SlideShare a Scribd company logo

Securing Java Server Apps

Chris Bailey
Chris Bailey

Java has a security model targeted at running applets and untrusted code, so you don’t need to worry about running your own code on your own servers, right? In fact, there are several vulnerability patterns that can affect server-side Java applications, and this presentation outlines some of the steps you should take to ensure that your server room is not compromised. It looks at the established techniques for enhancing your security and shows new technology from IBM that addresses several attack vectors.

Technology
1 of 28
Download to read offline
JavaOne 2013 Securing Java in the Server Room Tim Ellison, IBM United Kingdom Ltd. CON 3636 © 2013 IBM Corporation
Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com 3 © 2013 IBM Corporation
“The only secure computer is one that is unplugged, locked in a safe, and buried 20 feet under ground in a secret location ... and I am not even too sure about that one.” attributed to Dennis Huges, F.B.I. Flickr: buster19761976 © 2013 IBM Corporation
The nature of server-side security © 2013 IBM Corporation
Client-side computing  Clients perform multiple tasks for a single user  Variety of devices, operating systems, and applications  Typically connect over untrusted networks  Under control of individuals disassociated with the services it uses  May be compromised, or deliberately used to challenge the security of the server Flickr: NielsBD © 2013 IBM Corporation
Server-side computing  Servers typically perform a single task for multiple users  Usually more powerful computing capacity than clients  Running controlled applications  Connecting to a wide variety of clients and back end systems  Servers are considered a higher value target to attackers because: – more valuable to the owning organization's business – they provide a service to multiple users – have access to data regarding multiple clients / services © 2013 IBM Corporation
Server security  Server side security is distributed across a number of systems and zones  Requests must pass through multiple checks before reaching the server platform Inner DMZ filter Outer DMZ filter Client filter  Specialized filters and applications run at each level to scrub the requests and check for abnormal behaviors that indicate a security breach Server platform © 2013 IBM Corporation
Securing the computing platform  Host intrusion detection and prevention system – – – – Monitor the system activity to identify and block malicious activities Identify the suspicious activity by comparing to known good signatures of activity Block suspicious activities and raises operator alerts Maintain the integrity of the server  Firewall – Interface between trusted and untrusted networks – Ensure server's network connections are within policy – Limited level of application knowledge security  Antivirus software – Identify and prevent spread of malware in the trusted network – Often black-list or heuristics based – Servers can have more restrictive white-list detection © 2013 IBM Corporation
Securing the cloud computing platform  Cloud service platforms – Service provider must be trusted – Outsourcing some security considerations (can be a good thing!) – Ability to control details of server infrastructure is limited – Sensitive data must leave the organization  Virtualized servers – Resources are shared, potentially with untrusted tenants – Applications may be migrated dynamically between hosts – Protection appliances and software should be virtualization-aware © 2013 IBM Corporation
Securing Java in the server room  While Java may be used to implement the filters and zone software, we will focus on the application service provider running on the server platform Client Outer DMZ Inner DMZ Risks Server platform – Data-loss / exposure – Denial of service – Data and process integrity – Bad actors – Suppliers (code and services) © 2013 IBM Corporation
Writing secure applications in Java  Secure applications require a whole life-cycle approach – Secure requirements, threat modelling, risk analysis, secure coding, security testing, security documentation, incident response policy – Management of third-party dependencies – Source code management – Coding guidelines – Compiler settings and analysis tools – Explicit security testing  Use Java's strengths appropriately – – – – – Java has strong typing, array bounds checking, bytecode verification, JAR signing, ... Java also has a number of legacy/unsafe APIs and defaults that are inappropriate for secure coding No strong model for data security May have to call out to other languages ...this is where there are lessons to be learnt © 2013 IBM Corporation
Sources of server-side Java security information © 2013 IBM Corporation
Common Vulnerabilities and Exposures  Standardized naming authority for known vulnerabilities and exposures  A common name helps identify the same issue across multiple vendors, tools, releases, etc  Contains brief information, such as status indicator, short description, and related issues  No description of impact, fix information, or detailed technical information  Contains approx. 57,000 CVEs National Vulnerability Database  US Government repository for vulnerability management data  Indexed by CVE, gives assessment of impact, complexity of exploit, technical details, and links to vendor information, etc  Utilizes the “Common Vulnerability Scoring System (CVSS)” to assess vulnerabilities © 2013 IBM Corporation
Common Weakness Enumeration  List of software weaknesses across various languages – – – – Sponsored by Office of Cybersecurity and Communications, U.S. Department of Homeland Security Contributions by a broad community including a wide variety of organizations Shared resource for software developers, tools vendors, security researchers, educators, etc. CWE Compatibility and Effectiveness Program for certifying products and services  CWE version 2.5 – 940 vulnerabilities described, categorized into 187 different categories – Complete with taxonomy, examples, consequences, relationships, etc. – 73 are classified as weaknesses specific to software written in Java  The “Top 25 CWEs” represent the most significant exploitable software constructs  Utilizes the Common Weakness Scoring System, and Common Weakness Risk Analysis Framework – Gives a quantitative measurement of the unfixed weaknessis in an application – Rates weaknesses in terms of impact to business © 2013 IBM Corporation
Open Web Application Security Project  Community driven open source materials related to software security – Raising awareness about risks and specific coding vulnerabilitites – Advocate risk management approach rather than find and patch  Publish a Top 10 list of most critical web app security risks  Vulnerabilities are classified to enable the likely impact to the business © 2013 IBM Corporation
