We are happy and proud to announce our first IN PERSON meetup of 2023 with three awesome speakers. The meetup will be hosted by Blue4IT.
Please join us and RSVP!
Because of the limited number of seats, please keep your RSVP up to date, so we can welcome someone else if you can't make it.
17:30 Doors open
18:00 Food & Drinks
19:00 Engineer your Engineering Tools and Boost your Productivity! by Guus de Wit and Martin Kanters
20:15 Deserialization exploits in Java: why should I care? by Brian Vermeer
1 JetBrains license
1 print copy of The Definitive Guide to Security in Jakarta EE
Engineer your Engineering Tools and Boost your Productivity!
As developers, we like to code. However, we often have to context-switch between many tools (Git servers, CI/CD systems, issue trackers, etc.) causing us to lose focus. To circumvent this, we create many shortcuts, aliases, scripts and use third-party plugins. Unfortunately, these only "work on your machine" and everybody reinvents the wheel.
At Rabobank, we wanted to take this to the next level, and consider our development tooling as production software. We improved developer happiness and efficiency by making an application that integrates with these tools using Kotlin, Quarkus, PicoCLI and GraalVM. In this talk, we will show you how we use these technologies and how we successfully pitched our side project to business and upgraded it into an actual product.
Deserialization exploits in Java: why should I care?
Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates this security vulnerability. This problem is also not restricted to Java’s custom serialization framework. When deserializing JSON, XML, or YAML, similar issues can occur as well. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. Next, I will show that deserializing XML, JSON, and YAML can also get you into trouble. And of course, we had the recent Log4j problems with deserialization. Many different problems can occur when deserializing data, and in this session I will use several demos to illustrate various security issues. How do you avoid these issues? I will give you some pointers on how to mitigate these problems in your own applications, including new features in Java 17. At the end of this session, you will have an understanding of the problem space and be able to take action in your code to prevent it.
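As an added illustration of the mitigation side of this abstract (example code written for this listing, not material from the talk or from the speaker), the block below contrasts an unfiltered ObjectInputStream.readObject() with the same call guarded by a serialization filter, and then installs the JVM-wide filter factory that Java 17 added (JEP 415) so that streams opened by third-party code are covered too. The application package com.example.app is a hypothetical placeholder; the two payloads are constructed in main() purely to show one allow-listed type being accepted and one non-listed type being rejected.

```java
import java.io.*;
import java.util.*;
import java.util.function.BinaryOperator;

public final class SafeDeserialization {

    // Allow-list filter: only the (hypothetical) application's own serializable types plus
    // the few JDK types they contain are accepted; "!*" rejects every other class.
    // The max* limits bound graph depth, array sizes and stream size before a single
    // object is instantiated, which blunts resource-exhaustion payloads.
    private static final ObjectInputFilter APP_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxbytes=65536;"
          + "com.example.app.*;java.lang.String;java.lang.Number;java.lang.Integer;"
          + "java.lang.Long;java.util.ArrayList;!*");

    /** Unfiltered: any serializable class on the classpath may be instantiated during readObject(). */
    public static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Filtered: the per-stream allow-list is installed before the first readObject(). */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(APP_FILTER);
            return in.readObject();  // InvalidClassException if the filter rejects a class
        }
    }

    /**
     * Java 17 (JEP 415): a JVM-wide filter factory is consulted whenever an ObjectInputStream
     * is created or a stream-specific filter is set, so streams opened by libraries that never
     * call setObjectInputFilter are filtered as well. The factory may be installed only once.
     */
    public static void installGlobalFilterFactory() {
        BinaryOperator<ObjectInputFilter> factory = (current, next) -> {
            // merge(): REJECTED wins, so a stream-specific filter can narrow but never widen APP_FILTER.
            ObjectInputFilter merged = (next == null) ? APP_FILTER : ObjectInputFilter.merge(next, APP_FILTER);
            // Any class that no filter explicitly allowed is rejected rather than silently accepted.
            return ObjectInputFilter.rejectUndecidedClass(merged);
        };
        ObjectInputFilter.Config.setSerialFilterFactory(factory);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: an allow-listed type and a type outside the allow-list.
        byte[] allowed = serialize(new ArrayList<>(List.of("alice", "bob")));
        byte[] notListed = serialize(new HashMap<>(Map.of("key", "value")));

        System.out.println("filtered, allow-listed type: " + readFiltered(allowed));
        try {
            readFiltered(notListed);
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage());
        }

        installGlobalFilterFactory();
        try {
            readUnfiltered(notListed);  // now rejected even though this stream set no filter
        } catch (InvalidClassException e) {
            System.out.println("global factory rejected: " + e.getMessage());
        }
    }
}
```

Allow-listing is the safer default because a deny-list has to anticipate every gadget class an attacker might find on the classpath, whereas an allow-list only has to name the handful of types the application legitimately expects. The factory form matters in practice because deserialization is often triggered inside frameworks and libraries, not in code the application team wrote.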
Guus de Wit
Guus is a Java/Kotlin developer at Blue4IT. With a passion for puzzles and a background in science, he strives for elegant solutions to complex problems. In his spare time, he likes to over-optimize the simple tasks of today, to hopefully live a lazier life tomorrow.
Martin Kanters
Martin is a Java/Kotlin Developer at JPoint and Apache Maven committer. Working together in teams on complex applications keeps him going to work every morning with a big smile. He gets a lot of energy from sharing the knowledge he learns during the job. After work hours he can often be found playing the piano, either at home or at jam sessions.
Brian Vermeer
Brian Vermeer is a Staff Developer Advocate for Snyk, Java Champion, and Software Engineer with over a decade of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is a JUG leader for the Virtual JUG and the NLJUG. He also co-leads the DevSecCon community and is a community manager for Foojay. He is a regular international speaker at mostly Java-related conferences like JavaOne, Devnexus, Devoxx, Jfokus, JavaZone and many more. Besides all that, Brian is a military reservist for the Royal Netherlands Air Force and a Taekwondo Master / Teacher.