Java, Secure Development and other IT related Thoughts

  • Security in the build pipeline

    I’ve already blogged about OWASP Dependency Check or its alternative SourceClear in the past. But there is more you can do about security in a typical (Jenkins) build. Although I’m calling this post “Security in the build pipeline” I’m not actually using the Jenkins pipeline as code feature. Security scans are independent of that, so…

  • SRC:CLR revisited

    I was approached by SourceClear a little while ago to have another look at their dependency vulnerability scanner after my first blog post on their service. Since I already liked the tool before, I was quite interested to see what they have changed and was happy to do another test. The test setup partly changed:…

  • Finding vulnerabilities in third party libraries

    I’ve already blogged about OWASP Dependency Check as a Jenkins plug-in a little while ago. With SRC:CLR, a new web based alternative might be available. To use it, simply register via GitHub login and follow the installation instructions for your operating system. After installation, execute a scan via command line: srcclr scan –url https://github.com/dschadow/JavaSecurity.git The…

  • JavaOne 2015 Retrospective

    Thanks to bridgingIT – the great company I’m working for – I was able to attend my third JavaOne conference in San Francisco this year, including the presentation of two of my own talks: A well attended The Web Application Strikes back on Monday and an almost packed room for Java Web Security Antipatterns on…

  • JavaOne 2015 Session Information

    In case you will attend JavaOne in San Francisco end of October… Session scheduler is just around the corner, my two sessions are scheduled for the following dates and locations: Session Type: Conference Session Session ID: CON2022 Session Title: The Web Application Strikes Back Venue / Room: Hilton – Plaza Room B Date and Time:…

  • Using OWASP Dependency Check as Jenkins plugin

    OWASP Dependency Check is a great tool to check your third party dependencies in Java (web) applications. Besides using it as command line tool, Maven plugin or Ant task, you should integrate it all your Jenkins build jobs. One downside is that as default, every build job downloads and regularly updates its own National Vulnerability…

  • Free web application vulnerability scanner for Eclipse

    Contrast released Contrast for Eclipse 1.0 already a little while ago. The Eclipse plug-in works as a runtime security scanner and checks for security vulnerabilities in your web application while executing it in Eclipse. Promised by Contrast on Eclipse Marketplace is an Automated detection of OWASP Top 10 vulnerabilities. This is the first free tool…

  • JavaOne 2014 retrospective

    JavaOne 2014 is over, and it has been a fantastic experience! Better than my first attendance 2012. Most sessions had a higher quality, JavaHub was fantastic (I just love the Nao robot), enjoyed Geek Bike Ride and met a lot of new and interesting Java developers. The only mixed feelings I have are about both…

  • Using security response headers with WordPress

    I’ve added several security headers to my blog today. The first part was easy: I’ve created a .htaccess file in my blog’s root directory with the following content: Header set X-XSS-Protection “1; mode=block” Header set X-Frame-Options DENY Header set X-Content-Type-Options “nosniff” Header set Strict-Transport-Security “max-age=31556926” Header set Cache-Control “no-store, no-cache, must-revalidate” Only one header was…

  • Keep Your X-Frame-Options header a little while longer

    So Mozilla has decided to deprecate the X-Frame-Options header to avoid clickjacking or UI redressing attacks (have a look in the page history, the first version used a much stronger language). This header was never standardized (as the leading X indicates), but is supported in all browsers (yes, in ALL browsers, with the exception of…