Vendor Security Bulletins  Specific information about security vulnerabilities that may affect vendor products are published on-line Java Specific Notices  e.g. IBM Product Security Incident Response – https://www.ibm.com/blogs/PSIRT  e.g. Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin – http://www.oracle.com/technetwork/topics/security/alerts086861.html © 2013 IBM Corporation
A closer look at server-side security © 2013 IBM Corporation
Simplified Server Application Architecture  Useful to consider the various weaknesses in the context of a simplified server architecture User Sessions & Data Application Middleware Java filter OS Platform Client Interface Database data data © 2013 IBM Corporation
Computing Platform User Sessions Application Potential issues attributed to the application's computing platform  Risks from mis-configuration or manipulation of the computer system hosting the application. Middleware Java OS Platform Client Interface Database  Vulnerabilities affecting the safe and secure operation of the application and its data by deliberate or inadvertent unauthorized manipulation of the system. Examples CWE-842: Placement of User into Incorrect Group The software or the administrator places a user into an incorrect group. CWE-605: Multiple Binds to the Same Port When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. CWE-405: Asymmetric Resource Consumption (Amplification) Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
Java Platform User Sessions Application Potential issues attributed to Java-specific weaknesses  Using APIs as they are intended to be used, and adopting mitigating actions for those with known high risk. Middleware Java OS Platform Client Interface Database  Designing the application and using coding patterns that promote secure practices, while avoiding those shown to be at risk of introducing vulnerabilities. Examples CWE-227: Improper Fulfillment of API Contract ('API Abuse') The software uses an API in a manner contrary to its intended use, or makes assumptions that are not assured by the API documentation. CWE-487: Reliance on Package Level Scope Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Application and Middleware User Sessions Application Potential issues attributed to concepts in the application middleware stack  Ensuring correct usage of high-level concepts and their semantics by developers. Middleware Java OS Platform Client Interface Database  Potential risks by defining behavior and manipulating data at Examples different levels of application-defined authority. CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session The application stores a non-serializable object as an HttpSession attribute, which means the session cannot be replicated across JVMs. CWE-613: Insufficient Session Expiration Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
User Sessions User Sessions Potential issues attributed to concepts in management of user level controls Java  Ensuring that the logical unit of work encapsulated as application sessions are secure, robust, and do not lead to data exposure. Application Middleware OS Platform Client Interface Database  Protecting the integrity of shared secrets and methods for establishing identity of users, systems, applications, etc Examples CWE-268: Privilege Chaining Privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. CWE-272: Least Privilege Violation Elevated privilege levels required to perform operations should be dropped immediately after the operation is performed. CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision Attackers can easily modify cookies and can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value. CWE-732: Incorrect Permission Assignment for Critical Resource Giving permissions to a wider range of actors than required, could lead to the exposure of sensitive information, or the modification of that resource by unintended parties.
Client Interface User Sessions Risks for systems that depend upon secure communications Application Middleware  Avoiding numerous risks that may diminish the assurances of secrecy through the use of cryptographic techniques. Java OS Platform Client Interface Database  Protecting the integrity of secure data exchange and methods for establishing identity of the participants. Examples CWE-327: Use of a Broken or Risky Cryptographic Algorithm The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. CWE-337: Predictable Seed in PRNG A PRNG is initialized from a predictable seed, e.g. using process ID or system time. CWE-299: Improper Check for Certificate Revocation The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. CWE-297: Improper Validation of Certificate with Host Mismatch The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
Database User Sessions Risks in managing the data you use to achieve a business objective Application Middleware  Risks associated with application data being modified by, or exposed to, those with no business need for such access. Java OS Platform Client Interface Database  Increasing the security assurances around application data that is exposed to external storage, either temporarily or permanently. Examples CWE-313: Cleartext Storage in a File or on Disk The application stores sensitive information in cleartext in a file, or on disk that could be read by attackers with access to the file, or with physical or administrator access to the raw disk. CWE-499: Serializable Class Containing Sensitive Data The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. CWE-359: Privacy Violation Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal..
System Data User Sessions Consideration of risks handling data associated with the computing platform itself  Risks associated with storing descriptive system history in shared log locations. Application Middleware Java OS Platform Client Interface Database  Risks of inadvertently disclosing through system tools and behavior information that is protected by the application. Examples CWE-532: Information Exposure Through Log Files While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. CWE-208: Information Exposure Through Timing Discrepancy Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. CWE-530: Exposure of Backup File to an Unauthorized Control Sphere A backup file is stored in a directory that is accessible to actors outside of the intended control sphere.
Summary – securing Java in the server room  Planning  risk assessment for type of application  define integrity and confidentiality goals  identify applicable policies  assurances about the computing platform  Development  secure engineering practices  mitigation and avoidance of known risks  security testing and review  user and administrator guidance  Operations  configuration management control and auditing  intrusion detection and monitoring  action plan for dealing with security incidents  contingency planning
Securing Java Server Apps

