Securing and Exploiting Java Applications


Details
OpenJDK 17 makes the interesting decision that deprecating a security feature (the SecurityManager) can actually improve the security of the platform and the applications running on it. JEP 411 sets out a path to remove a feature that has seen little use and has blocked few real-world exploits.
By understanding how modern Java applications are attacked, teams can place the right defense in the right location. This talk analyzes exploits used in the wild against several Java applications and lays out the defenses that keep such applications from being breached, both to mitigate those threats directly and to reduce the time spent on internal security audits.
We will lay out where the different defense and monitoring capabilities now live, including newer features such as serialization filters (JEP 290) and JDK Flight Recorder (JFR).
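As an added illustration of the serialization-filter defense mentioned above (this is example code written for this page, not code from the talk or from Contrast Security), the program below builds a JEP 290 allowlist filter, accepts the one class the hypothetical service expects, and rejects any other class before it is instantiated. The `Greeting` class, the `SerialFilterDemo` class and the `HashMap` standing in for an unexpected type are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Constructed example type: the only class this hypothetical service expects to read.
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

public class SerialFilterDemo {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads one object under the given filter. The filter is consulted for each class
    // in the stream before it is resolved or instantiated; a REJECTED status surfaces
    // as InvalidClassException, so no constructor, readObject or gadget code ever runs.
    static Object readWithFilter(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlist in JEP 290 pattern syntax: permit Greeting and String, cap the object
        // graph depth and stream size, and reject everything else. Without the trailing
        // "!*" an unlisted class is UNDECIDED, which ObjectInputStream treats as allowed.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "Greeting;java.lang.String;maxdepth=5;maxbytes=4096;!*");

        byte[] expected = serialize(new Greeting("hello"));
        Greeting g = (Greeting) readWithFilter(expected, allowlist);
        System.out.println("accepted: " + g.text);

        // Constructed stand-in for an attacker-chosen type: a HashMap is harmless on its
        // own, but it is not on the allowlist, so the filter rejects it up front, which is
        // exactly what stops a gadget chain that starts from an unexpected class.
        Map<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] hostile = serialize(unexpected);
        try {
            readWithFilter(hostile, allowlist);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java SerialFilterDemo.java` on JDK 11 or later. The same pattern string can be applied process-wide without code changes via `-Djdk.serialFilter=...`, and JDK 17 additionally lets you install a filter factory with `ObjectInputFilter.Config.setSerialFilterFactory` (JEP 415) to choose a filter per stream; JDK 17 also records a `jdk.Deserialization` event in JDK Flight Recorder, which is how the monitoring side of this defense can be observed.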
Speakers
Erik Costlow is a Java-focused software security professional, handling developer relations for Contrast Security, as well as news reporting on InfoQ and the FooJay podcast. Contrast weaves sensors into applications, giving them the ability to detect security threats based on how the application uses its data. Erik was the principal product manager at Oracle focused on the security of Java 8, joining at the height of the hacks and departing after a two-year absence of zero-day vulnerabilities. During that time, he learned the details of Java at both a corporate/commercial and a community level. He has also published several developer courses through Packt Publishing on data analysis, statistics, and cryptography.