Security
-
How to do password hashing in Java applications the right way!
There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking wrong can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁. In this article …
-
Quick Fire Java: Java After Log4j
Watch a 10 minute discussion on Log4j, security processes and prioritization, and how Payara dealt with the vulnerability.
-
Security Warning: Your Java Attack Surface Just Got Bigger
Learn about common threats, vulnerabilities, and misconfiguration including the recently disclosed issues in Log4j.
-
Detecting, Investigating and Verifying Fixes for Security Incidents and Zero Day Issues Using Lightrun
Learn about major milestones in app security: finding the issue, evaluating a breach, proving it, and validating the fix!
-
You’re Running Untrusted Code!
I’m afraid the deprecation of the Security Manager just added several lines to that risk, all linked to running untrusted code.
-
PSA: The Risks of Remote JDWP Debugging
Java Debug Wire Protocol (a.k.a. JDWP) was designed for testing internally. Opening it to production is a HUGE security and stability risk…
-
CVSS 101: First Steps with Common Vulnerability Scoring System
What is the Common Vulnerability Scoring System (CVSS), who is behind it, what are we doing with it, and what does a CVSS Value mean for you?
With CVSS, we have a value system for evaluating security gaps in software. Since there are no alternatives, and the system has been in use worldwide for over ten years and is constantly being developed, it is a de facto standard.
The evaluation consists of three components.
-
The Lifecycle of a Security Vulnerability
Again and again, we read in the IT news about new security gaps that have been identified.
Most of the time, you don’t even hear or read anything about the many security holes that are found but are not as well known as the SolarWinds hack, for example.
But what is the typical lifecycle of such a security gap?
-
Namespace Shadowing (a.k.a. “Dependency Confusion”) Attack
The npm Registry is vulnerable to supply chain namespace shadowing, also known as “Dependency Confusion” attacks.
Make sure you create npm scoped packages and force exclude patterns.
-
Changing a Field’s Type in Recent JDKs
A couple of years ago, I attended a talk by my former colleague (but still friend) Volker Simonis. It gave me the idea to dig a bit into the subject of how to secure the JVM. From the material, I created a series of blog posts as well as a talk.
From that point on, I submitted the talk at meetups and conferences, where it was well-received. Because I like to explore different areas, I stopped submitting other proposals. Still, the talk is in my portfolio, and it was requested again in 2021. At the time of this writing, I have already presented it twice since the beginning of the year.
It allowed me to update the demo with version 16 of the JDK. In this blog post, I want to share some findings about the security changes related to changing a field’s type across JDK versions.
-
Securing Microservices with Auth0 and MicroProfile in Kubernetes
In this day and age, securing enterprise platforms is a challenge that developers and consultants tackle in an uninformed manner, producing subpar solutions in most cases.
This presentation by Ondrej Mihalyi at DevOpsCon showcases the strength of combining MicroProfile and an OAuth service by doing a live demonstration of securing enterprise Java microservices in Kubernetes.