1   Copyright © 2013, Oracle and/or its affiliates. All rights reserved.   Information Classification, Public
Keeping the Future Secure
with Java
Milton Smith, Sr. Principal Security PM
Email: milton.smith@oracle.com
Blog: http://spoofzu.blogspot.com/
Twitter: @spoofzu




Notice


     "THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT
     DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT
     BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER
     ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON
     IN MAKING PURCHASING DECISION. THE DEVELOPMENT, RELEASE, AND TIMING
     OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS
     REMAINS AT THE SOLE DISCRETION OF ORACLE."

Who Am I?

        Milton Smith
         §  Responsible for Java platform security: vision/features, internal/external
             communications – everything Java except EE.
         §  20+ years of programming and specializing in security.
         §  Former employer was Yahoo! where I managed security for the User
             Data Analytics property.

Program Agenda


        §         Security Industry Challenges
        §         Risk Choices & Methodologies
        §         Security at Oracle
        §         Ongoing Security Improvements
        §         Security in Development Communities
        §         Call to Action

Security Industry & Challenges

Java Ecosystem
Level of Security Challenge…

Facts
    Desktops
    §  Java deployed on 97 percent of desktops

    Devices
    §  Java deployed on 80 percent of mobile platforms
    §  Java deployed on 125 million television sets

    Community
    §  1 billion Java downloads per year
    §  9 million developers worldwide

    Ref: http://www.oracle.com/us/corporate/press/1843546

Security Threat Landscape
A lot has changed since 1995 when Java started…

            That was Then… (individual pranksters)
            •  Data Destruction
            •  Denial of Service
            •  Hacktivism

            This is Now… (well funded and organized)
            •  State or Terrorist Cyber Warfare
            •  Intellectual Property Theft

Why is Java a Favored Target for Attack?

       §  Java is deployed widely across homes and business computers.


       §  Multi-platform features of Java allow attackers to indiscriminately
             target Windows, Mac, and even Linux versions.


       §  Unlike data centers, physical and logical security controls for the
             home systems are less sophisticated.

What Uses of Java are Highest Risk?

        Highest Risk…
        §  Java Applets and Web Start plugins running in the browser.

        Why…
        §  Java users have valuable information (e.g., credit cards, license keys, etc.)

        §  Java desktop security controls are either missing or poorly configured

Strong Security is the Expectation…
         Challenges across entire industry…


          §  Security concerns across industry are elevated


          §  Strong vs. poor security is difficult for users to evaluate

Risk Choices & Methodologies

Risk vs. Reward


        WE MAKE CHOICES BASED UPON RISK EVERY DAY

        THIS IS HOW HUMANS FUNCTION

Everyday Risk Choices



         Do animals drink at the water hole? Animals with big teeth may be
         present.
                    –  Answer = Depends on how thirsty they are.

Everyday Risk Choices



         Everyone treated by a doctor has died or will die. The long-run success rate is
         precisely zero. Do we continue to visit doctors?
                    –  Answer = Yes!

Everyday Risk Choices



         Life is risky. Do we visit the doctor every day for a check-up?
                    –  Answer = No!

Risk Based Security Methodology


          §  Many of us today use informal risk based approaches.


          §  Some don’t take the next step – formalizing how they think about risk and
                how it governs their behavior.

          §  A risk methodology helps drive security decisions

Security Risk Applied to a Web Application
         Example

          §  A few simple considerations…
                     –  How important is the application to the business? Dollar loss, compliance
                            requirements, inconvenience?
                     –  Internet facing application interfaces (web, web data services)?
                     –  Any unauthenticated application interfaces (no logon)?
                     –  and many more factors…

          §  Platforms have different concerns but the approach is similar

Security at Oracle

Why is Security Important to Oracle?
Java is at the center of our applications
[Diagram: the Java Platform at the center, with Your Apps, ORA Apps and Vendor Apps built on it]

Overview – Larger Security Policy Areas

              Communications
              § SA/CPU RSS Feeds
              § Security Blog
              § eBlasts
              § Java.com Security

              Development Lifecycle
              § Architecture Review
              § Peer Review
              § Security Testing
              § Post Mortems

              Remediation
              § CPU
              § Security Alerts

Security Policies - Communications


          §  Security news & alerts are communicated via several channels
                     –  Security Alerts (RSS feed)
                     –  Critical Patch Update Advisories
                     –  eBlasts
                     –  Blogs (like blogs.oracle.com/security)




          §  Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html

Security Policies - Communications
         Why we don’t respond to published reports of alleged security
         vulnerabilities in Oracle products…

          §  Correcting and corroborating articles provides more information to attackers


          §  Many reports don’t provide the required engineering details for proper
                verification. Technical details like: pre-conditions, impacts, remediation/
                mitigation details are light or non-existent.


          §  Responding to individual reports forces communities to track vulnerabilities in
                social media sites – not good.

Security Policies - Communications
         Why we don’t respond to published reports of alleged security
         vulnerabilities in Oracle products…

          §  The information Oracle releases is: precise, actionable, and everyone
                receives it at the same time.

          §  Policy: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html

Security Throughout the Development Lifecycle
     Non-specific lifecycle methodology

     Concept:  Risk Factors (less scrutiny / more scrutiny)
     Analysis: Project Review (architecture, compliance)
     Coding:   Peer Review (manual, automated)
     Testing:  Security Tests (static analysis, fuzzing)
     Delivery: Java.com

Policy: http://www.oracle.com/us/support/assurance/development/index.html

Outside the Development Lifecycle

     Throughout the development cycle:
     •   GPS
     •   Ethical Hacking
     •   Security Training
     •   Tech Talks
     …and more.

Security Policies - Remediation


          §  Common Vulnerability Scoring System (CVSS)


          §  Vulnerabilities reviewed and CVSS score assigned


          §  Remediation strongly influenced by CVSS score

            Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html#scoring

Security Policies - Remediation


          §  Critical Patch Updates (CPU) - Security patches
                     –  February, June, October for the Java Platform Group
                     –  The Java Platform Group schedule differs from the Oracle CPU schedule
                     –  Emergency releases are infrequent but do happen

          §  Policy: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Java CPU
Planned releases on the Java 7 line, every 4 months:
     7 GA
     7u1  CPU
     7u2  Non CPU
     7u3  CPU
     7u4  Non CPU
     7u5  CPU
     7u6  Non CPU
     7u7  SecAlert*
     7u9  CPU

Rules for Java CPUs
     § Main release for security vulnerabilities
     § Covers all families (7, 6, 5.0, 1.4.2)
     § CPU release triggers Auto-update
     § Dates published 12 months in advance
     § Security Alerts are released as necessary
     § Based off the previous (non-CPU) release
     § Released simultaneously on java.com and OTN

Securing Platforms vs. Securing Applications


          §  Different tools for securing platforms and applications
                     –  Platform development often precedes tool features


          §  Platforms support a wider range of use cases


          §  Different techniques for securing platforms and applications

Ongoing Security Improvements

Theme, Preventing Drive-By Exploitation


          §  Defense against phishing attacks


          §  “Best used before” date for JRE security
                     –  Largest number of exploits are against out-of-date software

Theme, Preventing Drive-By Exploitation


          §  Easier to disable Java in Browser (Applet/JNLP)


          §  Encourage users to uninstall older JREs
                     –  First step, as an applet
                     –  Next step, component of the installer

Theme, JRE Security Hardening


          §  Configurable IT security policy


          §  More frequent security feeds (blacklists, security baseline updates)

Security in Development Communities

What is Impact of Security Incidents?
           Schedule
           §  Security firefighting derails the release train


           Morale
           §  Security firefighting hits home when your staff burns nights and weekends


           Confidence
           §  Too many incidents or too severe shakes confidence

Mitigating Security Impacts
          Before an Incident (otherwise known as Prevention)
          §  Best incident is the one you can avoid
          §  Ensure security investments are commensurate with risk
          §  What should they be? Depends, based upon security maturity
          During an Incident
          §  Have an emergency action plan. Relevant leadership? Responsibilities?
                Process? Actions? Expected outcomes?
          After an Incident
          §  Questions may linger for months after an incident
           §  Have a communications policy and plan of execution

Open Source Projects
           §  Millions of eyeballs do not mean they are trained on security
           §  Communities focus on what is important to them - features
           §  If you manage a developer community - set code quality standards
           §  Ensure the quality standards include security (e.g., OWASP)

Restoring Confidence
          Product Improvement
          §  Understand your vulnerabilities and get them fixed
          §  Make new security feature improvements as necessary
          §  Make it happen


          Communication
          §  Code cannot fix a confidence problem
          §  Likewise communication without action is meaningless
          §  Make improvements and then communicate your progress


          The currency of confidence is “hard work”, and it is slowly won

Call to Action

Vulnerability Reporting & Security Feature Suggestions
          §  Report Vulnerabilities
                     –  Support Customers: My Oracle Support
                     –  Others: secalert_us@oracle.com
                       Policy:
                       http://www.oracle.com/us/support/assurance/reporting/index.html


          §  Suggest New Features
                     –  http://bugreport.sun.com/bugreport/

Upcoming CPU’s


          §  April 16, 2013
          §  June 18, 2013
          §  October 15, 2013 (transition to Oracle CPU schedule)
          §  January 14, 2014

          §  CPUs
                http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Java Platform Support
        §  I receive many questions on support programs and to answer a few…


        §  3 Options
                  –  Premier, 5 years from GA
                  –  Extended, Premier + 3 years
                  –  Sustaining, “as long as you own your Oracle products”


      Disclaimer: No, I don’t receive a commission. ;o)

      Ref:
      http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf

Java Root Certificate Program

     §  Like browsers, Java ships with root certificates.
     §  Our roots establish intrinsic “trust” for Java users.
     §  Of course, users are always free to include their own certificates.
     §  Program rules apply, see following link.



     Ref:
     http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html
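The slide says the shipped roots establish trust and that users may add their own. The class below is an added example written for this page, not Oracle's tooling or part of the Root Certificate Program: it loads the trust anchors from the JRE's cacerts, optionally merges anchors from a second keystore of the user's own roots, and runs PKIX path validation over a PEM chain. It assumes cacerts lives at java.home/lib/security/cacerts with the shipped default password "changeit"; the class and method names are this example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Validates a PEM certificate chain (leaf first) against the roots the JRE ships in
 * lib/security/cacerts, optionally merged with the caller's own trust anchors.
 * Added example for this page; not Oracle's tooling.
 */
public class TrustCheck {

    // Assumptions about the local install: cacerts sits under java.home and still has
    // the password the JRE ships with ("changeit").
    static final Path CACERTS = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    static final char[] CACERTS_PASSWORD = "changeit".toCharArray();

    /** Loads every trusted-certificate entry of a keystore as a PKIX trust anchor. */
    static Set<TrustAnchor> loadAnchors(Path keystore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** Reads every PEM certificate in a file, keeping file order (leaf first). */
    static List<X509Certificate> readPemChain(Path pem) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * PKIX path validation: signatures, validity periods, basic constraints, name chaining.
     * Revocation is off here; production code should add a PKIXRevocationChecker (Java 8+).
     */
    static TrustAnchor validate(List<X509Certificate> chain, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<>(chain);
        // The anchor itself must not be part of the path; drop it if the peer sent the root too.
        if (!path.isEmpty() && anchors.stream()
                .anyMatch(a -> a.getTrustedCert().equals(path.get(path.size() - 1)))) {
            path.remove(path.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
            (PKIXCertPathValidatorResult) cpv.validate(cf.generateCertPath(path), params);
        return result.getTrustAnchor();
    }

    /** Usage: java TrustCheck chain.pem [my-roots.jks my-roots-password] */
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = loadAnchors(CACERTS, CACERTS_PASSWORD);
        if (args.length >= 3) {
            anchors.addAll(loadAnchors(Paths.get(args[1]), args[2].toCharArray())); // the user's own roots
        }
        List<X509Certificate> chain = readPemChain(Paths.get(args[0]));
        try {
            TrustAnchor root = validate(chain, anchors);
            System.out.println("TRUSTED via " + root.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the offending certificate in the path, or -1
            System.out.println("UNTRUSTED: " + e.getMessage() + " (cert index " + e.getIndex() + ")");
        }
    }
}
```

Merging a private root into the anchor set, rather than importing it into cacerts, keeps the shipped truststore intact across JRE updates and makes the extra trust explicit in the code that relies on it.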




Help Us Keep You Secure
      §  To end users…
                 –  Keep your JREs updated (auto-update on)
                 –  Practice defense-in-depth: virus scanner, firewall
      §  To developers…
                 –  Support current JREs so end users can upgrade
                 –  Sign your applications (use a timestamp)
                 –  Validate untrusted data (input/output validation)
                 –  Follow the Open Web Application Security Project, https://www.owasp.org/
      §  All
                 –  Attend the new security track at JavaOne 2013 in San Francisco CA, USA
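For the "sign your applications (use a timestamp)" item, here is an added example written for this page, not Oracle's jarsigner, that audits the result from the consuming side: it opens a JAR with verification enabled, drains every entry so the JDK checks its digest against the signed manifest, and flags entries that were modified or left unsigned as well as signatures that carry no RFC 3161 timestamp. It does not decide whether the signer's certificate chain is trusted; that is a separate check. The class name and message texts are this example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Audits a signed JAR: every entry must verify against the signed manifest, be covered by
 * at least one signer, and carry a timestamp so the signature stays verifiable after the
 * signing certificate expires. Added example for this page; not Oracle's jarsigner.
 */
public class JarSignatureAudit {

    /** The manifest and signature-block files are the signature itself, never signed entries. */
    static boolean isSignatureMetadata(String name) {
        return name.equals("META-INF/MANIFEST.MF")
            || (name.startsWith("META-INF/") && (name.endsWith(".SF") || name.endsWith(".RSA")
                || name.endsWith(".DSA") || name.endsWith(".EC")));
    }

    /** Returns one finding per problem; an empty list means the JAR passed. */
    static List<String> audit(Path jarPath) throws IOException {
        List<String> findings = new ArrayList<>();
        // verify=true makes JarFile compare each entry's digest with the signed manifest as it is read
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            List<JarEntry> entries = Collections.list(jar.entries());
            boolean hasSignatureFile = entries.stream()
                .anyMatch(e -> e.getName().startsWith("META-INF/") && e.getName().endsWith(".SF"));
            if (!hasSignatureFile) {
                findings.add("JAR carries no signature file (META-INF/*.SF): not signed at all");
                return findings;
            }
            for (JarEntry entry : entries) {
                String name = entry.getName();
                if (entry.isDirectory() || isSignatureMetadata(name)) continue;
                // Signer information only becomes available once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* digest is checked as the stream drains */ }
                } catch (SecurityException e) {
                    findings.add(name + ": digest mismatch, entry changed after signing (" + e.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // Typical packaging mistake: files added to the archive after jarsigner ran
                    findings.add(name + ": unsigned entry inside a signed JAR");
                    continue;
                }
                for (CodeSigner signer : signers) {
                    X509Certificate leaf =
                        (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = signer.getTimestamp();
                    if (ts == null) {
                        findings.add(name + ": signature by " + leaf.getSubjectX500Principal()
                            + " has no timestamp; verifiers cannot prove it predates the certificate expiry on "
                            + leaf.getNotAfter());
                    }
                }
            }
        }
        return findings;
    }

    /** Usage: java JarSignatureAudit app.jar ; exit status 1 when any finding is reported */
    public static void main(String[] args) throws IOException {
        List<String> findings = audit(Paths.get(args[0]));
        if (findings.isEmpty()) {
            System.out.println("OK: all entries signed and timestamped");
        }
        for (String f : findings) {
            System.out.println(f);
        }
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

Reading each entry to the end is the step people forget: JarEntry.getCodeSigners() returns null until the JDK has digested the bytes, so a check that only inspects metadata reports every entry as unsigned.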


oracle.com/javajobs




46   Copyright © 2013, Oracle and/or its affiliates. All rights reserved.   Information Classification, Public
47   Copyright © 2013, Oracle and/or its affiliates. All rights reserved.   Information Classification, Public

Weitere ähnliche Inhalte

Was ist angesagt?

Talk IT_ Oracle_김상엽_110822
Talk IT_ Oracle_김상엽_110822Talk IT_ Oracle_김상엽_110822
Talk IT_ Oracle_김상엽_110822
Cana Ko
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 

Was ist angesagt? (17)

Opa @ owasp 2010
Opa @ owasp 2010Opa @ owasp 2010
Opa @ owasp 2010
 
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
 
Governance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile Apps
 
The “Security” in Oracle’s Secure Cloud Infrastructure
The “Security” in Oracle’s Secure Cloud InfrastructureThe “Security” in Oracle’s Secure Cloud Infrastructure
The “Security” in Oracle’s Secure Cloud Infrastructure
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Talk IT_ Oracle_김상엽_110822
Talk IT_ Oracle_김상엽_110822Talk IT_ Oracle_김상엽_110822
Talk IT_ Oracle_김상엽_110822
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking Oracle
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 
Session 4 Enterprise Mobile Security
Session 4  Enterprise Mobile SecuritySession 4  Enterprise Mobile Security
Session 4 Enterprise Mobile Security
 
Cloud Security by CK
Cloud Security by CKCloud Security by CK
Cloud Security by CK
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
The Cloud Security Landscape
The Cloud Security LandscapeThe Cloud Security Landscape
The Cloud Security Landscape
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 

Andere mochten auch (6)

Keynote - Randy Newell of IBM
Keynote - Randy Newell of IBMKeynote - Randy Newell of IBM
Keynote - Randy Newell of IBM
 
Jerry Silver of EMC - Selling Value
Jerry Silver of EMC - Selling ValueJerry Silver of EMC - Selling Value
Jerry Silver of EMC - Selling Value
 
Anne hardy 2013
Anne hardy 2013Anne hardy 2013
Anne hardy 2013
 
Projecte
ProjecteProjecte
Projecte
 
Scott Apeland Intel Keynote
Scott Apeland Intel KeynoteScott Apeland Intel Keynote
Scott Apeland Intel Keynote
 
Actuate - Gamification
Actuate - GamificationActuate - Gamification
Actuate - Gamification
 

Ähnlich wie Milton smith 2013

Innovations dbsec-12c-pub
Innovations dbsec-12c-pubInnovations dbsec-12c-pub
Innovations dbsec-12c-pub
OracleIDM
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
Nicholas Chia
 
Oracle presentation at Tech Summit PR 2014
Oracle presentation at Tech Summit PR 2014Oracle presentation at Tech Summit PR 2014
Oracle presentation at Tech Summit PR 2014
Tech Summit PR 2014
 
Cloud expo 10 myths rex wang oracle ss
Cloud expo 10 myths rex wang oracle ssCloud expo 10 myths rex wang oracle ss
Cloud expo 10 myths rex wang oracle ss
Rex Wang
 
Data Management in a Microservices World
Data Management in a Microservices WorldData Management in a Microservices World
Data Management in a Microservices World
gvenzl
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
Tunde Ogunkoya
 
APAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds SecurityAPAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds Security
SolarWinds
 
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
Tunde Ogunkoya
 

Ähnlich wie Milton smith 2013 (20)

Java Master Class
Java Master ClassJava Master Class
Java Master Class
 
Con8819 context and risk aware access control any device any where - final
Con8819   context and risk aware access control any device any where - finalCon8819   context and risk aware access control any device any where - final
Con8819 context and risk aware access control any device any where - final
 
Oracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for SecurityOracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for Security
 
Enterprise Mobility: Secure Containerization
Enterprise Mobility: Secure ContainerizationEnterprise Mobility: Secure Containerization
Enterprise Mobility: Secure Containerization
 
Innovations dbsec-12c-pub
Innovations dbsec-12c-pubInnovations dbsec-12c-pub
Innovations dbsec-12c-pub
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
 
Oracle presentation at Tech Summit PR 2014
Oracle presentation at Tech Summit PR 2014Oracle presentation at Tech Summit PR 2014
Oracle presentation at Tech Summit PR 2014
 
Cloud expo 10 myths rex wang oracle ss
Cloud expo 10 myths rex wang oracle ssCloud expo 10 myths rex wang oracle ss
Cloud expo 10 myths rex wang oracle ss
 
Big data and its impact on SOA
Big data and its impact on SOABig data and its impact on SOA
Big data and its impact on SOA
 
Oracle Management Cloud newpres-v1.1
Oracle Management Cloud   newpres-v1.1Oracle Management Cloud   newpres-v1.1
Oracle Management Cloud newpres-v1.1
 
Oracle OpenWorld | CON9707 Enterprise Mobile Security Architecture beyond the...
Milton smith 2013

5. Program Agenda
§  Security Industry Challenges
§  Risk Choices & Methodologies
§  Security at Oracle
§  Ongoing Security Improvements
§  Security in Development Communities
§  Call to Action

6. Security Industry & Challenges

7. Java Ecosystem Level of Security Challenge… Facts
Desktops
§  Java deployed on 97 percent of desktops
§  Java deployed on 80 percent of mobile platforms
Devices
§  Java deployed on 125 million television sets
§  1 billion Java downloads per year
Community
§  9 million developers worldwide
Ref: http://www.oracle.com/us/corporate/press/1843546

8. Security Threat Landscape
A lot has changed since 1995 when Java started…
That was Then…
•  Individual pranksters
This is Now…
•  State or Terrorist Cyber Warfare
•  Data Destruction
•  Denial of Service
•  Intellectual Property Theft
•  Hacktivism
Well funded and organized

9. Why is Java a Favored Target for Attack?
§  Java is deployed widely across home and business computers.
§  Multi-platform features of Java allow attackers to indiscriminately target Windows, Mac, and even Linux versions.
§  Unlike data centers, physical and logical security controls for home systems are less sophisticated.

10. What Uses of Java are Highest Risk?
Highest Risk…
§  Java Applets and Web Start plugins running in the browser.
Why…
§  Java users have valuable information (e.g., credit cards, license keys, etc.)
§  Java desktop security controls are either missing or poorly configured

11. Strong Security is the Expectation…
Challenges across the entire industry…
§  Security concerns across the industry are elevated
§  Strong vs. poor security is difficult for users to evaluate
12. Risk Choices & Methodologies

13. Risk vs. Reward
WE MAKE CHOICES BASED UPON RISK EVERY DAY
THIS IS HOW HUMANS FUNCTION

14. Everyday Risk Choices
Do animals drink at the water hole? Animals with big teeth may be present.
–  Answer = Depends, how thirsty.

15. Everyday Risk Choices
Everyone treated by a doctor – has or will die. Success rate is precisely zero.
Do we continue to visit doctors?
–  Answer = Yes!

16. Everyday Risk Choices
Life is risky. Do we visit the doctor every day for a check-up?
–  Answer = No!

17. Risk Based Security Methodology
§  Many of us today use informal risk based approaches.
§  Some don’t take the next steps – formalize thoughts about risk and how it governs our behavior.
§  Risk methodology helps drive security decisions

18. Security Risk Applied to a Web Application Example
§  A few simple considerations…
–  How important is the application to the business? Dollar loss, compliance requirements, inconvenience?
–  Internet facing application interfaces (web, web data services)?
–  Any unauthenticated application interfaces (no logon)?
–  and many more factors…
§  Platforms have different concerns but the approach is similar
19. Security at Oracle

20. Why is Security Important to Oracle?
Java is at the center of our applications
(Diagram: Your Apps, ORA Apps and Vendor Apps all sitting on the Java Platform)

21. Overview – Larger Security Policy Areas
Communications
§  SA/CPU RSS Feeds
§  Security Blog
§  eBlasts
§  Java.com Security
Development Lifecycle
§  Architecture Review
§  Peer Review
§  Security Testing
§  Post Mortems
Security Remediation
§  CPU
§  Security Alerts

22. Security Policies - Communications
§  Security news & alerts are communicated via several channels
–  Security Alerts (RSS feed)
–  Critical Patch Update Advisories
–  eBlasts
–  Blogs (like blogs.oracle.com/security)
§  Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html

23. Security Policies - Communications
Why we don’t respond to published reports of alleged security vulnerabilities in Oracle products…
§  Correcting and corroborating articles provides more information to attackers
§  Many reports don’t provide the required engineering details for proper verification. Technical details like pre-conditions, impacts, and remediation/mitigation details are light or non-existent.
§  Responding to individual reports forces communities to track vulnerabilities in social media sites – not good.

24. Security Policies - Communications
Why we don’t respond to published reports of alleged security vulnerabilities in Oracle products…
§  The information Oracle releases is: precise, actionable, and everyone receives it at the same time.
§  Policy: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html

25. Security Throughout the Development Lifecycle
Non-specific lifecycle methodology
–  Concept – Risk Factors: less scrutiny, more scrutiny
–  Analysis – Project Review: architecture, compliance
–  Coding – Peer Review: manual, automated
–  Testing – Security Tests: static analysis, fuzzing
–  Delivery – Java.com
Policy: http://www.oracle.com/us/support/assurance/development/index.html

26. Outside the Development Lifecycle
Throughout Development Cycle
•  GPS
•  Ethical Hacking
•  Security Training
•  Tech Talks
…and more.

27. Security Policies - Remediation
§  Common Vulnerability Scoring System (CVSS)
§  Vulnerabilities reviewed and CVSS score assigned
§  Remediation strongly influenced by CVSS score
Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html#scoring

28. Security Policies - Remediation
§  Critical Patch Updates (CPU) - Security patches
–  October, February, June for Java Platform Group
–  Java Platform Group schedule is different from the Oracle CPU schedule
–  Emergency releases are infrequent but do happen
§  Policy: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

29. Java CPU Planned
Java 7 release timeline:
–  7 GA
–  7u1 – CPU
–  7u2 – Non CPU
–  7u3 – CPU
–  7u4 – Non CPU
–  7u5 – CPU
–  7u6 – Non CPU
–  7u7 – SecAlert*
–  7u9 – CPU
CPU every 4 months
Rules for Java CPUs
§  Main release for security vulnerabilities
§  Covers all families (7, 6, 5.0, 1.4.2)
§  CPU release triggers Auto-update
§  Dates published 12 months in advance
§  Security Alerts are released as necessary
§  Based off the previous (non-CPU) release
§  Released simultaneously on java.com and OTN

30. Securing Platforms vs. Securing Applications
§  Different tools for securing platforms and applications
–  Platform development often precedes tool features
§  Platforms support a wider range of use cases
§  Different techniques for securing platforms and applications
31. Ongoing Security Improvements

32. Theme, Preventing Drive-By Exploitation
§  Defense against phishing attacks
§  “Best used before” date for JRE security
–  Largest number of exploits are against out-of-date software

33. Theme, Preventing Drive-By Exploitation
§  Easier to disable Java in Browser (Applet/JNLP)
§  Encourage users to uninstall older JREs
–  First step, as an applet
–  Next step, component of the installer

34. Theme, JRE Security Hardening
§  Configurable IT security policy
§  More frequent security feeds (blacklists, security baseline updates)

35. Security in Development Communities

36. What is the Impact of Security Incidents?
Schedule
§  Security firefighting derails the release train
Morale
§  Security firefighting hits home when your staff burns nights and weekends
Confidence
§  Too many incidents, or incidents too severe, shake confidence

37. Mitigating Security Impacts
Before an Incident (otherwise known as Prevention)
§  Best incident is the one you can avoid
§  Ensure security investments are commensurate with risk
§  What should they be? Depends, based upon security maturity
During an Incident
§  Have an emergency action plan. Relevant leadership? Responsibilities? Process? Actions? Expected outcomes?
After an Incident
§  Questions may linger for months after an incident
§  Have a communications policy and plan of execution

38. Open Source Projects
§  Millions of eyeballs does not mean they are trained on security
§  Communities focus on what is important to them - features
§  If you manage a developer community - set code quality standards
§  Ensure the quality standards include security (e.g., OWASP)

39. Restoring Confidence
Product Improvement
§  Understand your vulnerabilities and get them fixed
§  Make new security feature improvements as necessary
§  Make it happen
Communication
§  Code cannot fix a confidence problem
§  Likewise, communication without action is meaningless
§  Make improvements and then communicate your progress
The currency of confidence is “hard work” and it’s slowly won
40. Call to Action

41. Vulnerability Reporting & Security Feature Suggestions
§  Report Vulnerabilities
–  Support Customers: My Oracle Support
–  Others: secalert_us@oracle.com
Policy: http://www.oracle.com/us/support/assurance/reporting/index.html
§  Suggest New Features
–  http://bugreport.sun.com/bugreport/

42. Upcoming CPUs
§  April 16, 2013
§  June 18, 2013
§  October 15, 2013 (transition to Oracle CPU schedule)
§  January 14, 2013
§  CPUs: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

43. Java Platform Support
§  I receive many questions on support programs, and to answer a few…
§  3 Options
–  Premier, 5 years from GA
–  Extended, Premier + 3 years
–  Sustaining, “as long as you own your Oracle products”
Disclaimer: No, I don’t receive a commission. ;o)
Ref: http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf

44. Java Root Certificate Program
§  Like browsers, Java ships with root certificates.
§  Our roots establish intrinsic “trust” for Java users.
§  Of course, users are always free to include their own certificates.
§  Program rules apply, see the following link.
Ref: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html

45. Help Us Keep You Secure
§  To end users…
–  Keep your JREs updated (auto-update on)
–  Practice defense-in-depth: virus scanner, firewall
§  To developers…
–  Support current JREs so end users can upgrade
–  Sign your applications (use timestamp)
–  Validate untrusted data (input/output validation)
–  Follow the Open Web Application Security Project, https://www.owasp.org/
§  All
–  Attend the new security track at JavaOne 2013 in San Francisco CA, USA

46. oracle.com/javajobs