SlideShare ist ein Scribd-Unternehmen logo

Secure JEE Architecture and Programming 101

Mario-Leander Reimer
Mario-Leander Reimer

This session will show that writing secure code and constructing secure systems is not as hard as it may sound. First, we will briefly dissect some well-known security vulnerabilities which were the result of only minor programming errors and we will demonstrate how easy insecurely written Java code can be exploited. However, writing secure code from the start is just as easy. For this we will present a handful of basic rules and tools every secure Java developer must know. This session will discuss the secure usage of open source libraries and it will present basic security patterns to construct secure system architectures. By the end of this session you will have a higher security awareness and a set of simple tools for your daily work. The talk was delivered at the JavaOne 2015 in San Francisco. #JavaOne

Software
1 von 66
Downloaden Sie, um offline zu lesen
Secure JEE Architecture and Programming 101 Mario-Leander Reimer, Chief Technologist Wednesday, Oct 28 @ JavaOne 2015
2 Security seems to be the most underrated non functional requirement in software engineering.
class Security Model Security in early stages Security Analysis Secure ProgrammingSecure Architecture Security Target Security Requirement Security Threat Attacker Security Architecture Use Case Entity Safeguard Implementation Security components Gatekeeper Channels Insecurity 3 You are here!
4 So what‘s on the agenda? o T he anat omy of t w o p r omi nent secur i t y vul ner ab i l i ti es o Java as a secur e p r og r amming l ang uag e and p l at for m o Secur i t y Anal ysi s: at t ack i ng an i nsecur e JEE w eb ap p o Secur e Pr og r ammi ng A w a r eness: 221 r ul es for mor e secur e code o Secur e Ar chi t ect ur e: concep t s and b asi c JEE feat ur es
5 How the Heartbleed Bug Works http://xkcd.com/1354/
6 The Java exploit for Heartbleed only had 186 lines of code. The patch for Heartblead only added 8 lines of code. Bounds check for the correct record length
7 Apple‘s SSL bug: goto fail;
8 Apple‘s SSL bug: goto fail; Success!? Not really what you would expect. Always goto fail; Never called.
9 Probably all security vulnerabilities are caused by poor, negligent or just plain unsafe programming!
Java CPU and PSU Releases Explained. 10 oJava SE Critical Patch Updates (CPU) oOdd version numbers: 8u31, 8u05, 7u71, 7u65, 7u45, ... oFixes for known security vulnerabilities oFurther severe bug fixes oRecommendation: upgrade as soon as possible after it has been released oJava SE Patch Set Updates (PSU) oEven version numbers: 8u40, 8u20, 7u72, 7u60, ... oAll fixes of the CPU release oFurther non-critical fixes and enhancements oRecommendation: only upgrade if non-critical fix is required http://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html
Java has been designed with security in mind from the start. Java is a secure programming language and platform. 11 o The JVM and the Java language provide several features and APIs for secure programming oBytecode verification, memory management, sandbox model, security manager, ... oThe java.security package in JDK8 contains 15 interfaces, 54 classes, 3 enums, 16 exceptions oConfigurable, fine-grained access control ocryptographic operations such as message digest and signature generation oSupport for generation and storage of cryptographic public keys o The security features are constantly improved and developed, such as resource consumption management, object-level protection, arbitrary permission grouping, ... https://docs.oracle.com/javase/8/docs/technotes/guides/security/index.html
12 The evolution of the Java security model. It hasn‘t changed much since. JDK 1.0 Security Model (1996) JDK 1.1 Security Model (1997) Java 2 Security Model (1998) http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-specTOC.fm.html
The default Java security policy file is very restrictive. But … 13 $JAVA_HOME/ jre/lib/security/java.policy
14 … if you allow everything and don‘t pay attention, don‘t blame others. -Djava.security.manager -Djava.security.policy= ! ? ? ?? ! http://openbook.rheinwerk-verlag.de/java7/1507_22_002.html
15 No magic provided! It us up to us developers and architects to use and apply the Java security features.
16 How do I know my web application has security vulnerabilities?
17 OWASP Zed Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Attack!
18 Demo
19 One inconsiderate line of code can be the root of all evil … Usage of raw request parameter
20 How can we do better?
Only 3 sources and 221 rules for more secure and better code. 21 The CERT™ Oracle™ Secure Coding Standard for Java Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda Rules available online at www.securecoding.cert.org Java Coding Guidelines Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda Secure Coding Guidelines for Java SE Updated for Java SE 8, Version: 5.0, Last updated: 25 September 2014 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
22
23
24
25 Secure Programming
MSC03-J. Never hard code sensitive information. 26 What‘s the problem? Sensitive information should never be hard coded. If the system is compromised, this information can be easily retrieved. Access to further resources may be possible. How can you exploit the code? Simply by disassembling the relevant code, using tools like javap, JAD, dirtyJOE. How can we do better? o Obtain information from a secure configuration file, system property or environment var. o Use infrastructure security features such as password aliases in Glassfish.
27 A very very very … bad example of a login component. Please don‘t do this!
28 javap -c InsecureLogin.class
29 javap -c MoreSecureLogin.class
30 Using password aliases is a much more secure option. And Java EE Security API 1.0 (JSR 375) is on it‘s way. asadmin> create-password-alias Enter the value for the aliasname operand> secpro_password_alias Enter the alias password> qwertz123 Enter the alias password again> qwertz123 Command create-password-alias executed successfully. -Dmaster.password=${ALIAS=secpro_password_alias} secure.password=tvtCEwfdmUAzXaKKlYQM6XYIjgQHzCZHZG/8SbdBQ+Vk9yH7PDK+x0aIgSZ2pvfWbC0avXyF 3Ow+tWleYlnideYwXpyJXrkhv+DRdQthEmM= secure.password.Production=r7mCJogt0VUI8s3UKJ1IHgCJ65pllW8q8uZ39+KjsvT910/iBppLt/8g NTGok/w1wscS7E24zLQKCOBbBZTU9A== PBKDF2WithHmacSHA1 This will replaced by the container automatically.
MLR01-J. Limit lifetime and visibility of sensitive information. 31 What‘s the problem? Application scoped security information also ends up in your heap memory. The garbage collection only frees unreachable objects. How can you exploit the code? By taking a heap dump and analysing it, using tools like jps + jmap, VisualVM, Eclipse MAT How can we do better? o Use security sensitive information only method locally (parameters, variables) o Clear or overwrite sensitive information after usage, e.g. Arrays.fill(chars, 0);
32 Taking heap dumps with JDK tools is simple. Use the command line or tools like Java VisualVM.
33 Heap Dump Analysis.
34 Clear sensitive information after usage. Limited lifetime of sensitive information: method parameters. Magic happens here! Sensitive information is replaced with junk data.
35 Heap Dump Analysis. select s from java.lang.String s where s.toString() == '???????'
ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it. 36 What‘s the problem? Without additional protection a JAR can be modified by an attacker. Any package or package private visibility can be circumvented in open packages. How can you exploit the code? o Exchange of classes, direct manipulation of byte code or important configuration files. o Malicious inheritance with package and class definitions in foreign JAR files. How can we do better? Sign the relevant JARs to detect modification. Seal the JAR to prevent malicious inheritance.
37 USERNAME.equals(username) && Arrays.equals(PASSWORD, password) 00000000 : ldc "SomeUsername" 00000002 : aload_1 00000003 : invokevirtual boolean java.lang.String.equals(java.lang.Object) 00000006 : ifeq pos.00000017 00000009 : getstatic char[] de.qaware.campus.secpro.env01.CrackedLogin.PASSWORD 0000000C : aload_2 0000000D : invokestatic boolean java.util.Arrays.equals(char[], char[]) 00000010 : ifeq pos.00000017 00000013 : iconst_1 00000014 : goto pos.00000018 00000017 : iconst_0 00000018 : ireturn
38 !USERNAME.equals(username) && !Arrays.equals(PASSWORD, password) 00000000 : ldc "SomeUsername" 00000002 : aload_1 00000003 : invokevirtual boolean java.lang.String.equals(java.lang.Object) 00000006 : ifne pos.00000017 00000009 : getstatic char[] de.qaware.campus.secpro.env01.CrackedLogin.PASSWORD 0000000C : aload_2 0000000D : invokestatic boolean java.util.Arrays.equals(char[], char[]) 00000010 : ifne pos.00000017 00000013 : iconst_1 00000014 : goto pos.00000018 00000017 : iconst_0 00000018 : ireturn ifne 9A 00 11 ifeq 99 00 11
39 Example MANIFEST.MF for a signed and sealed JAR. A sealed JAR specifies that all packages defined by that JAR are sealed. Each file in the archive is given a digest entry in the archive's manifest. More info: http://docs.oracle.com/javase/tutorial/deployment/jar/intro.html
40 Example MANIFEST.MF for a signed and sealed JAR.
41 Verify the signer certificate of a given class against a known and secured keystore.
MLR02-J. Obfuscate all security-sensitive code. 42 What‘s the problem? Clean Code. Good programming style. Debugging symbols. Basically, everything that helps us developers is also helpful to the attacker. How can you exploit the code? Simply by disassembling the relevant code, using tools like javap, JAD, dirtyJOE. How can we do better? Obfuscate the security sensitive code with tools like ProGuard, yGuard, et.al.
43 Obfuscation leads to reduced readability, cryptic variable names, inlining of method calls, misleading branches.
44 Only up to 10% of the bytecode instructions in modern JEE applications are your code!!!
45 At least 90% of your application pose a potential security risk!
46 About 26% of the downloaded libraries on Maven Central contain known vulnerabilities! https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries
47 OWASP Top 10 2013 A9 should be in the Top 3.
Know your dependencies. The secure usage of open source components and frameworks is key to application security. 48 o But how do I secure my application against security issues in open source software? oOption a) Do not use open source software. Write everything yourself!  Not very realistic!. oOption b) Have clear guidelines and rules for the responsible usage of open source software. o Upgrading your dependencies to the latest versions is crucial. Urgent security fixes are usually only applied to the latest release. o Monitor security issues of used frameworks in public databases (CVE, NVD) and mailing lists. o Implement security decorators to disable or secure weak and unused framework functionality.
49 mvn versions:display-dependency-updates [INFO] The following dependencies in Dependencies have newer versions: [INFO] com.sun.faces:jsf-api ......................................... 2.1.10 -> 2.2.12 [INFO] com.sun.jersey:jersey-client ..................................... 1.9.1 -> 1.19 [INFO] commons-fileupload:commons-fileupload ........................... 1.2.1 -> 1.3.1 [INFO] org.apache.httpcomponents:httpclient ............................ 4.2.1 -> 4.5.1 [INFO] org.apache.solr:solr-core ....................................... 4.6.1 -> 5.3.1
50 mvn org.owasp:dependency-check-maven:check o 49 scanned dependencies o 6 vulnerable dependencies o 8 found vulnerabilities
51 mvn org.owasp:dependency-check-maven:check
52 mvn org.owasp:dependency-check-maven:check
53 Perform the OWASP dependency check in a dedicated security build in your CI environment.
The security architecture of a systems describes how the normal architecture is secured at different levels. 54 Technical Infrastructure Technical Architecture Secure Technical Infrastructure Secure Technical Architecture Security Requirements Security Targets Externe Quellen: OWASP Top 10, BSI, PSA, … Application Architecture Secure Application Architecture Security Architecture
The security architecture consists of security components and communication channels that may need to be secured. 55 Component A Component B Channel AB Trust boundary Potentially secured communication channel Component Interface (exported or imported) via a gate keeper o Each system consists of security components that are connected by channels o Different abstractions: data centers, hardware units, VMs, app servers, databases, software components, … o Each security component is owned by somebody. This somebody may be trust worthy or not. o Each security component has a defined security - from very secure to insecure: o How exhaustive and elaborate must the gate keeper be at the entries and exits? Fort Knox or access to everyone? o Each channel has a defined security – from very secure to insecure: o How robust is a channel and the used protocol against typical attacks?
Security components can form security communities, with hard boarder controls and loose inner security. 56 Component A Component B Component D Component C This will be a Java 9 module soon.
The internal design of secure components is influenced by security concerns. But the business logic should stay clean. 57 o Validation o Expected types and value ranges o Validate if input satisfies the expected patters o Canonicalization o Lossless reduction to the most simple representation. o Normalization o Lossy reduction to the most simple representation o Sanitization o Ensure data hygiene o Prevent information disclosure and leakage
58 Security is a cross cutting concern. Interceptors are a perfect match to implement security functionality. Interceptor + Binding annotations Sanitize parameters and continue Get annotation from method or it’s declaring class Activate in beans.xml
59 The interceptor binding annotation defines relevant types and their sanitization functions. The sanitization function Non-binding sanitization type value Interceptor binding annotation can be applied to methods and classes
60 Use CDI decorators for component specific security features. Activate in beans.xml Inject the delegate instance Do any additional security check that my be required
61 Apply Design by Contract (DbC) to your gate keeper and security components using the method validation API. The interface is the contract. It defines the pre and post conditions of methods using javax.validation annotations.
62 There is no 100% security.
63 It`s up to us developers to write secure applications!
64 Incorporate security into your daily development process.
65 Pay your employees well! Cater for a good work environment.
& Mario-Leander Reimer Chief Technologist, QAware GmbH mario-leander.reimer@qaware.de https://slideshare.net/MarioLeanderReimer/ https://speakerdeck.com/lreimer/ https://github.com/lreimer/secure-programming-101/ https://twitter.com/leanderreimer/

