Sr. Developer Advocate for Snyk, Java Champion, and Software Engineer with over a decade of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is a JUG leader for the Virtual JUG and the NLJUG. He also co-leads the DevSecCon community and is a community manager for Foojay. He is a regular international speaker on mostly Java-related conferences like JavaOne, Devnexus, Devoxx, Jfokus, JavaZone and many more. Besides all that, Brian is a military reserve for the Royal Netherlands Air Force and a Taekwondo Master / Teacher.
Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates this security vulnerability. This problem is also not restricted to Java’s custom serialization framework. When deserializing JSON, XML, or YAML, similar issues can occur as well. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. Next, I will show that deserializing XML, JSON, and YAML can also get you into trouble. And of course, we had the recent Log4j problems with deserialization. Many different problems can occur when deserializing data, and in this session I will use several demos to illustrate various security issues. How do you avoid these issues? I will give you some pointers on how to mitigate these problems in your own applications; this also includes new features in Java 17. At the end of this session, you will have an understanding of the problem space and be able to take action in your code to prevent it.
So you built your Java apps and containerized them, great job! But what does it take to secure a container? Are you sure you're following all the best practices to build container images correctly? What are the threats you are not mitigating in a running container? There’s no better way to understand container security than seeing some live hacking! This session introduces the state of Docker security by reviewing vulnerabilities in Docker images and their impact on your Java application. Join me to learn and adopt best practices for running secure containerized Java applications in production.
As developers we often hear the word “security” and assume it means either “authentication” or “encryption”. Maybe we assume it’s just someone else’s problem because deep down we don’t really know what we are supposed to do. It’s not really acceptable anymore to dodge the question or point at IT, or DevOps, or even DevSecOps as being the ones who have to ‘solve’ security.
In this talk we’re going to look at simple practical steps that you can do now to improve your understanding, increase the safety of your applications and tools and generally reduce your fright levels. Working through the development life cycle and the CI/CD pipeline we’ll visit each step and introduce you to some of the open source tools and services that exist today to help make your life less stressful and keep the bad guys further away.
We’ll help you understand the risks you might already be taking, and how and why these tools can reduce your exposure. After all, understanding the risk is half the battle: knowing what you’re up against helps you add defences.
Security doesn’t have to be scary. Take the time to dispel some of the fear.