OWASP A9 – Using Insight/CLM for CodeRanch

This week at CodeRanch we have a promotion for Iron Clad Java. Before the promo, I wanted to make sure we didn’t have anything embarrassing going on. We had already dealt with XSS, CSRF, Clickjacking and brute force logins. As I looked through the OWASP Top 10, I realized that I had no idea how we were doing on A9 “Using Components with Known Vulnerabilities”.

I saw that Sonatype provides a free Insight scan. I did that and got a nice summary:

High level summary

The high points of the summary are that:

  1. We use 58 libraries
  2. No high known security vulnerabilities in the libraries we use!
  3. Need to look into the details for the license “issues” since we are non-commercial.

Details

I then clicked on the other tabs and got a sample report. That’s the line where free lives. Since CodeRanch doesn’t have a budget, I asked the vendor for a free credit to see the report and they graciously agreed.

I then learned:

  1. All four of our security “issues” were in commons-httpclient. This library isn’t used anywhere in the codebase or in unit tests. I checked the description of the issue and we don’t use that part of the library. So clean! I’m impressed that a completely volunteer-run site came out clean. Good job to all the mods who update the jars!
  2. The license part showed a variety of licenses. For example dom4j and hibernate-core came up. The licenses would be more useful if we were a company and owned the product/could configure it ourselves.
  3. It was cool seeing the ages of the components we use. And which ones are exact matches vs similar. (I’m sure we didn’t edit hibernate-core!)

This report would clearly be more useful for a large company. More applications and more people who work on them make it harder to know what is going on. Still, I’m glad I didn’t have to check 50+ libraries by hand.
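The hosted scan above does two things the post does not spell out: it identifies each jar (a Maven group/artifact/version, which is what the “exact match vs similar” column is about) and then compares that inventory against advisory data. The following Python script is an added example of that same idea, written for this page rather than taken from Sonatype or CodeRanch. It builds a few small jars in memory as constructed fixtures, reads the Maven coordinates from the `META-INF/maven/.../pom.properties` file that Maven-built jars carry, and matches them against a constructed advisory table (the `EXAMPLE-ADV-*` labels are placeholders, not real CVEs or real affected ranges).

```python
"""A9-style check: inventory jars by Maven coordinates and flag known-bad versions.
Added example with constructed data; not Sonatype's tool and not CodeRanch's code."""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed advisory table (placeholder data, NOT real CVEs): each entry is
# (groupId, artifactId, first fixed version, advisory label). A component is
# affected when its version is below the first fixed version.
ADVISORIES = [
    ("commons-httpclient", "commons-httpclient", "3.2", "EXAMPLE-ADV-001"),
    ("dom4j", "dom4j", "2.0", "EXAMPLE-ADV-002"),
]


@dataclass(frozen=True)
class Component:
    group_id: str
    artifact_id: str
    version: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1', '4.3.8.Final' or '1.6.1-SNAPSHOT' into a tuple of ints.
    Qualifiers after the numeric part are ignored; enough for this check."""
    parts: List[int] = []
    for piece in version.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_below(version: str, fixed: str) -> bool:
    """True when `version` sorts before `fixed`; '3' and '3.0' compare equal."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def read_component(jar_bytes: bytes) -> Optional[Component]:
    """Read Maven coordinates from META-INF/maven/<g>/<a>/pom.properties, if present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props: Dict[str, str] = {}
            for line in jar.read(name).decode("utf-8").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                return Component(props["groupId"], props["artifactId"], props["version"])
    return None  # no Maven metadata: the scanner cannot identify this jar


def find_advisories(component: Component) -> List[str]:
    return [label for g, a, fixed, label in ADVISORIES
            if g == component.group_id and a == component.artifact_id
            and is_below(component.version, fixed)]


def scan(jars: Dict[str, bytes]) -> Dict[str, dict]:
    """Per-jar result: identified coordinates (or None) and matching advisory labels."""
    report = {}
    for filename, data in jars.items():
        comp = read_component(data)
        report[filename] = {
            "component": comp,
            "identified": comp is not None,
            "advisories": find_advisories(comp) if comp else [],
        }
    return report


def summarize(report: Dict[str, dict]) -> Dict[str, int]:
    return {
        "libraries": len(report),
        "identified": sum(1 for r in report.values() if r["identified"]),
        "flagged": sum(1 for r in report.values() if r["advisories"]),
    }


def make_jar(component: Optional[Component]) -> bytes:
    """Build a tiny jar in memory (constructed fixture). None -> no Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Placeholder.class", b"")
        if component is not None:
            path = f"META-INF/maven/{component.group_id}/{component.artifact_id}/pom.properties"
            jar.writestr(path, f"# generated by Maven\nversion={component.version}\n"
                               f"groupId={component.group_id}\nartifactId={component.artifact_id}\n")
    return buf.getvalue()


# Constructed sample inventory, modelled on the library names the post mentions.
SAMPLE_JARS = {
    "commons-httpclient-3.1.jar": make_jar(Component("commons-httpclient", "commons-httpclient", "3.1")),
    "hibernate-core-4.3.8.Final.jar": make_jar(Component("org.hibernate", "hibernate-core", "4.3.8.Final")),
    "dom4j-1.6.1.jar": make_jar(Component("dom4j", "dom4j", "1.6.1")),
    "mystery.jar": make_jar(None),
}

if __name__ == "__main__":
    result = scan(SAMPLE_JARS)
    for filename, entry in result.items():
        print(filename, entry["component"], entry["advisories"])
    print(summarize(result))
```

Two caveats match the post's own findings. A jar without Maven metadata (`mystery.jar`) comes back unidentified, which is where a commercial scanner's fingerprinting of “similar” components earns its keep; and a match only says the version is affected, not that the vulnerable code is reachable, so the manual step the post describes for commons-httpclient (checking whether the codebase actually uses that part of the library) still has to happen.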

Disclaimer: I received free access to the detailed report in exchange for writing this review.


jeanne’s oca/ocajp 8 java programmer I experiences

Two years ago, I took the OCA/OCAJP 7 Java programmer I exam and wrote about my experiences. I took the exam this time as part of writing the Java OCA 8 Programmer I Study Guide.

What’s new in version 8?

As you can see from the OCA/Java SE 8 Programmer I official exam page, most of the objectives are the same on OCA 7 and OCA 8. There is a mapping by objective title/number on CodeRanch. The new topics were:

  • Running from the command line
  • Compare and contrast the features and components of Java such as: platform independence, object orientation, encapsulation, etc.
  • Wrapper classes
  • Lambdas/predicates
  • Java 8 date/time classes

How did I study?

As I got a 98% on the previous version of the exam, I didn’t really need to study. [edit: I got a 91% on the OCAJP 8 and a perfect score on all the new Java 8 topics]. It was more of a review. Plus writing a book on the topic really gets you ready. I “studied” by doing all of our review and practice exam questions within a week of the test. This also served as a nice sanity check that the questions we wrote prior to taking the beta were decently in sync. (It’s interesting when writing a cert book that you are writing the questions without seeing the exam. This is good as it prevents accidentally mirroring the questions of the moment in the book. As Oracle changes questions over time, it is better to be learning the topics/tricks from a book and improving your skills/test taking ability.)

To learn Java 8 in the first place, I read two books:

Oracle has some tutorials:

I also wrote a bunch of practice code. And wrote lots of lambda expressions in other languages.

Test Day

  • The exam software claimed that if you pressed the control key, it would cross out an answer so you could remember which ones you eliminated. That’s a good idea. Unfortunately, pressing the control key did absolutely nothing and clicking merely selected an answer I wanted to rule out as correct. I hope they fix this as it is a nice feature.
  • When I took the OCA 7, I had all the time in the world. On this exam, I had enough time to do the questions, but not enough to review them all. The beta gives you just over a minute per question. The real exam gives more time.
  • I went back to my usual exam center. They gave me an “erasable notebook” with 9 pages and an eraser. This meant I could write as much as I wanted. I probably filled about 4 pages as I went. It’s not the same as the paper/pen they used to give, but is perfectly sufficient.

time warner cable – different person, different problem?

I haven’t had a problem that was maddening when dealing with Time Warner since 2010. It’s that time again.

Background

My cable/DVR box has slowly been getting worse for a while:

  1. freezing periodically for a few seconds
  2. saying there was 0% recorded (a reboot solved that, but it happened about once a month)
  3. turning off and not recording with a reboot. Then after the reboot it would start recording the middle of a show as if it were a long standing agreement

As I had shows I wanted to watch on the DVR, I chose to live with the first two problems. The third one is core functionality of a DVR, so I had to deal with it and get a different DVR.

Saturday

I went to the Time Warner store. I returned the Scientific American box and was given a “new” Samsung box. And by “new” I mean a box that someone else returned, they presumably tested and then gave to me. Here’s what happened:

  1. I plugged in the box and it told me to call Time Warner to activate. I haven’t had to do that when trading boxes in the past, but ok. That’s reasonable. They activated the box and had me restart the box. I appeared to have TV.
  2. I went to “Free Primetime On Demand” and got a message to call Time Warner. The rep says she needs to check if it is on my plan. It is FREE primetime on demand. I’m pretty sure it is on everyone’s plan. (This is the station for network tv after it airs. Which I wanted to watch because my DVR wasn’t working last week when I tried to record them.) She eventually gets back to me and agrees I should have it. Guess what the solution was? Reboot the box. I imagine she did something at her end as well.
  3. A little later in the day, I found that cable stations would freeze after a few seconds of play. Network stations (over the air equivalents) played just fine. When I called Time Warner, she “runs a signal test” and tells me the problem is with the box and they can send a tech. If the problem is with the box, I can go to the store and trade boxes again. I don’t need to wait for a tech. When I complain I don’t want to wait for a tech, she tells me it won’t come until Tuesday if they mail a box. I don’t want them to mail the box. I then tried rebooting again.
  4. Provisioning – H/E error – We never got to the bottom of this one although it sounds like an issue with the box. (I also had noCP, but that was when I had the box plugged in wrong.) The tech “ran a signal test.” The tech claimed the provisioning error was because it was a used box and it was downloading updates. At 6:30pm, the rep says she will call me back at 8:30pm to follow up.
  5. She calls at just before 11pm. That’s late to be calling someone. What if I had children who were sleeping? At 11pm, she “ran a signal test” and told me the problem was with the box.

Sunday

Back to the Time Warner store. The rep lives near me and asked if there was construction nearby. There was. He then runs a signal test and tells me there is a problem with the signal. As I had spoken to several people the previous day who “ran a signal test”, I was suspicious. He shows me a red screen. However, the cable box was in my hand rather than plugged in at home, so still suspicious. He tells me that they need to send a tech to check/fix the signal. Sigh. I give up. Fine. I’ll arrange to be home for a tech to come.

Monday

I had an appointment for between 3 and 4pm. That gave me time to work for half a day in the office and telecommute the rest of the day. I got home around 2pm. I have two messages on my cell phone voicemail and one on my home phone. Two messages say that if I don’t pick up, my appointment will be cancelled. The last says my appointment is confirmed and the tech will call before coming up. Weird.

Since I had time, I decided to go buy lunch. I get back at 2:15pm. At 2:21pm, the tech arrives. That’s not between 3 and 4. What if I wasn’t home? Would I have missed my appointment?

The tech said the problem was the box. (No kidding, this was apparent on Saturday.) He installed a new box. A brand new box. This time a Cisco one. Which requires over 40 minutes of software downloads before it starts. Which their tech had to be here for. So he got paid to watch videos on my couch for almost an hour. This isn’t his fault. The tech did a great job. He was helpful and polite. Just not necessary. I am perfectly capable of plugging in a box and waiting for an hour.