Empfohlen

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsNullbyte Security Conference
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Silicon scanners cambridge report
Silicon scanners cambridge reportSilicon scanners cambridge report
Silicon scanners cambridge reportLiberteks
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure CodingJPCERT Coordination Center
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 

Empfohlen

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsNullbyte Security Conference
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Silicon scanners cambridge report
Silicon scanners cambridge reportSilicon scanners cambridge report
Silicon scanners cambridge reportLiberteks
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure CodingJPCERT Coordination Center
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
Super1
Super1Super1
Super1neelakanteswarreddy
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple FeaturesMuhammad Najmi Ahmad Zabidi
 
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...Pablo Orduña
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basisAnkita Bhalla
 
Verification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP CoresVerification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP CoresIRJET Journal
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021Denis Zakharov
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]Alex Pruden
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsPriyanka Aash
 
Bh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesBh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesArtem I. Baranov
 
Android N Security Overview - Mobile Security Saturday at Ciklum
Android N Security Overview - Mobile Security Saturday at CiklumAndroid N Security Overview - Mobile Security Saturday at Ciklum
Android N Security Overview - Mobile Security Saturday at CiklumConstantine Mars
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
JavaSecure
JavaSecureJavaSecure
JavaSecureSangbeomKim
 
Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java securityveszpremimeetup
 

Weitere ähnliche Inhalte

Was ist angesagt?

Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...Pablo Orduña
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basisAnkita Bhalla
 
Verification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP CoresVerification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP CoresIRJET Journal
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]Alex Pruden
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsPriyanka Aash
 
Bh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesBh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesArtem I. Baranov
 
Android N Security Overview - Mobile Security Saturday at Ciklum
Android N Security Overview - Mobile Security Saturday at CiklumAndroid N Security Overview - Mobile Security Saturday at Ciklum
Android N Security Overview - Mobile Security Saturday at CiklumConstantine Mars
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 

Was ist angesagt? (20)

Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARs
 
Super1
Super1Super1
Super1
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
Identifying Security Issues in the Semantic Web: Injection attacks in the Sem...
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in Perl
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basis
 
Verification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP CoresVerification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP Cores
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
 
Bh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesBh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slides
 
Android N Security Overview - Mobile Security Saturday at Ciklum
Android N Security Overview - Mobile Security Saturday at CiklumAndroid N Security Overview - Mobile Security Saturday at Ciklum
Android N Security Overview - Mobile Security Saturday at Ciklum
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Software security
Software securitySoftware security
Software security
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 

Ähnlich wie Secure JEE Architecture and Programming 101

Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java securityveszpremimeetup
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Applying Anti-Reversing Techniques to Java Bytecode
Applying Anti-Reversing Techniques to Java BytecodeApplying Anti-Reversing Techniques to Java Bytecode
Applying Anti-Reversing Techniques to Java BytecodeTeodoro Cipresso
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
Java: A Secure Programming Language for Today's Market
Java: A Secure Programming Language for Today's MarketJava: A Secure Programming Language for Today's Market
Java: A Secure Programming Language for Today's MarketUncodemy
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdflior mazor
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
A CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGE
A CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGEA CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGE
A CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGENathan Mathis
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET Journal
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 

Ähnlich wie Secure JEE Architecture and Programming 101 (20)

JavaSecure
JavaSecureJavaSecure
JavaSecure
 
Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java security
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Java
Advanced JavaAdvanced Java
Advanced Java
 
Applying Anti-Reversing Techniques to Java Bytecode
Applying Anti-Reversing Techniques to Java BytecodeApplying Anti-Reversing Techniques to Java Bytecode
Applying Anti-Reversing Techniques to Java Bytecode
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
OIVM
OIVMOIVM
OIVM
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
 
Java: A Secure Programming Language for Today's Market
Java: A Secure Programming Language for Today's MarketJava: A Secure Programming Language for Today's Market
Java: A Secure Programming Language for Today's Market
 
Features of java 02
Features of java 02Features of java 02
Features of java 02
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
A CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGE
A CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGEA CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGE
A CASE STUDY JAVA IS SECURE PROGRAMMING LANGUAGE
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of Code
 
Jsse
JsseJsse
Jsse
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 

Mehr von Mario-Leander Reimer

Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.Mario-Leander Reimer
 
A Hitchhiker's Guide to Cloud Native Java EE
A Hitchhiker's Guide to Cloud Native Java EEA Hitchhiker's Guide to Cloud Native Java EE
A Hitchhiker's Guide to Cloud Native Java EEMario-Leander Reimer
 
Steinzeit war gestern! Die vielfältigen Wege der Cloud-nativen Evolution
Steinzeit war gestern! Die vielfältigen Wege der Cloud-nativen EvolutionSteinzeit war gestern! Die vielfältigen Wege der Cloud-nativen Evolution
Steinzeit war gestern! Die vielfältigen Wege der Cloud-nativen EvolutionMario-Leander Reimer
 
Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....
Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....
Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....Mario-Leander Reimer
 
Das kleine Einmaleins der sicheren Architektur @heise_devSec
Das kleine Einmaleins der sicheren Architektur @heise_devSecDas kleine Einmaleins der sicheren Architektur @heise_devSec
Das kleine Einmaleins der sicheren Architektur @heise_devSecMario-Leander Reimer
 
Polyglot Adventures for the Modern Java Developer #javaone2017
Polyglot Adventures for the Modern Java Developer #javaone2017Polyglot Adventures for the Modern Java Developer #javaone2017
Polyglot Adventures for the Modern Java Developer #javaone2017Mario-Leander Reimer
 
Elegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2day
Elegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2dayElegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2day
Elegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2dayMario-Leander Reimer
 
Cloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAconCloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAconMario-Leander Reimer
 
A Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPL
A Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPLA Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPL
A Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPLMario-Leander Reimer
 
Everything-as-code. A polyglot adventure. #DevoxxPL
Everything-as-code. A polyglot adventure. #DevoxxPLEverything-as-code. A polyglot adventure. #DevoxxPL
Everything-as-code. A polyglot adventure. #DevoxxPLMario-Leander Reimer
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17Mario-Leander Reimer
 
Per Anhalter durch den Cloud Native Stack. #SEACONHH
Per Anhalter durch den Cloud Native Stack. #SEACONHHPer Anhalter durch den Cloud Native Stack. #SEACONHH
Per Anhalter durch den Cloud Native Stack. #SEACONHHMario-Leander Reimer
 
Everything-as-code. Ein polyglottes Abenteuer. #jax2017
Everything-as-code. Ein polyglottes Abenteuer. #jax2017Everything-as-code. Ein polyglottes Abenteuer. #jax2017
Everything-as-code. Ein polyglottes Abenteuer. #jax2017Mario-Leander Reimer
 
Everything-as-code. Eine vielsprachige Reise. #javaland
Everything-as-code. Eine vielsprachige Reise. #javalandEverything-as-code. Eine vielsprachige Reise. #javaland
Everything-as-code. Eine vielsprachige Reise. #javalandMario-Leander Reimer
 
Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017
Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017
Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017Mario-Leander Reimer
 
Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017
Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017
Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017Mario-Leander Reimer
 
Der Cloud Native Stack in a Nutshell. #CloudExpoEurope
Der Cloud Native Stack in a Nutshell. #CloudExpoEuropeDer Cloud Native Stack in a Nutshell. #CloudExpoEurope
Der Cloud Native Stack in a Nutshell. #CloudExpoEuropeMario-Leander Reimer
 
A Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConf
A Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConfA Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConf
A Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConfMario-Leander Reimer
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101Mario-Leander Reimer
 
Automotive Information Research driven by Apache Solr
Automotive Information Research driven by Apache SolrAutomotive Information Research driven by Apache Solr
Automotive Information Research driven by Apache SolrMario-Leander Reimer
 

Mehr von Mario-Leander Reimer (20)

Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Vielfältige Wege der Cloud-nativen Evolution.
 
A Hitchhiker's Guide to Cloud Native Java EE
A Hitchhiker's Guide to Cloud Native Java EEA Hitchhiker's Guide to Cloud Native Java EE
A Hitchhiker's Guide to Cloud Native Java EE
 
Steinzeit war gestern! Die vielfältigen Wege der Cloud-nativen Evolution
Steinzeit war gestern! Die vielfältigen Wege der Cloud-nativen EvolutionSteinzeit war gestern! Die vielfältigen Wege der Cloud-nativen Evolution
Steinzeit war gestern! Die vielfältigen Wege der Cloud-nativen Evolution
 
Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....
Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....
Everything-as-code: DevOps und Continuous Delivery aus Sicht des Entwicklers....
 
Das kleine Einmaleins der sicheren Architektur @heise_devSec
Das kleine Einmaleins der sicheren Architektur @heise_devSecDas kleine Einmaleins der sicheren Architektur @heise_devSec
Das kleine Einmaleins der sicheren Architektur @heise_devSec
 
Polyglot Adventures for the Modern Java Developer #javaone2017
Polyglot Adventures for the Modern Java Developer #javaone2017Polyglot Adventures for the Modern Java Developer #javaone2017
Polyglot Adventures for the Modern Java Developer #javaone2017
 
Elegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2day
Elegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2dayElegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2day
Elegantes In-Memory Computing mit Apache Ignite und Kubernetes. @data2day
 
Cloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAconCloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAcon
 
A Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPL
A Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPLA Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPL
A Hitchhiker’s Guide to the Cloud Native Stack. #DevoxxPL
 
Everything-as-code. A polyglot adventure. #DevoxxPL
Everything-as-code. A polyglot adventure. #DevoxxPLEverything-as-code. A polyglot adventure. #DevoxxPL
Everything-as-code. A polyglot adventure. #DevoxxPL
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
 
Per Anhalter durch den Cloud Native Stack. #SEACONHH
Per Anhalter durch den Cloud Native Stack. #SEACONHHPer Anhalter durch den Cloud Native Stack. #SEACONHH
Per Anhalter durch den Cloud Native Stack. #SEACONHH
 
Everything-as-code. Ein polyglottes Abenteuer. #jax2017
Everything-as-code. Ein polyglottes Abenteuer. #jax2017Everything-as-code. Ein polyglottes Abenteuer. #jax2017
Everything-as-code. Ein polyglottes Abenteuer. #jax2017
 
Everything-as-code. Eine vielsprachige Reise. #javaland
Everything-as-code. Eine vielsprachige Reise. #javalandEverything-as-code. Eine vielsprachige Reise. #javaland
Everything-as-code. Eine vielsprachige Reise. #javaland
 
Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017
Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017
Everything as-code. Polyglotte Entwicklung in der Praxis. #oop2017
 
Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017
Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017
Per Anhalter durch den Cloud Native Stack (Extended Edition) #oop2017
 
Der Cloud Native Stack in a Nutshell. #CloudExpoEurope
Der Cloud Native Stack in a Nutshell. #CloudExpoEuropeDer Cloud Native Stack in a Nutshell. #CloudExpoEurope
Der Cloud Native Stack in a Nutshell. #CloudExpoEurope
 
A Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConf
A Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConfA Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConf
A Hitchhiker’s Guide to the Cloud Native Stack. #ContainerConf
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Automotive Information Research driven by Apache Solr
Automotive Information Research driven by Apache SolrAutomotive Information Research driven by Apache Solr
Automotive Information Research driven by Apache Solr
 

Kürzlich hochgeladen

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

Kürzlich hochgeladen (20)

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Secure JEE Architecture and Programming 101

  • 1. Secure JEE Architecture and Programming 101 Mario-Leander Reimer, Chief Technologist Wednesday, Oct 28 @ JavaOne 2015
  • 2. 2 Security seems to be the most underrated non functional requirement in software engineering.
  • 3. class Security Model Security in early stages Security Analysis Secure ProgrammingSecure Architecture Security Target Security Requirement Security Threat Attacker Security Architecture Use Case Entity Safeguard Implementation Security components Gatekeeper Channels Insecurity 3 You are here!
  • 4. 4 So what‘s on the agenda? o T he anat omy of t w o p r omi nent secur i t y vul ner ab i l i ti es o Java as a secur e p r og r amming l ang uag e and p l at for m o Secur i t y Anal ysi s: at t ack i ng an i nsecur e JEE w eb ap p o Secur e Pr og r ammi ng A w a r eness: 221 r ul es for mor e secur e code o Secur e Ar chi t ect ur e: concep t s and b asi c JEE feat ur es
  • 5. 5 How the Heartbleed Bug Works http://xkcd.com/1354/
  • 6. 6 The Java exploit for Heartbleed only had 186 lines of code. The patch for Heartblead only added 8 lines of code. Bounds check for the correct record length
  • 7. 7 Apple‘s SSL bug: goto fail;
  • 8. 8 Apple‘s SSL bug: goto fail; Success!? Not really what you would expect. Always goto fail; Never called.
  • 9. 9 Probably all security vulnerabilities are caused by poor, negligent or just plain unsafe programming!
  • 10. Java CPU and PSU Releases Explained. 10 oJava SE Critical Patch Updates (CPU) oOdd version numbers: 8u31, 8u05, 7u71, 7u65, 7u45, ... oFixes for known security vulnerabilities oFurther severe bug fixes oRecommendation: upgrade as soon as possible after it has been released oJava SE Patch Set Updates (PSU) oEven version numbers: 8u40, 8u20, 7u72, 7u60, ... oAll fixes of the CPU release oFurther non-critical fixes and enhancements oRecommendation: only upgrade if non-critical fix is required http://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html
  • 11. Java has been designed with security in mind from the start. Java is a secure programming language and platform. 11 o The JVM and the Java language provide several features and APIs for secure programming oBytecode verification, memory management, sandbox model, security manager, ... oThe java.security package in JDK8 contains 15 interfaces, 54 classes, 3 enums, 16 exceptions oConfigurable, fine-grained access control ocryptographic operations such as message digest and signature generation oSupport for generation and storage of cryptographic public keys o The security features are constantly improved and developed, such as resource consumption management, object-level protection, arbitrary permission grouping, ... https://docs.oracle.com/javase/8/docs/technotes/guides/security/index.html
  • 12. 12 The evolution of the Java security model. It hasn‘t changed much since. JDK 1.0 Security Model (1996) JDK 1.1 Security Model (1997) Java 2 Security Model (1998) http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-specTOC.fm.html
  • 13. The default Java security policy file is very restrictive. But … 13 $JAVA_HOME/ jre/lib/security/java.policy
  • 14. 14 … if you allow everything and don‘t pay attention, don‘t blame others. -Djava.security.manager -Djava.security.policy= ! ? ? ?? ! http://openbook.rheinwerk-verlag.de/java7/1507_22_002.html
  • 15. 15 No magic provided! It us up to us developers and architects to use and apply the Java security features.
  • 16. 16 How do I know my web application has security vulnerabilities?
  • 17. 17 OWASP Zed Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Attack!
  • 19. 19 One inconsiderate line of code can be the root of all evil … Usage of raw request parameter
  • 20. 20 How can we do better?
  • 21. Only 3 sources and 221 rules for more secure and better code. 21 The CERT™ Oracle™ Secure Coding Standard for Java Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda Rules available online at www.securecoding.cert.org Java Coding Guidelines Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda Secure Coding Guidelines for Java SE Updated for Java SE 8, Version: 5.0, Last updated: 25 September 2014 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
  • 22. 22
  • 23. 23
  • 24. 24
  • 26. MSC03-J. Never hard code sensitive information. 26 What‘s the problem? Sensitive information should never be hard coded. If the system is compromised, this information can be easily retrieved. Access to further resources may be possible. How can you exploit the code? Simply by disassembling the relevant code, using tools like javap, JAD, dirtyJOE. How can we do better? o Obtain information from a secure configuration file, system property or environment var. o Use infrastructure security features such as password aliases in Glassfish.
  • 27. 27 A very very very … bad example of a login component. Please don‘t do this!
  • 30. 30 Using password aliases is a much more secure option. And Java EE Security API 1.0 (JSR 375) is on it‘s way. asadmin> create-password-alias Enter the value for the aliasname operand> secpro_password_alias Enter the alias password> qwertz123 Enter the alias password again> qwertz123 Command create-password-alias executed successfully. -Dmaster.password=${ALIAS=secpro_password_alias} secure.password=tvtCEwfdmUAzXaKKlYQM6XYIjgQHzCZHZG/8SbdBQ+Vk9yH7PDK+x0aIgSZ2pvfWbC0avXyF 3Ow+tWleYlnideYwXpyJXrkhv+DRdQthEmM= secure.password.Production=r7mCJogt0VUI8s3UKJ1IHgCJ65pllW8q8uZ39+KjsvT910/iBppLt/8g NTGok/w1wscS7E24zLQKCOBbBZTU9A== PBKDF2WithHmacSHA1 This will replaced by the container automatically.
  • 31. MLR01-J. Limit lifetime and visibility of sensitive information. 31 What‘s the problem? Application scoped security information also ends up in your heap memory. The garbage collection only frees unreachable objects. How can you exploit the code? By taking a heap dump and analysing it, using tools like jps + jmap, VisualVM, Eclipse MAT How can we do better? o Use security sensitive information only method locally (parameters, variables) o Clear or overwrite sensitive information after usage, e.g. Arrays.fill(chars, 0);
  • 32. 32 Taking heap dumps with JDK tools is simple. Use the command line or tools like Java VisualVM.
  • 34. 34 Clear sensitive information after usage. Limited lifetime of sensitive information: method parameters. Magic happens here! Sensitive information is replaced with junk data.
  • 35. 35 Heap Dump Analysis. select s from java.lang.String s where s.toString() == '???????'
  • 36. ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it. 36 What‘s the problem? Without additional protection a JAR can be modified by an attacker. Any package or package private visibility can be circumvented in open packages. How can you exploit the code? o Exchange of classes, direct manipulation of byte code or important configuration files. o Malicious inheritance with package and class definitions in foreign JAR files. How can we do better? Sign the relevant JARs to detect modification. Seal the JAR to prevent malicious inheritance.
  • 37. 37 USERNAME.equals(username) && Arrays.equals(PASSWORD, password) 00000000 : ldc "SomeUsername" 00000002 : aload_1 00000003 : invokevirtual boolean java.lang.String.equals(java.lang.Object) 00000006 : ifeq pos.00000017 00000009 : getstatic char[] de.qaware.campus.secpro.env01.CrackedLogin.PASSWORD 0000000C : aload_2 0000000D : invokestatic boolean java.util.Arrays.equals(char[], char[]) 00000010 : ifeq pos.00000017 00000013 : iconst_1 00000014 : goto pos.00000018 00000017 : iconst_0 00000018 : ireturn
  • 38. 38 !USERNAME.equals(username) && !Arrays.equals(PASSWORD, password) 00000000 : ldc "SomeUsername" 00000002 : aload_1 00000003 : invokevirtual boolean java.lang.String.equals(java.lang.Object) 00000006 : ifne pos.00000017 00000009 : getstatic char[] de.qaware.campus.secpro.env01.CrackedLogin.PASSWORD 0000000C : aload_2 0000000D : invokestatic boolean java.util.Arrays.equals(char[], char[]) 00000010 : ifne pos.00000017 00000013 : iconst_1 00000014 : goto pos.00000018 00000017 : iconst_0 00000018 : ireturn ifne 9A 00 11 ifeq 99 00 11
  • 39. 39 Example MANIFEST.MF for a signed and sealed JAR. A sealed JAR specifies that all packages defined by that JAR are sealed. Each file in the archive is given a digest entry in the archive's manifest. More info: http://docs.oracle.com/javase/tutorial/deployment/jar/intro.html
  • 40. 40 Example MANIFEST.MF for a signed and sealed JAR.
  • 41. 41 Verify the signer certificate of a given class against a known and secured keystore.
  • 42. MLR02-J. Obfuscate all security-sensitive code. 42 What‘s the problem? Clean Code. Good programming style. Debugging symbols. Basically, everything that helps us developers is also helpful to the attacker. How can you exploit the code? Simply by disassembling the relevant code, using tools like javap, JAD, dirtyJOE. How can we do better? Obfuscate the security sensitive code with tools like ProGuard, yGuard, et.al.
  • 43. 43 Obfuscation leads to reduced readability, cryptic variable names, inlining of method calls, misleading branches.