Recommended

Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
Impact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsImpact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsChris Bailey
 
JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013richardgcurtis
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
JavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryJavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryRyan Sciampacone
 
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRJavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRRyan Sciampacone
 

Recommended

Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
Impact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsImpact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsChris Bailey
 
JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013richardgcurtis
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
JavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryJavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryRyan Sciampacone
 
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRJavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRRyan Sciampacone
 
Virtualization aware Java VM
Virtualization aware Java VMVirtualization aware Java VM
Virtualization aware Java VMTim Ellison
 
Java on zSystems zOS
Java on zSystems zOSJava on zSystems zOS
Java on zSystems zOSTim Ellison
 
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...WASdev Community
 
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXInfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXIBMInfoSphereUGFR
 
A Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceA Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceTim Ellison
 
Bfc Presentation
Bfc PresentationBfc Presentation
Bfc PresentationHerea Adrian
 
The Bluemix Quadruple Threat
The Bluemix Quadruple ThreatThe Bluemix Quadruple Threat
The Bluemix Quadruple ThreatRam Vennam
 
Streams Studio Support for IBM InfoSphere Streams V4.0
Streams Studio Support for IBM InfoSphere Streams V4.0Streams Studio Support for IBM InfoSphere Streams V4.0
Streams Studio Support for IBM InfoSphere Streams V4.0lisanl
 
