[2022 javaone] fundamentals of diversity and inclusion for technologists

Speaker: Reza Rahman

For more see the table of contents

General

  • Not a lot of social capital on this topic
  • Word cloud type slide with quotes about things people say to be dismissive. ex: "I didn't mean it that way", "Your English is pretty good", "You are overreacting", "Who are you to criticize us"
  • At 67% of tech companies, less than 5% of employees are Black (includes Nigerians, not just African Americans). Asians exceed their population percentage in tech, but not in leadership
  • Women hold 25% of computing roles. 47% of the workforce is women. More leadership jobs than tech jobs
  • People put blinders on/tune out the bad stuff

Why care

  • Diverse perspectives – solving global scale problems (unless niche), pulse oximeter accuracy and skin color, underwriting stats
  • Broadening reach – want people to want to use your product, spectrum of life experiences
  • Untapped potential – most important when the labor market is tight, educate more people
  • Greater prosperity – avoid a zero sum mindset
  • Ethical imperative – perception about divisiveness in the US

Diversity

  • 80s mindset – African Americans and women
  • Encompasses a range of identities and visible/invisible differences – race, ethnicity, faith, socioeconomics, etc
  • Helps disarm conversation away from ”us vs them”

Inclusion

  • Intentionally creating an environment where diversity prospers and the common good prevails
  • Fair, respectful, supportive and empowering
  • Diversity is a fact, inclusion is an act
  • How people feel at work
  • Respected, listened to, accepted, valued, included, welcomed, safe

Discrimination

  • Prejudicial treatment
  • Recognition that this is wrong
  • Often intentional/consistent
  • Usually involves legally protected identities such as race/gender

Unconscious bias

  • Stereotypes/prejudices/preferences
  • Often unintentional
  • Advantages one set of people to the detriment of others
  • Hardly anyone lacks unconscious bias – need to recognize this (eg: negative associations)

Anti defamation league – pyramid of hate

  • Acts of bias
  • Prejudice
  • Discrimination
  • Bias-motivated violence
  • Genocide

Equality

  • Theoretical construct
  • Being truly equal – particularly with regards to resources and opportunities
  • Doesn’t happen because of privileges (unearned advantages)

Equity

  • State of fairness
  • Intentional remedy for the impacts of inequality and injustice
  • Cartoon with a slanted apple tree (inequality = fruit falls on one side; equality = same ladder for everyone, so one side still can't reach; equity = taller ladder for the side that needs it; justice = fix the tree so it is no longer slanted)

Covering

  • Deliberately downplaying part of identity to attempt to reduce effects of marginalization

Allyship

  • Informed, intentional and consistent practice to understand, empathize and support others with the objective of greater fairness, diversity and inclusion
  • Continuum – apathy, awareness, active advocate
  • Privately check on someone who had a questionable interaction
  • Don’t assume someone wants help
  • And so much more – see deck

My take

While it was a small audience (13 people), I’m glad this talk happened. Techies are unlikely to go to a whole event on this topic so one session represented a good opportunity. Reza noted that for some parts, the self-selecting audience didn’t need to hear it. While this is true, you never know which part stews in your head and becomes useful later.

[2022 javaone] Secure Coding Guidelines for Java SE

Speaker: Chris Ries

For more see the table of contents

Vulnerabilities and Secure Coding

  • “A flaw or weakness … that could be exploited to violate the system’s security policy” RFC 4949
  • Cost – remediation, immediate response (mitigation, detection, incident response, intermediate state while the fix is developed), reputation effect

Lifecycle

  • Design – Threat modeling, misuse cases
  • Implementation – code review, static analysis
  • Integration/test – dependency checkers, static analysis, runtime testing
  • Deployment/release (ex: missing third party patches) – vulnerability scanning, monitoring (ex: web application firewalls), dependency patching, vulnerability remediation

Resources

Scope of Oracle’s doc

  • General secure coding guidelines
  • Unique/especially relevant to Java
  • Not a comprehensive guide
  • Software security not security software
  • Read once and then use as a reference
  • Each section has a name and each item has a numbered key

Privileges and trust boundaries

  • FUNDAMENTALS-3 – Restrict privileges – app level isolation, separate services, lower level mechanisms (ex: containers, OS level restrictions)
  • FUNDAMENTALS-4 – Establish trust boundaries – identify interactions with untrusted data/code/users, apply security mechanisms, reduce attack surface

Secure third party code

  • FUNDAMENTALS-8 – Secure third-party code
  • Patching – apply patches, watch out for bundled/renamed code (shading), leverage automated tools
  • Best practices – understand model of libraries/frameworks, review config options
  • Tracking – check for updates/support, periodically review security “state of the art”

Denial of Service

  • DOS-4 – Robust errors/exception handling for services
  • Newest one
  • Exception causes – malformed input, logic errors, misconfiguration, environment failures, etc
  • Can handle or propagate
  • Apps/libs may want to propagate. Long running systems may need to do more.
  • Define a policy for when errors/exceptions reach the bottom of the call stack – ok to have a general catch there. Could discard the current unit of work, log/clean up and continue. Rare to have to exit and restart
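The bottom-of-stack policy above, as an added example (not code from the talk or from Oracle’s guide): a service loop that treats a failing request as a discarded unit of work and keeps going, while letting JVM Errors escape so a supervisor can restart the process. The handler, the request list and the 64-character log truncation are all constructed for the example.

```java
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example: DOS-4 style exception policy at the bottom of a service's call stack.
public class RequestLoop {
    private static final Logger LOG = Logger.getLogger(RequestLoop.class.getName());

    // Stand-in request handler (hypothetical): parses an integer and doubles it.
    // Malformed input surfaces as IllegalArgumentException/NumberFormatException,
    // i.e. an expected per-request failure rather than a service failure.
    static int handle(String request) {
        if (request == null || request.isBlank()) {
            throw new IllegalArgumentException("empty request");
        }
        return Math.multiplyExact(Integer.parseInt(request.trim()), 2);
    }

    // Policy: a bad request is logged and discarded, and the loop continues.
    // There is deliberately no catch (Throwable): an Error (OutOfMemoryError,
    // StackOverflowError, ...) leaves the JVM in an unknown state, so it propagates
    // out of serve() and the process is restarted by its supervisor.
    static int serve(List<String> requests) {
        int served = 0;
        for (String request : requests) {
            try {
                int result = handle(request);
                LOG.fine(() -> "handled request, result=" + result);
                served++;
            } catch (Exception e) {
                // Bound how much untrusted input reaches the log, so a flood of
                // oversized bad requests cannot turn logging into its own DoS.
                LOG.log(Level.WARNING, "discarding request after failure: " + truncate(request), e);
            }
        }
        return served;
    }

    // Keeps log lines short; the full length is recorded so nothing is silently lost.
    static String truncate(String s) {
        if (s == null) {
            return "null";
        }
        return s.length() <= 64 ? s : s.substring(0, 64) + "...(" + s.length() + " chars)";
    }

    public static void main(String[] args) {
        // Constructed sample input: two well-formed requests and two malformed ones.
        List<String> sample = List.of("21", "not-a-number", "", "7");
        int served = serve(sample);
        System.out.println("served " + served + " of " + sample.size() + " requests");
    }
}
```

The important design choice is which exceptions are caught at this level: checked and runtime exceptions from one request are recoverable by discarding that request, but Errors are not, which is why the catch is `Exception` and not `Throwable`.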

Injection and inclusion

  • Covers more common vulnerabilities – ex: SQL injection, XML processing
  • Prefer trusted library rather than rolling your own.

Input Validation

  • INPUT-1 – Validate inputs – avoid using untrusted input, or validate it. Validate early to avoid exposure. Validate immediately prior to use
  • INPUT-4 – Verify API behavior related to input validation – verify through docs/testing. Use the created/returned object rather than the original input. Do additional validation as needed
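As an added example of INPUT-1 and INPUT-4 (not code from the talk or from Oracle’s guide), the path-containment check below validates an untrusted file name immediately before use and returns the normalized `Path` object rather than the raw string, so callers cannot accidentally use the unvalidated input. The upload directory and the sample names are assumptions made for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.List;

// Added example: validate untrusted input right before use and hand back the validated object.
public class UploadPaths {
    // Hypothetical upload directory for this example.
    private static final Path BASE = Path.of("/srv/app/uploads").toAbsolutePath().normalize();

    // Returns the Path the caller must use. The raw name never leaves this method,
    // so "validated the string, then used a different string" bugs cannot creep in.
    static Path resolveUpload(String untrustedName) {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        Path candidate;
        try {
            // normalize() collapses "." and ".." so the containment check below
            // sees the real target, not the string the client sent.
            candidate = BASE.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            // e.g. an embedded NUL on Unix: a validation failure, not a crash.
            throw new IllegalArgumentException("malformed file name", e);
        }
        if (!candidate.startsWith(BASE) || candidate.equals(BASE)) {
            throw new IllegalArgumentException("file name escapes the upload directory");
        }
        // INPUT-4: return the object that was actually checked, not the input it came from.
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: benign, traversal, absolute path, nested traversal, dot segment.
        List<String> names = List.of("report.txt", "../etc/passwd", "/etc/passwd", "sub/../../x", "a/./b.txt");
        for (String name : names) {
            try {
                System.out.println(name + " -> " + resolveUpload(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

`normalize()` is purely lexical. If the upload directory may contain symlinks, resolve with `toRealPath()` (which touches the filesystem) before the `startsWith` check, or the check can be bypassed through a link that points outside `BASE`.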

Deserialization

  • Avoid deserializing untrusted data if at all possible
  • SERIAL-6 – Filter untrusted serial data
  • jdk.serialFilter – can specify classes/packages, with a default deny
  • Can set resource limits (depth, reference count, stream bytes, array size)
  • Alternatively, can call setObjectInputFilter() on an ObjectInputStream instance
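Putting SERIAL-6 into code, as an added example (not code from the talk or from Oracle’s guide): a per-stream `ObjectInputFilter` built from the same pattern syntax that `-Djdk.serialFilter` accepts, with an allowlist, resource limits and a trailing `!*` so anything not named is rejected. The `Order` record, the `Unexpected` class and the limit values are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: filtering untrusted serialized data on one ObjectInputStream.
public class FilteredDeserialization {
    // The one type this endpoint expects (assumed for the example).
    public record Order(String id, int quantity) implements Serializable {}

    // Any other Serializable class stands in for a gadget class an attacker would send.
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        int payload = 42;
    }

    // Same syntax as -Djdk.serialFilter: allow Order and its String field type,
    // cap nesting depth, object-graph size, stream size and array length, and
    // finally reject everything not explicitly allowed ("!*" = default deny).
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$Order;java.lang.String;"
            + "maxdepth=5;maxrefs=100;maxbytes=4096;maxarray=100;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // must be installed before readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an expected Order and an unexpected class.
        System.out.println("accepted: " + readFiltered(serialize(new Order("A-1", 3))));
        try {
            readFiltered(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before any instance is created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the trailing `!*`, a class that matches no pattern is left UNDECIDED and the stream still deserializes it, so the allowlist is only a deny-by-default allowlist when that final clause is present. The process-wide `jdk.serialFilter` property is the safety net for streams you do not control; the per-stream filter is the place to be strict about the one type an endpoint actually expects.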

Log4Shell

  • JNDI injection vulnerability
  • Untrusted lookup -> malicious server -> info disclosure, denial of service/remote code execution
  • INJECT-8 – Avoid JNDI lookups using untrusted data or follow measures in guidance
  • FUNDAMENTALS-3 – Restrict privileges. Minimize impact of compromises from zero days
  • FUNDAMENTALS-8 – Secure 3rd party code – Log4J often bundled/renamed, challenge to find vulnerable instances
  • FUNDAMENTALS-4 – Establish trust boundaries – where does untrusted data enter, what APIs does it reach
  • INPUT-1 – Validate inputs – avoid untrusted data or escape/encode/filter. Potentially useful for logged data

My take

This session was during the networking event and the live band was clearly audible. The walls were good as the noise went up greatly when the door opened. Still, I wish sessions weren’t at the same time. Props to the speaker for ignoring the band and the AV guy for managing the speaker.

We got to the Oracle Secure Coding Guidelines at minute 15. I thought the whole session would be about this so was surprised there was so much intro. I tried reading the guide last year. Some parts are a tough read so it was nice to see a presentation. And I got to learn about setting filters on ObjectInputStream. The tie to Log4Shell was nice.

[2022 javaone] sequenced collections

Speaker: Stuart Marks

For more see the table of contents

General

  • New JEP; candidate state
  • JEP-431
  • Targeting Java 20

Encounter order

  • HashSet does not have one. Order depends on hash code
  • Encounter order is insertion order – ArrayList, ArrayDeque, LinkedHashSet
  • Encounter order is sort order – TreeSet

First and last elements

  • get(0), getFirst(), first()
  • list.get(list.size()-1), getLast(), last()

Iterating and streaming, forward and reverse

  • Iterating – forEach loop – code same for all types to iterate forward
  • Iterable tied to forward iteration
  • Reverse varies – listIterator(), descendingIterator(), Collections.reverse(), descendingSet()
  • Streams use forward iteration as well
  • Streaming in reverse order requires adapting a reverse iterator through a Spliterator

Sequenced Collection

  • Proposed
  • SequencedCollection – new subinterface of Collection.
  • Includes reversed(), addFirst(), addLast(), getFirst(), getLast(), removeFirst(), removeLast()
  • Also SequencedSet and SequencedMap
  • Includes default methods so doesn’t break existing code
  • New methods for sequenced map views

Covariant overrides of reversed()

  • Returns the collection in reverse encounter order
  • A view of the reversed list, backed by the same list, not a copy
  • Updating either the reversed view or the original updates the other
  • Covariant: returns the same interface you call it on (List.reversed() returns a List, Deque.reversed() a Deque, etc)

LinkedHashMap

  • Will be able to get reversed views, remove entry from end, etc
  • sequencedKeySet(), sequencedValues()
  • putFirst(), putLast() – unconditionally put the mapping at the front/end, regardless of whether it is an addition or a replacement of an existing key
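The Sequenced Collection, reversed() and LinkedHashMap points above in running code, as an added example (not code from the talk). It uses the API as it shipped in JEP 431 in Java 21, so it needs a Java 21 or later JDK; the sample contents are constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.SequencedMap;
import java.util.TreeSet;

// Added example: JEP 431 sequenced collections as shipped in Java 21.
public class SequencedDemo {
    public static void main(String[] args) {
        List<String> list = new ArrayList<>(List.of("a", "b", "c"));
        System.out.println(list.getFirst() + " " + list.getLast());

        // reversed() is a live view, not a copy: same elements, opposite encounter order.
        List<String> rev = list.reversed();   // covariant: List.reversed() returns List
        System.out.println(rev);
        rev.addFirst("d");                    // first of the view is the last of the original
        System.out.println(list);

        // One iteration and one streaming idiom for reverse order, for any SequencedCollection.
        for (String s : list.reversed()) {
            System.out.print(s);
        }
        System.out.println();
        System.out.println(list.reversed().stream().map(String::toUpperCase).toList());

        Deque<Integer> deque = new ArrayDeque<>(List.of(1, 2, 3));
        Deque<Integer> revDeque = deque.reversed();   // still a Deque
        System.out.println(revDeque.peekFirst());

        // Sorted collections have an encounter order fixed by the comparator, so the
        // positional adds are rejected; getFirst/getLast and reversed() still work.
        TreeSet<Integer> sorted = new TreeSet<>(List.of(3, 1, 2));
        System.out.println(sorted.getFirst() + " " + sorted.getLast() + " " + sorted.reversed());
        try {
            sorted.addFirst(0);
        } catch (UnsupportedOperationException e) {
            System.out.println("addFirst on a SortedSet throws " + e.getClass().getSimpleName());
        }

        // LinkedHashMap through the SequencedMap interface.
        SequencedMap<String, Integer> map = new LinkedHashMap<>();
        map.put("x", 1);
        map.put("y", 2);
        map.put("z", 3);
        map.putFirst("y", 20);   // existing key: value replaced AND entry moved to the front
        map.putLast("w", 4);     // new key: appended at the end
        System.out.println(map);
        System.out.println(map.sequencedKeySet().reversed());
        System.out.println(map.lastEntry());
        map.pollLastEntry();     // remove the entry at the end
        System.out.println(map.reversed());
    }
}
```

Because the reversed views write through to the backing collection, a method that hands out `list.reversed()` is handing out mutation access to `list`; wrap it in `Collections.unmodifiableList` (or copy it) when that is not intended.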

My take

The talk started 15 minutes late due to AV issues. And people waited. That says a lot about people looking forward to this talk! The content was quick but understandable. I like that there was a lot of code shown and run in an IDE without spending time typing. Also, NetBeans which doesn’t show up in as many demos. Despite the late start, it didn’t feel rushed. Ended a few minutes late, but not as late as it started so seems like a win!