  • 44. 44 Only up to 10% of the bytecode instructions in modern JEE applications are your code!!!
  • 45. 45 At least 90% of your application pose a potential security risk!
  • 46. 46 About 26% of the downloaded libraries on Maven Central contain known vulnerabilities! https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries
  • 47. 47 OWASP Top 10 2013 A9 should be in the Top 3.
  • 48. Know your dependencies. The secure usage of open source components and frameworks is key to application security. 48 o But how do I secure my application against security issues in open source software? oOption a) Do not use open source software. Write everything yourself!  Not very realistic!. oOption b) Have clear guidelines and rules for the responsible usage of open source software. o Upgrading your dependencies to the latest versions is crucial. Urgent security fixes are usually only applied to the latest release. o Monitor security issues of used frameworks in public databases (CVE, NVD) and mailing lists. o Implement security decorators to disable or secure weak and unused framework functionality.
  • 49. 49 mvn versions:display-dependency-updates [INFO] The following dependencies in Dependencies have newer versions: [INFO] com.sun.faces:jsf-api ......................................... 2.1.10 -> 2.2.12 [INFO] com.sun.jersey:jersey-client ..................................... 1.9.1 -> 1.19 [INFO] commons-fileupload:commons-fileupload ........................... 1.2.1 -> 1.3.1 [INFO] org.apache.httpcomponents:httpclient ............................ 4.2.1 -> 4.5.1 [INFO] org.apache.solr:solr-core ....................................... 4.6.1 -> 5.3.1
  • 50. 50 mvn org.owasp:dependency-check-maven:check o 49 scanned dependencies o 6 vulnerable dependencies o 8 found vulnerabilities
  • 53. 53 Perform the OWASP dependency check in a dedicated security build in your CI environment.
  • 54. The security architecture of a systems describes how the normal architecture is secured at different levels. 54 Technical Infrastructure Technical Architecture Secure Technical Infrastructure Secure Technical Architecture Security Requirements Security Targets Externe Quellen: OWASP Top 10, BSI, PSA, … Application Architecture Secure Application Architecture Security Architecture
  • 55. The security architecture consists of security components and communication channels that may need to be secured. 55 Component A Component B Channel AB Trust boundary Potentially secured communication channel Component Interface (exported or imported) via a gate keeper o Each system consists of security components that are connected by channels o Different abstractions: data centers, hardware units, VMs, app servers, databases, software components, … o Each security component is owned by somebody. This somebody may be trust worthy or not. o Each security component has a defined security - from very secure to insecure: o How exhaustive and elaborate must the gate keeper be at the entries and exits? Fort Knox or access to everyone? o Each channel has a defined security – from very secure to insecure: o How robust is a channel and the used protocol against typical attacks?
  • 56. Security components can form security communities, with hard boarder controls and loose inner security. 56 Component A Component B Component D Component C This will be a Java 9 module soon.
  • 57. The internal design of secure components is influenced by security concerns. But the business logic should stay clean. 57 o Validation o Expected types and value ranges o Validate if input satisfies the expected patters o Canonicalization o Lossless reduction to the most simple representation. o Normalization o Lossy reduction to the most simple representation o Sanitization o Ensure data hygiene o Prevent information disclosure and leakage
  • 58. 58 Security is a cross cutting concern. Interceptors are a perfect match to implement security functionality. Interceptor + Binding annotations Sanitize parameters and continue Get annotation from method or it’s declaring class Activate in beans.xml
  • 59. 59 The interceptor binding annotation defines relevant types and their sanitization functions. The sanitization function Non-binding sanitization type value Interceptor binding annotation can be applied to methods and classes
  • 60. 60 Use CDI decorators for component specific security features. Activate in beans.xml Inject the delegate instance Do any additional security check that my be required
  • 61. 61 Apply Design by Contract (DbC) to your gate keeper and security components using the method validation API. The interface is the contract. It defines the pre and post conditions of methods using javax.validation annotations.
  • 62. 62 There is no 100% security.
  • 63. 63 It`s up to us developers to write secure applications!
  • 64. 64 Incorporate security into your daily development process.
  • 65. 65 Pay your employees well! Cater for a good work environment.
  • 66. & Mario-Leander Reimer Chief Technologist, QAware GmbH mario-leander.reimer@qaware.de https://slideshare.net/MarioLeanderReimer/ https://speakerdeck.com/lreimer/ https://github.com/lreimer/secure-programming-101/ https://twitter.com/leanderreimer/