Foojay Podcast #7: Security in Java, what do we need to know and how to keep our applications secure?

November 21, 2022
6432 Unique Views
2 min read

Table of Contents

For this Foojay Podcast, we invited security experts to dive into the fascinating world of secure coding and detecting vulnerabilities in your Java applications.

How can you make and keep your systems safe?

That's what we want to find out...

Podcast Apps

You can listen and subscribe to the Foojay Podcast on:

Spotify
Apple Podcasts
And most others...

Guests

Steve Poole (Sonatype, @spool167)
Brian Vermeer (Snyk, @BrianVerm, @[email protected])
Anastasiia Voitova (Cossack Labs, @vixentael, @[email protected])

Host

Erik Costlow (Azul, @costlow, @[email protected])

Content

00'00 Short intro and music
00'15 Introduction about the topic of this podcast
00'31 Introduction of the guests and host
02'40 Foojay article written by Brain about dependencies
- https://foojay.io/today/best-practices-for-managing-java-dependencies/
05'02 XML parsers in Java
05'55 "The more the merrier" versus "The less the better"
06'30 Foojay article written by Brain about the role of Data Transfer Objects in security
- https://foojay.io/today/how-to-use-java-dtos-to-stay-secure/
09'10 Extending on DTOs: encryption in data provisioning
11'10 Database entities versus DTOs and serialization
12'25 Developers need to be trained more on security and take responsibility
13'50 Don't design your own security solution
- https://www.cossacklabs.com/blog/cryptographic-failures-in-rf-encryption/
16'58 Cryptograpic dad joke... 😉
17'40 What are CVEs (Common Vulnerabilities and Exposures)
20'40 Security in the layers of a Java environment
- https://imagetragick.com/
24'50 JAR signing
26'40 CWE with the W of Weaknesses and OWASP
- https://owasp.org/www-project-top-ten/
- https://www.exploit-db.com/
29'40 How to evaluate vulnerability scores
- https://foojay.io/today/java-security-log4j-the-securitymanager-and-funding/
31'23 CVEs as Pokemon, "You gotta catch them all" workshop
32'20 How to be able to fix vulnerabilities
33'57 About the recent critical SSL vulnerability
36'02 Libraries are linked (integrated) into a Java project
- https://github.com/quarkusio/quarkus/issues/14904
38'15 Security is an educational thing and understand your tools
39'90 Role of the different players in a team
46'32 Can the JVM itself be more secure
49'44 Make the JVM aware of vulnerable code
51'10 Security insights in IoT devices
- https://www.cossacklabs.com/case-studies/iiot-security-a-hive-and-a-queen/
1h01'30 Developers should learn about defending depth
1h02'10 Conclusion

Don’t Forget to Share This Post!

Brian Vermeer

Author

Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.

Erik Costlow

Author

Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.

Frank Delporte

Author

Frank Delporte is a Java Champion, Java Developer, Technical Writer at Azul, Blogger, Author of "Getting started with Java on Raspberry Pi", and Pi4J Contributor. Frank blogs about his experiments with Java and JavaFX, sometimes combined with electronic components, on the Raspberry Pi.

Foojay Podcast 83: OpenJDK Evolutions plus Tips and Tricks

Preparing for Spring Framework 7 and Spring Boot 4

Service Layer Pattern in Java With Spring Boot

Micrometer & Prometheus in Spring Boot: Kafka Burger Orders🍔📨

Spring Framework 7.0 and Spring Data 2025.1.0 Embrace Jakarta EE 11 Compatibility

Navigating the Nuances of GraphRAG vs. RAG

The Cost of Not Knowing MongoDB – Part 1: appV0 to appV4

Understanding MCP Through Raw STDIO Communication

Java 24 Rolls Out Today! Find Out Why It’s Aptly Named

Rate limiting with Redis: An essential guide

JC-AI Newsletter: Easy Access to Expanding Challenges

JC-AI Newsletter #9

JC-AI Newsletter #8

Preparing for Spring Framework 7 and Spring Boot 4

Understanding MCP Through Raw STDIO Communication

Explore Spring Framework 7 Features—API Versioning

Your New AI-Powered Coding Buddy: A Guide to SonarQube MCP Server on IntelliJ 🤖

Elastic JVM: Configuring G1 GC for Automatic Vertical Memory Scaling

Foojay Podcast #81: Maven 4 – The Future of Java Build Automation

Rate limiting with Redis: An essential guide

Indexing all of Wikipedia, on a laptop

Working with Multiple Carets in IntelliJ IDEA

Clean Shutdown of Spring Boot Applications

Java 17 on the Raspberry Pi

Project Panama for Newbies (Part 1)

How to Create Mobile Apps with JavaFX (Part 1)

Beginning JavaFX Applications with IntelliJ IDE

Foojay Slack: bit.ly/join-foojay-slack

SpringBoot 3.2 + CRaC

Creating Scalable OpenAI GPT Applications in Java

Apache Kafka Performance on Azul Platform Prime vs Vanilla OpenJDK

Learn about a number of experiments that have been conducted with Apache Kafka performance on Azul Platform Prime, compared to vanilla OpenJDK. Roughly 40% improvements in performance, both throughput and latency, are achieved.

Stable, Secure, and Affordable Java

Azul Platform Core is the #1 Oracle Java alternative, offering OpenJDK support for more versions (including Java 6 & 7) and more configurations for the greatest business value and lowest TCO.

Foojay Podcast #6: Welcome to Foojay!

Let’s look back and what has happened on Foojay during the last 2,5 years and talk to some of the people behind the project.

Oct 24 6,4K

A N M Bazlur Rahman

Frank Delporte

Geertjan Wielenga

Roy Wasse

Podcast

Foojay

Foojay Podcast #5: OpenJDK 19 Discussion Panel

It’s September 20th, OpenJDK 19 has been released. In this podcast, we discuss the new features and the changes that this release brings.

Sep 20 8,2K

Deepu K Sasidharan

Erik Costlow

Frank Delporte

Miro Wengner

Podcast

Sealed Classes Records Project Panama Java Core

Foojay Podcast #4: Why So Many JDKs?

In this podcast, we explore the topic of why there are so many JDKs, how are they the same, and how they are different!

Oct 19 4,6K

Erik Costlow

Simon Ritter

Podcast

Foojay Podcast #3: Journey to Jakarta EE

Foojay community members discuss the modernization of Jakarta EE applications from the older Java EE form, including backwards-compatibility, as well as forwards-excitement about cool new developments like Microprofile.

Aug 31 4,9K

Erik Costlow

Ivar Grimstad

Josh Juneau

Rudy De Busscher

Jakarta EE

Podcast

Foojay Podcast #2: Embedded Java

Foojay community members and beyond discuss embedded Java, featuring the following speakers:

James Gosling, creator of Java and embedded enthusiast; Frank Delporte, engineer with Toadi, an autonomous lawn-mowing robot; Johan Vos, founder of Gluon, helping make fully cross-platform applications.

Hosted by Erik Costlow, developer relations for Contrast Security, locating security flaws in backend systems.

Jul 22 4,8K

Erik Costlow

Frank Delporte

Johan Vos

Podcast

Pi4J Foojay

Stable, Secure, and Affordable Java

Step up your coding with the Continuous Feedback Udemy Course: Additional coupons are available

Jakarta EE 11: Beyond the Era of Java EE

Foojay Podcast #7: Security in Java, what do we need to know and how to keep our applications secure?

Podcast Apps

Guests

Host