Five cool ways the JVM can run Apache Spark faster
Five cool ways the JVM can run Apache Spark fasterFive cool ways the JVM can run Apache Spark faster
Five cool ways the JVM can run Apache Spark fasterTim Ellison
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMWASdev Community
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lakeEMC
 
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...David Currie
 
Toolkits Overview for IBM Streams V4.2
Toolkits Overview for IBM Streams V4.2Toolkits Overview for IBM Streams V4.2
Toolkits Overview for IBM Streams V4.2lisanl
 
Seminar - JBoss Migration
Seminar - JBoss MigrationSeminar - JBoss Migration
Seminar - JBoss MigrationXebia IT Architects
 
z/VM and OpenStack
z/VM and OpenStackz/VM and OpenStack
z/VM and OpenStackOpenStack_Online
 
Ibm urbancode deploy concepts
Ibm urbancode deploy conceptsIbm urbancode deploy concepts
Ibm urbancode deploy conceptsJoseph's WebSphere Library
 
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver VMworld
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsjasonhaddix
 
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps IBM UrbanCode Products
 
Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server RoomTim Ellison
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 

More Related Content

What's hot

Virtualization aware Java VM
Virtualization aware Java VMVirtualization aware Java VM
Virtualization aware Java VMTim Ellison
 
Java on zSystems zOS
Java on zSystems zOSJava on zSystems zOS
Java on zSystems zOSTim Ellison
 
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...WASdev Community
 
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXInfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXIBMInfoSphereUGFR
 
A Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceA Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceTim Ellison
 
The Bluemix Quadruple Threat
The Bluemix Quadruple ThreatThe Bluemix Quadruple Threat
The Bluemix Quadruple ThreatRam Vennam
 
Streams Studio Support for IBM InfoSphere Streams V4.0
Streams Studio Support for IBM InfoSphere Streams V4.0Streams Studio Support for IBM InfoSphere Streams V4.0
Streams Studio Support for IBM InfoSphere Streams V4.0lisanl
 
Five cool ways the JVM can run Apache Spark faster
Five cool ways the JVM can run Apache Spark fasterFive cool ways the JVM can run Apache Spark faster
Five cool ways the JVM can run Apache Spark fasterTim Ellison
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMWASdev Community
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lakeEMC
 
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...David Currie
 
Toolkits Overview for IBM Streams V4.2
Toolkits Overview for IBM Streams V4.2Toolkits Overview for IBM Streams V4.2
Toolkits Overview for IBM Streams V4.2lisanl
 
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver VMworld
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsjasonhaddix
 
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps IBM UrbanCode Products
 

What's hot (20)

Virtualization aware Java VM
Virtualization aware Java VMVirtualization aware Java VM
Virtualization aware Java VM
 
Java on zSystems zOS
Java on zSystems zOSJava on zSystems zOS
Java on zSystems zOS
 
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
AAI-3281 Smarter Production with WebSphere Application Server ND Intelligent ...
 
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXInfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
 
A Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceA Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark Performance
 
Bfc Presentation
Bfc PresentationBfc Presentation
Bfc Presentation
 
The Bluemix Quadruple Threat
The Bluemix Quadruple ThreatThe Bluemix Quadruple Threat
The Bluemix Quadruple Threat
 
Streams Studio Support for IBM InfoSphere Streams V4.0
Streams Studio Support for IBM InfoSphere Streams V4.0Streams Studio Support for IBM InfoSphere Streams V4.0
Streams Studio Support for IBM InfoSphere Streams V4.0
 
Five cool ways the JVM can run Apache Spark faster
Five cool ways the JVM can run Apache Spark fasterFive cool ways the JVM can run Apache Spark faster
Five cool ways the JVM can run Apache Spark faster
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPM
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
Microservice Builder: A Microservice DevOps Pipeline for Rapid Delivery and P...
 
