-
Avoid Java Serialization!
Serialization in Java allows us to transform an object to a byte stream. This byte stream is either saved to disk or transported to another system. The other way around, a byte stream can be deserialized and allows us to recreate the original object.
If you need to deserialize an input stream yourself, you should use an ObjectInputStream with restrictions. A nice example of this is the ValidatingObjectInputStream from Apache Commons IO. This ObjectInputStream checks whether the object being deserialized is allowed or not.
-
How to Configure Your Java XML Parsers to Prevent XXE Attacks
With XML eXternal Entity (XXE) processing enabled, it is possible to craft a malicious XML document, as shown in the article, and read the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities. Java XML libraries are particularly vulnerable to XXE injection because most XML parsers have external entities enabled by default.
Changing the default settings of the DefaultHandler and the Java SAX parser to disallow external entities and doctypes, for Xerces1 or Xerces2 respectively, prevents these kinds of attacks.
-
Securing Microservices with Auth0 and MicroProfile in Kubernetes
In this day and age, securing enterprise platforms is a challenge that developers and consultants tackle in an uninformed manner, producing subpar solutions in most cases.
This presentation by Ondrej Mihalyi at DevOpsCon showcases the strength of combining MicroProfile and an OAuth service by doing a live demonstration of securing enterprise Java microservices in Kubernetes.
-
Fixing Vulnerabilities in Maven Projects
Maven is still the most used build system in the Java ecosystem. According to the JVM report 2020, Maven is the number one build tool in the ecosystem with two-thirds of the share.
Therefore, it is important to know how Maven works. For instance, if you find vulnerabilities in your Maven project using Snyk, how can you fix them?
-
foojay: A Place for Friends of OpenJDK
It’s exciting to have foojay as a place to provide information to everyday Java developers and to work collaboratively on evolving foojay content to provide commentaries on the latest Java developments.
We’re actively looking for highly skilled and knowledgeable Java developers to join us (we are even hiring for that purpose) and our aim is for foojay to increasingly become a place of sharing reference materials and discussion throughout the Java industry.