Foojay Podcast #58: How Java Developers Can Secure Their Code

September 30, 2024

Unique Views: 3,346

sinceSeptember, 2024

Author(s)

Brian Vermeer
Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an ... Learn more
Erik Costlow
Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. ... Learn more
Frank Delporte
Frank Delporte (@frankdelporte) is a Java Champion, Java Developer, Technical Writer at Azul, Blogger, Author of "Getting started with Java on Raspberry Pi", and Pi4J Contributor. Frank blogs about his ... Learn more
Jonathan Vila
Jonathan is a developer advocate at Sonar. He is a Java Champion and co-founder of the conferences in Spain JBCNConf and DevBcn and organizer of the Barcelona JUG. He has ... Learn more

Three years after Log4Shell caused a significant security issue, we still struggle with insecure dependencies and injection problems.

In this podcast, we'll discuss how developers can secure their code.

I talked with three authors who posted a security and code quality post on Foojay.io.

Video

Podcast (audio only)

Guests

Jonathan Vila

Brian Vermeer

Erik Costlow

Content

00:00 Introduction of topic and guests

01:35 Brian: Why is Log4Shell still around?
https://foojay.io/today/the-persistent-threat-why-major-vulnerabilities-like-log4shell-and-spring4shell-remain-significant/
03:24 Outdated dependencies are still used a lot
04:31 Who is responsible for dependency updates?
07:55 Snyk tools to help discover issues
10:15 Comparing to Dependabot
11:21 How to keep dependencies up-to-date
14:32 Responsibility to use dependencies with care
17:17 Looking forward to the JFall conference
18:48 About Foojay

19:49 Jonathan: Is SQL injection still a problem?
https://foojay.io/today/top-security-flaws-hiding-in-your-code-right-now-and-how-to-fix-them/
24:50 Deserialization injection
27:30 Logging injection
31:22 Even experienced developers make mistakes
33:17 About Sonar tools
35:53 Other articles by Jonathan
https://foojay.io/today/author/jonathan-vila/
https://foojay.io/today/ensuring-the-right-usage-of-java-21-new-features/
38:20 Other security tools
https://www.youtube.com/watch?v=-wVCYj8oQUY

39:47 Erik: Trash Pandas are attracted by unused code
https://foojay.io/today/trash-pandas-love-enterprise-java-garbage-code/
43:01 How bad are insecure but unused libraries?
45:16 Problem of code only used by unit tests
47:15 Testing in different layers (develop, test, production)
49:31 How much code is not used in production?
50:31 How code becomes unused
https://foojay.io/today/foojay-podcast-57/

54:29 Conclusions

Don’t Forget to Share This Post!

Author Brian Vermeer

Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.

Author Erik Costlow

Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a…

Author Frank Delporte

Frank Delporte (@frankdelporte) is a Java Champion, Java Developer, Technical Writer at Azul, Blogger, Author of "Getting started with Java on Raspberry Pi", and Pi4J Contributor. Frank blogs about his experiments with Java, sometimes combined with electronic components, on the Raspberry Pi.

Author Jonathan Vila

Jonathan is a developer advocate at Sonar. He is a Java Champion and co-founder of the conferences in Spain JBCNConf and DevBcn and organizer of the Barcelona JUG. He has also been a speaker at several conferences including DevNexus, Oracle CodeOne, DevoxxUK, JNation, DevConf.IN, DevConf.US, and JFokus.

Author(s)

Brian Vermeer
Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an ... Learn more
Erik Costlow
Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. ... Learn more
Frank Delporte
Frank Delporte (@frankdelporte) is a Java Champion, Java Developer, Technical Writer at Azul, Blogger, Author of "Getting started with Java on Raspberry Pi", and Pi4J Contributor. Frank blogs about his ... Learn more
Jonathan Vila
Jonathan is a developer advocate at Sonar. He is a Java Champion and co-founder of the conferences in Spain JBCNConf and DevBcn and organizer of the Barcelona JUG. He has ... Learn more

Comments (0)

Cancel reply

Your email address will not be published. Required fields are marked *

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Save my name, email, and website in this browser for the next time I comment.

Foojay Podcast #58: How Java Developers Can Secure Their Code

Author(s)

Video

Podcast (audio only)

Guests

Jonathan Vila

Brian Vermeer

Erik Costlow

Content

Related Articles

Author(s)

Comments (0)

Cancel reply

Set Event Reminder

Subscribe to foojay updates: