AppSec Resources

I have been asked many times for various kinds of information on Java and security in general. How do I find information about Oracle security patches for Java? How can I receive proactive notification of security patches? What sources of security news and information do you follow? These questions and many more have been answered online.

The following are a few more important Java resources related to security that you will find helpful. Click the area of interest or scroll down the page.

Security Links, various sites of interest readers will find helpful

News Feeds, RSS feeds to security news resources

Tools, security tools to exercise your Ninja skills.

Security Links

Mozilla Observatory
TLS/SSL scanning tool that assigns your website a letter grade, similar to the bellwether in the space, the Qualys Labs tool. More is better.

Let's Encrypt
Certificate Authority issuing digital certificates for your web server. Certificates are free and all certificates are CT logged.

Mozilla SSL Configuration Generator
Unsure about the best security hardening settings for your web server? Let Mozilla create a secure configuration for you.

CMU CERT Secure Coding Standards
Security coding awesomeness for Java.

600+ research papers and other resources on passwords and authentication.

Google Certificate Log Validator
Google Certificate Transparency log viewer, an accountability tool designed to identify CAs signing certificates for unauthorized domains, for example a rogue Google certificate created to capture your web email.

Wikipedia Security Portal
Area of Wikipedia dedicated to security topics.

Java Version History
Brief release history for Oracle's Java implementation. By no means comprehensive; releases, dates, and a few related comments for each are provided.

Launch4j
Cross-platform Java executable wrapper tool.

Oracle Security Resource Center
The Java Platform Group provides a single landing page, the Security Resource Center, that you can use as a launch point to find important Java security resources. Oracle has a lot of information online, so this is the place to locate the most important information on Java security quickly. Some of the links on this page can also be discovered by navigating the resource center.

Oracle Java Platform Group, Product Management Blog
Oracle Java PM has a blog online. The blog is a source of official information for all of Java platform PM, which also includes news about Java platform security. The blog is a good resource for content highlighting key platform security features, roadmap, best practices, pitfalls, etc. We try hard to deliver relevant and timely security advice.

Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin
This site provides the official news around Oracle Critical Patch Updates (CPUs), which are Oracle's regular security patches. The site also provides news about Security Alerts, which are Oracle's security hot fixes. CPU release dates are published to the public a year in advance. Security Alerts are issued as necessary. The page provides an RSS feed for proactive notification.

Oracle Security Assurance Blog
The Java team works closely with Security Assurance staff to communicate any news necessary beyond the standard release notes for security patches and alerts. "Maintaining the security-worthiness of Java is Oracle's priority" is a good example of the type of news communicated on this site. Often the Security Assurance blog follows up with a post after CPUs or Security Alerts. Many find the combination of the technical CPU and Alert bulletins with the easier-to-read background information from Security Assurance posts complementary.

Java Security for Consumers
The security site for consumers is easily located from the landing page by navigating to Help | Security. This resource is helpful to the general public, but particularly to those using Java in web browsers. Information is provided to describe Java technology, actions to improve security posture, tools to remove Java or identify your version, etc.

Secure Coding Guidelines for the Java Programming Language, Version 4.0
These are the coding measures developers should understand and apply as they write Java programs.  Often people want to know what actions they should take to improve security in their programs.  The secure coding guidelines are a good place to start.

Java Applet & Web Start - Code Signing
This is not a site but an article providing the background behind the Java changes encouraging code signing. Incidentally, the PM blog provides more information around code signing. Of course, all this documentation complements the technical documentation provided with each release.

SSL/TLS Libraries C/C++
Lighter weight support than the leading open source contender, OpenSSL. WolfSSL claims to be "20 times smaller [code size] than OpenSSL".

JavaOne 2013 SFO (Securing Java Track)
Due to interest we added a security track to Oracle's flagship Java conference in San Francisco. It's always best to attend in person, but if budgets are tight the media team posts slides and video after the event. I find the media valuable even for attendees, since I often miss sessions due to several being scheduled in the same time slot, discussions with project leaders, partners/customers, etc. It's a great resource to explore.

CIS Security Benchmarks
CIS provides security benchmarks, also known as hardening guides, for various popular system components like operating systems, web browsers, and application servers. If you're not a security wingnut you would be surprised at the number of steps it takes to secure an operating system or application server. Miss any step and you have left a door open for adversaries to exploit or exfiltrate system data. Take advantage of all the free resources available to you. Also, I noticed UC Berkeley Security provides some links to additional resources (interestingly, some backlinks to CIS).

