Skip to main content

JavaOne Day 1: don´t be Pwned!

Posted by jjviana on October 4, 2011 at 12:14 AM PDT

There is one talk I would like to comment on today: "Don't Be Pwned: A Very Short Course on Secure Programming in Java".

This talk, presented by Robert Seacord  and Dean Sutherland from SEI/CERT, was the scariest Java talk I have ever been to.

Do you believe the software you write is secure enough?  Believing it or not, I suggest you take some time to read through the CERT Oracle Secure Coding Standard for Java. It is a guide prepared by the guys at CERT that describe the main concerns you should have when writing secure code in Java. Or to put it in another way, it describes the many ways you are probably writing insecure code right now.

I never imagined how dangerous class inheritance can be in bypassing security managers, or how simple it is to crash most JVM versions by feeding them specially crafted floating-point numbers. Even if you don´t memorize all the guide rules, reading it is definitely an eye opener.

This will be required literature for all my team members and students from now on.