[2022 javaone] Secure Coding Guidelines for Java SE

Speaker: Chris Ries

For more see the table of contents

Vulnerabilities and Secure Coding

  • “A flaw or weakness … that could be exploited to violated the system’s security policy” RFC 4949
  • Cost – remediation, immediate response (mitigation, detection, incident response, intermediate state while fix), reputation effect

Lifecycle

  • Design – Threat modeling, misuse cases
  • Implementation – , code review, static analysis
  • Integration/test – , dependency checkers, static analysis, runtime testing
  • Deployment/release (ex: missing third party patches) – vulnerability scanning, monitoring (ex: web application firewalls), dependency patching, vulnerability remediation

Resources

Scope of Oracle’s doc

  • General secure coding guidelines
  • Unique/especially relevant to Java
  • Not a comprehensive guide
  • Software security not security software
  • Read once and then use as a reference
  • Each section has a name and each item has a numbered key

Privileges and trust boundaries

  • FUNDAMENTALS-3 – Restrict privileges – app level isolation, separate services, lower level mechanisms (ex: containers, OS level restrictions)
  • FUNDAMENTALS-4 – Establish trust boundaries – identify interactions with untrusted datacode/users, apply security mechanisms, reduce attack surface

Secure third party code

  • FUNDAMENTALS-8 – Secure third-party code
  • Patching – apply patches, watch out for bundled/renamed code (shading), leverage automated tools
  • Best practices – understand model of libraries/frameworks, review config options
  • Tracking – check for updates/support, periodically review security “state of the art”

Denial of Service

  • DOS-4 – Robust errors/exception handling for services
  • Newest one
  • Exception causes – malformed input, logic errors, misconfiguration, environment failures, etc
  • can handle or propagate
  • Apps/libs may want to propagate. Long running systems may need to do more.
  • Define policy for when errors/exceptions reach bottom of call stack – ok to have general catch. Could discard current work, log/cleanup and continue. Rare to have to exit and restart

Injection and inclusion

  • Covers more common vulnerabilities – ex: SQL injection, XML processing
  • Prefer trusted library rather than rolling your own.

Input Validation

  • INPUT-1 – Validate inputs – avoid using untrusted input or validate. Validate early to avoid exposure. Validate immediately prior to use
  • INPUT-4 – Verify API behavior related to input validation – very thru docs/testing. Use created/returned object vs original input. Do additional validation as needed

Deserialization

  • Avoid deserializing untrusted data if at all possible
  • SERIAL-6 – Filter untrusted serial data
  • jdk.serialFilter – can specify class/packages with default deny.
  • Can set resource limits.
  • Alternatively, can setObjectInputFilter() on ObjectInputStream instance

Log4Shell

  • JNDI injection vulnerability
  • Untrusted lookup -> malicious server -> info disclosure, denial of service/remote code execution
  • INJECT-8 – Avoid JNDI lookups using untrusted data or follow measures in guidance
  • FUNDAMENTALS-3 – Restrict privileges. Minimize impact of compromises from zero days
  • FUNDAMENTALS-8 – Secure 3rd party code – Log4J often bundled/renamed, challenge to find vulnerable instances
  • FUNDAMENTALS-4 – Establish trust boundaries – where does untrusted data enter, what APIs does it reach
  • INPUT-1 – Validate inputs – avoid untrusted data or escape/encode/filter. Potentially useful for logged data

My take

This session was during the networking event and the live band was clearly audible. The walls were good as the noise went up greatly when the door opened. Still, I wish sessions weren’t at the same time. Props to the speaker for ignoring the band and the AV guy for managing the speaker

We got to the Oracle Secure Coding Guidelines at minute 15. I thought the whole session would be about this so was surprised there was so much intro. I tried reading the guide last year. Some parts are a tough read so it was nice to see a presentation. And I got to learn about setting filters on ObjectInputStream. The tie to Log4Shell was nice.

