How to hack and secure your Java web application
Published April 16th, 2009 Under Coding
Although Java offers some great security ‘features’, this talk addresses the lack of ‘built-in’ security when you develop your web applications. Security is not an on/off button or parameter you activate for your deployment! Some real-world hacks will be demonstrated to show how easy it is to break the confidentiality or integrity of your data and how easy it is to break your web application! To finish off on a positive note: it IS possible to do it the right way. The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security “visible,” so that people and organizations can make informed decisions about application security risks. OWASP tools and methodologies such as OWASP Java security, source code security review and the enterprise security provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques.
Tomcat: Maximizing Performance & Security
Published November 24th, 2008 Under Architecture, Open Source Tools
Mark Thomas, a senior software engineer from SpringSource and the leading contributor to Tomcat security, talks about how security vulnerabilities are handled by the Tomcat team and how end users are served while preventing security problems. Mark discusses a disadvantage of working on an open source project: as soon as a new version is published, it can be reverse engineered and the vulnerabilities it fixes can be discovered. Therefore, commits are not announced as security fixes; vulnerabilities are announced only once a release is available for download. Mark gives some examples of previous security issues and explains them briefly. Some of the vulnerabilities do not apply to all versions of a release. Upgrading or patching is an appropriate solution in most cases, and Mark demonstrates how these are done by changing the Tomcat configuration. Clustering can be another option, and he explains how this can be achieved towards the end of the talk.
Advanced Threat Modeling
Published September 9th, 2008 Under Architecture, Coding
In this presentation, John Steven talks about modeling security threats as a way to discover, understand and counteract threats while designing the system architecture. John presents threat modeling through examples focusing on authentication, authorization and session management.
John Steven is a Technical Director with Cigital, Inc. and a founding member of the company’s Office of the CTO. His experience spans consulting, distributed systems architecture, operating systems, and software quality and security research. Mr. Steven holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.