Sr. Developer Advocate for Snyk, Java Champion, and Software Engineer with over a decade of hands-on experience in creating and maintaining software. He is passionate about Java, (pure) functional programming, and cybersecurity. Brian is a JUG leader for the Virtual JUG and the NLJUG. He also co-leads the DevSecCon community and is a community manager for Foojay. He is a regular international speaker at mostly Java-related conferences such as JavaOne, Devnexus, Devoxx, Jfokus, JavaZone, and many more. Besides all that, Brian is a military reservist in the Royal Netherlands Air Force and a Taekwondo master and teacher.
Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates this security vulnerability. This problem is also not restricted to Java’s custom serialization framework: when deserializing JSON, XML, or YAML, similar issues can occur as well. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. Next, I will show that deserializing XML, JSON, and YAML can also get you into trouble. And of course, we had the recent Log4j problems with deserialization. Many different problems can occur when deserializing data, and in this session I will use several demos to illustrate various security issues. How do you avoid these issues? I will give you some pointers on how to mitigate these problems in your own applications, including new features in Java 17. At the end of this session, you will have an understanding of the problem space and be able to take action in your code to prevent it.
Building cloud-native Java applications is undoubtedly awesome. However, it comes with undeniable new risks. Next to your own code, you are relying on so many other things. Blindly depending on open-source libraries and Docker images can form a massive risk for your application. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your users' data. Join this talk where we’ll show common threats, vulnerabilities, and misconfigurations, including the recently disclosed issues in Log4j. Most importantly, you’ll learn how to protect your application with actionable remediation and best practices.
The Log4j security vulnerability, better known as Log4Shell, was the most severe security issue in years. In this minilab, we will explore and rebuild the exploit in old and new versions of Java. After this lab, you will have a better understanding of this security vulnerability. More importantly, you will know why and how to fix similar problems in your application.