SolarWinds attack is unique in that the hackers did not exploit a vulnerability in an application, rather they broke into the company and attacked the development pipeline. The attackers’ implant worked in the build process,

injecting new code into SolarWinds Orion as it was built to enable command & control capabilities on target systems that ran the application.

For Java developers and architects who design, build, and run applications, there are two core take-aways.

OIDC Client with Mutual TLS Client Authentication

Learn how to set up an OpenID Connect (OIDC) client with Spring Security using mutual TLS as a method for authenticating the client.

Mutual TLS is not supported out-of-the-box by Spring Security, so there are a few steps that need to be completed to use this feature.

In order to make the example code a bit more tangible, we will be using the Curity Identity Server as the Authorization Server, but you can use any Authorization Server.

Getting Started with DevSecOps

Even as a software developer, you will often hear this phrase during meetings with the company’s management and sales part. The phrase is called “Make or Buy”. Typically, we have to decide if we want to do something ourselves or spend money to buy the requested functionality. It could be less or more functionality or different so that we have to adjust ourself to use it in our context.

But as a software developer, we have to deal with the same question every day. I am talking about dependencies. Should we write the source code by ourselves or just adding the next dependencies? Who will be responsible for removing bugs, and what is the total cost of this decision? But first, let’s take a look at the make-or-buy association inside the full tech-stack.