Toolkits Overview for IBM Streams V4.2
Toolkits Overview for IBM Streams V4.2Toolkits Overview for IBM Streams V4.2
Toolkits Overview for IBM Streams V4.2
 
Seminar - JBoss Migration
Seminar - JBoss MigrationSeminar - JBoss Migration
Seminar - JBoss Migration
 
z/VM and OpenStack
z/VM and OpenStackz/VM and OpenStack
z/VM and OpenStack
 
Ibm urbancode deploy concepts
Ibm urbancode deploy conceptsIbm urbancode deploy concepts
Ibm urbancode deploy concepts
 
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
VMworld 2013: How to Replace Websphere Application Server (WAS) with TCserver
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
 
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
Mobile to mainframe - The Challenges and Best Practices of Enterprise DevOps
 

Similar to Securing Java Server Apps

Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server RoomTim Ellison
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 
Closing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsClosing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsRay Overby
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide Array Networks
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
University Management System - UMS-X1 Technical Data
University Management System - UMS-X1 Technical DataUniversity Management System - UMS-X1 Technical Data
University Management System - UMS-X1 Technical DataNasser Hassan
 
Ibm app security assessment_ds
Ibm app security assessment_dsIbm app security assessment_ds
Ibm app security assessment_dsArun Gopinath
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server zOSCommserver
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-WilheminaRossi174
 
Seven deadly threats and vulnerabilities in cloud
Seven deadly threats and vulnerabilities in cloudSeven deadly threats and vulnerabilities in cloud
Seven deadly threats and vulnerabilities in cloudcloudresearcher
 
Seven Deadly Threats and Vulnerabilities in Cloud Computing
Seven Deadly Threats and Vulnerabilities in Cloud ComputingSeven Deadly Threats and Vulnerabilities in Cloud Computing
Seven Deadly Threats and Vulnerabilities in Cloud ComputingMervat Bamiah
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 

Similar to Securing Java Server Apps (20)

Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server Room
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 
Closing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsClosing Mainframe Integrity Gaps
Closing Mainframe Integrity Gaps
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelines
 
University Management System - UMS-X1 Technical Data
University Management System - UMS-X1 Technical DataUniversity Management System - UMS-X1 Technical Data
University Management System - UMS-X1 Technical Data
 
Ibm app security assessment_ds
Ibm app security assessment_dsIbm app security assessment_ds
Ibm app security assessment_ds
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized Enterprise
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized Enterprise
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
 
Seven deadly threats and vulnerabilities in cloud
Seven deadly threats and vulnerabilities in cloudSeven deadly threats and vulnerabilities in cloud
Seven deadly threats and vulnerabilities in cloud
 
Seven Deadly Threats and Vulnerabilities in Cloud Computing
Seven Deadly Threats and Vulnerabilities in Cloud ComputingSeven Deadly Threats and Vulnerabilities in Cloud Computing
Seven Deadly Threats and Vulnerabilities in Cloud Computing
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Servers
 
CloudSecurity
CloudSecurityCloudSecurity
CloudSecurity
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 

More from Chris Bailey

NodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets FrameworksNodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets FrameworksChris Bailey
 
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaSVoxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaSChris Bailey
 
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native WorldSilicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native WorldChris Bailey
 
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at SpeedFaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at SpeedChris Bailey
 
AltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the UnionAltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the UnionChris Bailey
 
Server-side Swift with Swagger
Server-side Swift with SwaggerServer-side Swift with Swagger
Server-side Swift with SwaggerChris Bailey
 
Node Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.jsNode Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.jsChris Bailey
 
Index - BFFs vs GraphQL
Index - BFFs vs GraphQLIndex - BFFs vs GraphQL
Index - BFFs vs GraphQLChris Bailey
 
Swift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesSwift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesChris Bailey
 
Swift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack SwiftSwift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack SwiftChris Bailey
 
Try!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is SwiftTry!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is SwiftChris Bailey
 
Swift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the UnionSwift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the UnionChris Bailey
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesChris Bailey
 
IBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and SwiftIBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and SwiftChris Bailey
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesChris Bailey
 
FrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) SwiftFrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) SwiftChris Bailey
 
AltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 MinutesAltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 MinutesChris Bailey
 
InterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java DevelopersInterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java DevelopersChris Bailey
 
InterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and WhenInterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and WhenChris Bailey
 
Playgrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFFPlaygrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFFChris Bailey
 

More from Chris Bailey (20)

NodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets FrameworksNodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets Frameworks
 
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaSVoxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
 
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native WorldSilicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
 
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at SpeedFaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
 
AltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the UnionAltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the Union
 
Server-side Swift with Swagger
Server-side Swift with SwaggerServer-side Swift with Swagger
Server-side Swift with Swagger
 
Node Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.jsNode Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.js
 
Index - BFFs vs GraphQL
Index - BFFs vs GraphQLIndex - BFFs vs GraphQL
Index - BFFs vs GraphQL
 
Swift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesSwift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift Microservices
 
Swift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack SwiftSwift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack Swift
 
Try!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is SwiftTry!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is Swift
 
Swift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the UnionSwift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the Union
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
 
IBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and SwiftIBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and Swift
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
 
FrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) SwiftFrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) Swift
 
AltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 MinutesAltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 Minutes
 
InterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java DevelopersInterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java Developers
 
InterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and WhenInterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and When
 
Playgrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFFPlaygrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFF
 

Recently uploaded

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Recently uploaded (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Securing Java Server Apps