[2022 javaone] sequenced collections

Speaker: Stuart Marks

For more see the table of contents

General

  • New JEP; candidate state
  • JEP-431
  • Targeting Java 20

Encounter order

  • HashSet does not have. Order depends on hashcode
  • Encounter order is insertion order ArrayList, ArrayDeque, LinkedHashSet
  • Encounter order is sort order – TreeSet

First and last elements

  • get(0), getFirst(), first()
  • list.get(list.size()-1), getLast(), last()

Iterating and streaming, forward and reverse

  • Iterating – forEach loop – code same for all types to iterate forward
  • Iterable tied to forward iteration
  • Reverse varies – listIterator(), descendingIterator(), Collections.reverse(), descendingSet()
  • Streams use forward iteration as well
  • Streaming in reverse order needs spliterator as adapter to order

Sequenced Collection

  • Proposed
  • SequencedCollection – new subinterface of Collection.
  • Includes reversed(), addFirst(), addLast(), getFirst(), getLast(), removeFirst(), removeLast()
  • Also SequencedSet, SequencedCollections and SequencedSet
  • Includes default methods so doesn’t break existing code
  • New methods for sequenced map views

Covariant overrides of reversed()

  • Reverses
  • View of reversed list, but same list
  • Updating reversed view/original updates the other
  • Returns same interface you pass in

LinkedHashMap

  • Will be able to get reversed views, remove entry from end, etc
  • sequencedKeySet(), sequencedValues()
  • putFirst(), putLast() – unconditionally put mapping at end regardless of whether addition or replacement

My take

The talk started 15 minutes late due to AV issues. And people waited. That says a lot about people looking forward to this talk! The content was quick but understandable. I like that there was a lot of code shown and run in an IDE without spending time typing. Also, NetBeans which doesn’t show up in as many demos. Despite the late start, it didn’t feel rushed. Ended a few minutes late, but not as late as it started so seems like a win!

[2022 javaone] halloween tv – or why it might really be watching you back

Speaker: Steve Poole

For more see the table of contents

  • Doing Java 27 years
  • True story. Happened to multiple people
  • Company in the middle of nowhere
  • Smart tv with an ethernet port
  • Discover new wifi SSID
  • Look everywhere for the router, use scanners and eventually learn it is the TV
  • Asked supplier for instructions. Suppliers didn’t know had wifi either.
  • Asked manufacturers how to configure wikif. Manfufacturer says no wifi in tv
  • Take apart TV and discover ”system on a chip” with the wifi (had everything a computer needs like a raspberry pi)
  • However, wasn’t the system on a chip (SOC) that the manufacturer shipped. Manufacturer may not know because SOC has extra capabilities they turn off. In this case, manufacturer says isn’t theirs
  • Problem: open wiki, unsecured gateway
  • This SOC phones home. Every time turn on TV, get new wifi and sends geolocation info to an IP.
  • Anyone could ”drive by” and access the network. Can compromise other things on intranet

Implications

  • Lots of thigs plugged into typical network – ex: printer/scanner. Could send your data
  • We all know not to plug USB into computer. However, tiny charger can be compromised and send data
  • A lot are espionage tools. More prevalent now.
  • Software applications can be compromised too.
  • Poor supply chain management
  • If buy charging cable (vs data cable), know what it can do. Can’t tell by looking at it.

log4shell

  • Worst vulnerability ever
  • 33% log4j downloads from Maven Central
  • Look at scanning tools and see if can find all instances
  • 742% increase in vulnerabilities since last JavaOne. Actively trying to create log4j situation in open source

My take

Steve is a great speaker so I’m glad I got to see this. It was poorly attended. Possibly becuse of the location (on the exhibit floor) or possibly becuase people though the stage was all vendors. Granted this is a vendor talk too. But it took more than half of the talk to even allude to something that relates to Sonatype and that’s if you know what they do. Only the last two minutes was a direct tie (and even then didn’t mention their products by name)