Security Resources

I have been asked many times for various information on Java and security in general.  How do I find information about Oracle security patches for Java?  How can I receive proactive notification of security patches? What sources of security news and information do you follow?  These questions and so many more have been answered online.

The following are a few more important Java resources related to security you will find helpful.  Click the area of interest or scroll down the page.

Security Links, various sites of interest readers will find helpful

News Feeds, RSS feeds to security news resources

Tools, security tools to exercise your Ninja skills.



Security Links

Java Version History (http://en.wikipedia.org/wiki/Java_version_history)
Brief release history for Oracle's Java implementation.  By no means comprehensive, but releases, dates, and a few related comments for each are provided.

Oracle Security Resource Center (http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html)
The Java Platform Group provides a single landing page, the Security Resource Center, you can use as a launch point to find important Java security resources.  Oracle has a lot of information online, so it's a resource for locating the most important information on Java security quickly.  Some of the links on this page can also be discovered by navigating the resource center.

Oracle Java Platform Group, Product Management Blog (https://blogs.oracle.com/java-platform-group/)
Oracle Java PM has a blog online.  The blog is a source of official information for all of Java platform PM, which also includes news about Java platform security.  The blog is a good resource for content highlighting key platform security features, roadmap, best practices, pitfalls, etc.  We try hard to deliver relevant and timely security advice.

Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin (http://www.oracle.com/technetwork/topics/security/alerts-086861.html)
This site provides the official news around Oracle Critical Patch Updates (CPU), which are Oracle's regular security patches.  The site also provides news about Security Alerts, which are Oracle's security hot fixes.  The CPU schedule is published to the public a year in advance.  Security Alerts are issued as necessary.  The page provides an RSS feed for proactive notification.

Oracle Security Assurance Blog (https://blogs.oracle.com/security/)
The Java team works closely with Security Assurance staff to communicate any news necessary beyond the standard release notes for security patches and alerts.  The post "Maintaining the security-worthiness of Java is Oracle's priority" is a good example of the type of news communicated on this site.  Often the Security Assurance blog follows with a post after CPUs or Security Alerts.  Many find the combination of the technical CPU and Alert bulletins along with the easier-to-read background information from Security Assurance posts complementary.

Java Security for Consumers (http://www.java.com/en/security/)
The security site for consumers is easily located from the java.com landing page by navigating to Help | Security.  This resource is helpful to the general public, but particularly to those using Java in web browsers.  Various information is provided to help describe Java technology, actions to improve security posture, tools to remove Java or identify the installed version, etc.

Secure Coding Guidelines for the Java Programming Language, Version 4.0 (http://www.oracle.com/technetwork/java/seccodeguide-139067.html)
These are the coding measures developers should understand and apply as they write Java programs.  Often people want to know what actions they should take to improve security in their programs.  The secure coding guidelines are a good place to start.

Java Applet & Web Start - Code Signing (http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html)
This is not a site but an article providing the background behind the Java changes encouraging code signing.  Incidentally, the PM blog provides more information around code signing.  Of course, all this documentation complements the technical documentation provided with each release.

JavaOne 2013 SFO (Securing Java Track)
Due to interest we added a security track to Oracle's flagship Java conference in San Francisco.  It's always best to attend in person, but if budgets are tight the media team posts the media (slides/video) after the event.  I find the media valuable even for attendees, since I often miss sessions due to several being scheduled in the same time slot, discussions with project leaders, partners/customers, etc.  It's a great resource to explore.

CIS Security Benchmarks (http://benchmarks.cisecurity.org/)
CIS security benchmarks, also known as hardening guides, are available for various popular system components like operating systems, web browsers, and application servers.  If you're not a security wingnut you would be surprised at the number of steps needed to secure an operating system or application server.  Miss any step and you have left a door open for adversaries to exploit or exfiltrate system data.  Take advantage of all the free resources you have available to you.  Also, I noticed UC Berkeley Security provides some links to additional resources (interestingly, some backlink to CIS).

Online Web Application Security Project (OWASP) (https://www.owasp.org/)
OWASP is an open project for all things related to application security.  I have covered OWASP in my blog before so I will not deep-dive, but if you're looking for additional information about securing web applications I recommend checking them out.  OWASP also hosts security conferences, which I would really recommend attending.

EFF: Secure Messaging Scorecard (https://www.eff.org/secure-messaging-scorecard)
Which apps and tools actually keep your messages safe?

EFF: Surveillance Self-Defense (https://ssd.eff.org/)
Basic tips to protect yourself from undesirable intrusion.

News Feeds (Twitter/RSS)

The following are some of the news feeds I follow at the moment; the list is always subject to change.  Everyone consumes information differently.  I like to use Twitter to follow my friends online.  I find listening to security pros argue or comment on relevant issues is a great learning tool.  I monitor news via an RSS reader called NetNewsWire on Mac.  The advantage for me is that my Twitter feed stays tightly limited to friends.  I don't miss as many details anymore.  Using NetNewsWire I can push through several hundred news articles a day.  Having all my news and friends on Twitter was simply overwhelming me with too much information.  I will share a few security RSS feeds I find helpful.

Twitter Followers (see who I follow on my Twitter account)
@spoofzu

RSS Feeds (not in order of importance)
CERT Advisories
CERT Podcast
US CERT Alerts
US CERT Current Activity
The Darkside
EFF Deeplinks
Full Disclosure
Gmail Blog
Google Apps update alerts
Google Online Security Blog
Google Public Policy Blog
HITBSecNews
Krebs On Security
Oracle Security Alerts
Facebook
Schneier on Security
SecurityWeek
Slashdot
The Switch
theguardian.com (NSA news)
Ars Technica (Risk)
CSO Blogs

Security Tools

White Hat Security (Web Dynamic Analysis w/Support) - https://www.whitehatsec.com/
Free plug for White Hat, but they are hands down the best analysis solution in my opinion.  White Hat has probably changed some since I used their service, but they are more than a scanning tool.  White Hat backs their reports with technical support.  I can't tell you how many arguments I have had with their techs debating the details of their findings (and I usually lose).  The human touch is unique among vendors and sets White Hat apart.

Why No Padlock? (Web Dynamic Analysis) - http://www.whynopadlock.com/
Check your site for mixed-mode content.  Link via Twitter: @xxdesmus

Detectify (Web Dynamic Analysis) - https://detectify.com/
Cloud-based tool for ad hoc or scheduled analysis of web pages.  I have not tried it myself, but it looks interesting so I thought I would include it.

Qualys SSL/TLS (Web Dynamic Analysis) - https://www.ssllabs.com/ssltest/index.html
Test your organization's web server for proper SSL configuration and weaknesses like supported protocols, weak cipher suites, etc.

SSL Client Test (Web Browser Analysis) - https://www.ssllabs.com/ssltest/viewMyClient.html
Similar to the preceding server test, but intended for clients connecting to the Qualys test servers, like web browsers or web applications.  This tool is unique and provides a great view of your browser's capabilities.

SecTools - Security Tools List - http://sectools.org/
Monster list of security tools.

Norse IPViking Live (Threat Map) - http://map.ipviking.com/
Live threat intelligence map from Norse.  Screen shot on my blog post.

NSA Playset - http://www.nsaplayset.org/
Reverse-engineered tools from the NSA catalog disclosed to the public by NSA whistleblower Edward Snowden.

POODLE Test (SSLv3 Bug) - https://www.poodletest.com/
Some information about POODLE is in a previous blog post.  Instructions to disable SSLv3 in the Java JRE and JDK.