  • 1. JavaOne 2013 Securing Java in the Server Room Tim Ellison, IBM United Kingdom Ltd. CON 3636 © 2013 IBM Corporation
  • 2. Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
  • 3. About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com 3 © 2013 IBM Corporation
  • 4. “The only secure computer is one that is unplugged, locked in a safe, and buried 20 feet under ground in a secret location ... and I am not even too sure about that one.” attributed to Dennis Huges, F.B.I. Flickr: buster19761976 © 2013 IBM Corporation
  • 5. The nature of server-side security © 2013 IBM Corporation
  • 6. Client-side computing  Clients perform multiple tasks for a single user  Variety of devices, operating systems, and applications  Typically connect over untrusted networks  Under control of individuals disassociated with the services it uses  May be compromised, or deliberately used to challenge the security of the server Flickr: NielsBD © 2013 IBM Corporation
  • 7. Server-side computing  Servers typically perform a single task for multiple users  Usually more powerful computing capacity than clients  Running controlled applications  Connecting to a wide variety of clients and back end systems  Servers are considered a higher value target to attackers because: – more valuable to the owning organization's business – they provide a service to multiple users – have access to data regarding multiple clients / services © 2013 IBM Corporation
  • 8. Server security  Server side security is distributed across a number of systems and zones  Requests must pass through multiple checks before reaching the server platform Inner DMZ filter Outer DMZ filter Client filter  Specialized filters and applications run at each level to scrub the requests and check for abnormal behaviors that indicate a security breach Server platform © 2013 IBM Corporation
  • 9. Securing the computing platform  Host intrusion detection and prevention system – – – – Monitor the system activity to identify and block malicious activities Identify the suspicious activity by comparing to known good signatures of activity Block suspicious activities and raises operator alerts Maintain the integrity of the server  Firewall – Interface between trusted and untrusted networks – Ensure server's network connections are within policy – Limited level of application knowledge security  Antivirus software – Identify and prevent spread of malware in the trusted network – Often black-list or heuristics based – Servers can have more restrictive white-list detection © 2013 IBM Corporation
  • 10. Securing the cloud computing platform  Cloud service platforms – Service provider must be trusted – Outsourcing some security considerations (can be a good thing!) – Ability to control details of server infrastructure is limited – Sensitive data must leave the organization  Virtualized servers – Resources are shared, potentially with untrusted tenants – Applications may be migrated dynamically between hosts – Protection appliances and software should be virtualization-aware © 2013 IBM Corporation
  • 11. Securing Java in the server room  While Java may be used to implement the filters and zone software, we will focus on the application service provider running on the server platform Client Outer DMZ Inner DMZ Risks Server platform – Data-loss / exposure – Denial of service – Data and process integrity – Bad actors – Suppliers (code and services) © 2013 IBM Corporation
  • 12. Writing secure applications in Java  Secure applications require a whole life-cycle approach – Secure requirements, threat modelling, risk analysis, secure coding, security testing, security documentation, incident response policy – Management of third-party dependencies – Source code management – Coding guidelines – Compiler settings and analysis tools – Explicit security testing  Use Java's strengths appropriately – – – – – Java has strong typing, array bounds checking, bytecode verification, JAR signing, ... Java also has a number of legacy/unsafe APIs and defaults that are inappropriate for secure coding No strong model for data security May have to call out to other languages ...this is where there are lessons to be learnt © 2013 IBM Corporation
  • 13. Sources of server-side Java security information © 2013 IBM Corporation
  • 14. Common Vulnerabilities and Exposures  Standardized naming authority for known vulnerabilities and exposures  A common name helps identify the same issue across multiple vendors, tools, releases, etc  Contains brief information, such as status indicator, short description, and related issues  No description of impact, fix information, or detailed technical information  Contains approx. 57,000 CVEs National Vulnerability Database  US Government repository for vulnerability management data  Indexed by CVE, gives assessment of impact, complexity of exploit, technical details, and links to vendor information, etc  Utilizes the “Common Vulnerability Scoring System (CVSS)” to assess vulnerabilities © 2013 IBM Corporation
  • 15. Common Weakness Enumeration  List of software weaknesses across various languages – – – – Sponsored by Office of Cybersecurity and Communications, U.S. Department of Homeland Security Contributions by a broad community including a wide variety of organizations Shared resource for software developers, tools vendors, security researchers, educators, etc. CWE Compatibility and Effectiveness Program for certifying products and services  CWE version 2.5 – 940 vulnerabilities described, categorized into 187 different categories – Complete with taxonomy, examples, consequences, relationships, etc. – 73 are classified as weaknesses specific to software written in Java  The “Top 25 CWEs” represent the most significant exploitable software constructs  Utilizes the Common Weakness Scoring System, and Common Weakness Risk Analysis Framework – Gives a quantitative measurement of the unfixed weaknessis in an application – Rates weaknesses in terms of impact to business © 2013 IBM Corporation
  • 16. Open Web Application Security Project  Community driven open source materials related to software security – Raising awareness about risks and specific coding vulnerabilitites – Advocate risk management approach rather than find and patch  Publish a Top 10 list of most critical web app security risks  Vulnerabilities are classified to enable the likely impact to the business © 2013 IBM Corporation
  • 17. Vendor Security Bulletins  Specific information about security vulnerabilities that may affect vendor products are published on-line Java Specific Notices  e.g. IBM Product Security Incident Response – https://www.ibm.com/blogs/PSIRT  e.g. Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin – http://www.oracle.com/technetwork/topics/security/alerts086861.html © 2013 IBM Corporation
