Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Java Applications

Published byDorothy Cox Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing Java Applications"— Presentation transcript:

1 Securing Java Applications
Joseph Konieczka BrixBits Sales Engineer

2 Agenda Current State Resources Top 10 Vulnerabilities
BrixBits Security Analyzer Q & A

3 Questions to ask yourself
How often do you review your code for vulnerabilities? When do you normally deploy the quarterly critical patches? How often do you review the patch Risk Matrix? When was the last time auditors evaluated your coding practices?

4 What does a data breach cost?
Cost per stolen record $154 Cost of the breach $3.79 million 23% increase in total cost of since 2013 12% percent increase in per capita cost since 2013 Likelihood of a breach 22% 2015 Cost of Data Breach Study: Global Analysis

5 Java Vulnerabilities timeline
Historically near the top of the list with a slight lull in 2014 2015 – Java back on most wanted list

6 NATO hacked by Russian Pawn Storm hackers
CVE and CVE patches addressed click to play and malware download vulnerabilities

7 OWASP Top 10 2013 Application Security Flaws
Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards

8 OWASP Austin Chapter Top 10 Project
Open Web Application Security Project (OWASP) Austin Chapter Top 10 Project

9 OWASP Java Resources

10 Coding Guidelines Oracle SEI CERT Oracle Coding Standard for Java
Secure Coding Guidelines Java Security Resource Center SEI CERT Oracle Coding Standard for Java

11 Standards National Vulnerability Database Common Vulnerability Scoring System [CVSS] PCI SSC Data Security Standards Overview Requirement 6: Develop and maintain secure systems and applications

12 Books - Slightly dated Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs CERT Oracle Secure Coding Standard for Java Authors of both books: Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

13 Training & Certification
SANS DEV541: Secure Coding in Java/JEE: Developing Defensible Applications GIAC Secure Software Programmer-Java (GSSP-JAVA)

14 About Our Agents Focused on reporting, events, and notifications
Collect critical information needed to ensure that Java applications are running efficiently and securely Architected to be run stand-alone or be easily integrated into existing infrastructure Focused on reporting, events, and notifications Run as an embedded agent within the Java runtime Most can be run on-demand – only when needed

15 Security Analyzer Product Highlights
Capture all Java security exceptions Identify application configuration risks, compliance and changes Track permission use and admin activity Integrates with existing SIEM Runtime Application Self Protection (RASP) Notification of security events Verify the security of 3rd party or outsourced code and applications

16 Agent Overview Agent Description Active/On-Demand Socket Analyzer
Monitor network endpoints for activity, performance, errors Active Security Analyzer Detect and log all security exceptions and extend native Java security End User Experience Monitors front end page load times and measures application server responsiveness and availability Response Analyzer Discover commonly used code paths and stall points that can cause Java application performance issues On-Demand Quality Analyzer Catch all runtime exceptions and report on Java application quality Memory Detective Monitor and alert on JVM memory use and leaks Health Monitor Monitor overall runtime health to easily diagnose performance issues Lock Detective Find and report on application lock contention issues Log Notification Engine Configure notifications for Java application server log errors Agent Manager Manage Java agents

17 Call to action Stay informed
Log vulnerabilities (security defects) in your bug tracking system Consider certification Spread the word Other developers Systems administrators Business teams

18

19

Download ppt "Securing Java Applications"

Similar presentations

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Making the Campus Web Safer: One application at a time Diane Gierisch, Senior Systems Analyst PJ Abrams, CISSP, Senior Systems Analyst Copyright The University.

Making the Campus Web Safer: One application at a time Diane Gierisch, Senior Systems Analyst PJ Abrams, CISSP, Senior Systems Analyst Copyright The University.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
Web Application Security

Web Application Security
Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.

Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
Applets & Servlets.

Applets & Servlets.
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google