  • 18. A closer look at server-side security © 2013 IBM Corporation
  • 19. Simplified Server Application Architecture  Useful to consider the various weaknesses in the context of a simplified server architecture User Sessions & Data Application Middleware Java filter OS Platform Client Interface Database data data © 2013 IBM Corporation
  • 20. Computing Platform User Sessions Application Potential issues attributed to the application's computing platform  Risks from mis-configuration or manipulation of the computer system hosting the application. Middleware Java OS Platform Client Interface Database  Vulnerabilities affecting the safe and secure operation of the application and its data by deliberate or inadvertent unauthorized manipulation of the system. Examples CWE-842: Placement of User into Incorrect Group The software or the administrator places a user into an incorrect group. CWE-605: Multiple Binds to the Same Port When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. CWE-405: Asymmetric Resource Consumption (Amplification) Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
  • 21. Java Platform User Sessions Application Potential issues attributed to Java-specific weaknesses  Using APIs as they are intended to be used, and adopting mitigating actions for those with known high risk. Middleware Java OS Platform Client Interface Database  Designing the application and using coding patterns that promote secure practices, while avoiding those shown to be at risk of introducing vulnerabilities. Examples CWE-227: Improper Fulfillment of API Contract ('API Abuse') The software uses an API in a manner contrary to its intended use, or makes assumptions that are not assured by the API documentation. CWE-487: Reliance on Package Level Scope Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
  • 22. Application and Middleware User Sessions Application Potential issues attributed to concepts in the application middleware stack  Ensuring correct usage of high-level concepts and their semantics by developers. Middleware Java OS Platform Client Interface Database  Potential risks by defining behavior and manipulating data at Examples different levels of application-defined authority. CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session The application stores a non-serializable object as an HttpSession attribute, which means the session cannot be replicated across JVMs. CWE-613: Insufficient Session Expiration Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
  • 23. User Sessions User Sessions Potential issues attributed to concepts in management of user level controls Java  Ensuring that the logical unit of work encapsulated as application sessions are secure, robust, and do not lead to data exposure. Application Middleware OS Platform Client Interface Database  Protecting the integrity of shared secrets and methods for establishing identity of users, systems, applications, etc Examples CWE-268: Privilege Chaining Privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. CWE-272: Least Privilege Violation Elevated privilege levels required to perform operations should be dropped immediately after the operation is performed. CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision Attackers can easily modify cookies and can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value. CWE-732: Incorrect Permission Assignment for Critical Resource Giving permissions to a wider range of actors than required, could lead to the exposure of sensitive information, or the modification of that resource by unintended parties.
  • 24. Client Interface User Sessions Risks for systems that depend upon secure communications Application Middleware  Avoiding numerous risks that may diminish the assurances of secrecy through the use of cryptographic techniques. Java OS Platform Client Interface Database  Protecting the integrity of secure data exchange and methods for establishing identity of the participants. Examples CWE-327: Use of a Broken or Risky Cryptographic Algorithm The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. CWE-337: Predictable Seed in PRNG A PRNG is initialized from a predictable seed, e.g. using process ID or system time. CWE-299: Improper Check for Certificate Revocation The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. CWE-297: Improper Validation of Certificate with Host Mismatch The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
  • 25. Database User Sessions Risks in managing the data you use to achieve a business objective Application Middleware  Risks associated with application data being modified by, or exposed to, those with no business need for such access. Java OS Platform Client Interface Database  Increasing the security assurances around application data that is exposed to external storage, either temporarily or permanently. Examples CWE-313: Cleartext Storage in a File or on Disk The application stores sensitive information in cleartext in a file, or on disk that could be read by attackers with access to the file, or with physical or administrator access to the raw disk. CWE-499: Serializable Class Containing Sensitive Data The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. CWE-359: Privacy Violation Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal..
  • 26. System Data User Sessions Consideration of risks handling data associated with the computing platform itself  Risks associated with storing descriptive system history in shared log locations. Application Middleware Java OS Platform Client Interface Database  Risks of inadvertently disclosing through system tools and behavior information that is protected by the application. Examples CWE-532: Information Exposure Through Log Files While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. CWE-208: Information Exposure Through Timing Discrepancy Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. CWE-530: Exposure of Backup File to an Unauthorized Control Sphere A backup file is stored in a directory that is accessible to actors outside of the intended control sphere.
  • 27. Summary – securing Java in the server room  Planning  risk assessment for type of application  define integrity and confidentiality goals  identify applicable policies  assurances about the computing platform  Development  secure engineering practices  mitigation and avoidance of known risks  security testing and review  user and administrator guidance  Operations  configuration management control and auditing  intrusion detection and monitoring  action plan for dealing with security incidents  contingency planning