Open Web Application Security Project (OWASP)
OWASP is an open project for all things related to application security. I have covered OWASP in my blog before, so I will not deep dive, but if you're looking for additional information about securing web applications I recommend checking them out. OWASP also hosts security conferences which I would really recommend attending.

EFF: Secure Messaging Scorecard
Which apps and tools actually keep your messages safe?

EFF: Surveillance Self-Defense
Basic tips to protect yourself from undesirable intrusion.

Security Advisor Alliance
Association of CISOs.

CERT Secure Coding Standards for Java
CERT Java secure coding standards.

10 'Must Go To' Cybersecurity Conferences...
A good mix of defensive and offensive type security conferences.

DEFCON Forums
Forums for the DEFCON security conference.

DEFCON Groups
Collaborate with other like-minded hackers under the auspices of DEFCON groups.

Open Security Architecture
Application security architecture resources.

Aleksey Shipilëv: One Stop Page
Lots of interesting things about the niche behaviors around Java.

News Feeds (Twitter/RSS)

Following are some of the news feeds I follow at the moment; they are always subject to change. Everyone consumes information differently. I like to use Twitter to follow my friends online. I find listening to security pros argue or comment on relevant issues is a great learning tool. I monitor news via an RSS reader called NetNewsWire on Mac. The advantage for me is that my Twitter feed is tightly limited to friends. I don't miss as many details anymore. Using NetNewsWire I can push through several hundred news articles a day. Having all my news and friends on Twitter was simply overwhelming me with too much information. I will share a few security RSS feeds I find helpful.

Twitter Followers (see who I follow on my Twitter account)

RSS Feeds (not in order of importance)
CERT Advisories
CERT Podcast
US CERT Alerts
US CERT Current Activity
The Darkside
EFF Deeplinks
Full Disclosure
Gmail Blog
Google Apps update alerts
Google Online Security Blog
Google Public Policy Blog
Krebs On Security
Oracle Security Alerts
Schneier on Security
The Switch (NSA news)
Ars Technica (Risk)
CSO Blogs

Security Tools

White Hat Security (Web Dynamic Analysis w/Support)
Free plug for White Hat, but they are hands down the best analysis solution in my opinion. White Hat has probably changed some since I used their service, but they are more than a scanning tool. White Hat backs their reports with technical support. I can't tell you how many arguments I have had with their techs debating the details of their findings (and I usually lose). The human touch is unique among vendors and sets White Hat apart.

Why No Padlock? (Web Dynamic Analysis)
Check your site for mixed-mode content.  Link via Twitter: @xxdesmus

CheckShortURL (Expand compressed URLs)
Use this tool to expand URLs before you click on them.

Detectify (Web Dynamic Analysis)
Cloud-based tool for ad hoc or scheduled analysis of web pages. I have not tried it myself, but it looks interesting so I thought I would include it.

Qualys SSL/TLS (Web Dynamic Analysis)
Test your organization's web server for proper SSL configuration and weaknesses such as supported protocols, weak cipher suites, etc.

SSL Client Test (Web Browser Analysis)
Similar to the preceding server tests, but intended for clients connecting to Qualys test servers, like web browsers or web applications. This tool is unique and provides a great view of your browser's capabilities.

SecTools - Security Tools List
Monster list of security tools.

NSA Playset
Reverse engineered tools from the NSA catalog disclosed to the public from NSA whistleblower Edward Snowden.

POODLE Test (SSLv3 Bug)
Some information about POODLE from a previous blog post. Instructions to disable SSLv3 in the Java JRE and JDK.

Keybase (Personal Security & Identity)
Tool to verify social media account ownership and perform ad hoc (cut/paste) encryption.

CoderPad (Online collaborative coding)
Paste code into your browser and compile online.

Google Cloud Security Tool (Web Dynamic Analysis)
Google DAST tool to scan your web site. Finds XSS and other nasty bugs. While not comprehensive, a key feature is its low noise level, that is, a low rate of false positives.

Superfish Test (Web Dynamic Analysis)
DAST tool to test for the Superfish HTTPS MITM.

(QR Codes)
Generate custom QR codes.

Fido: Automated Incident Response (Netflix Incident Response Framework)
Automated incident response management.

EICAR (Security testing)
Dummy payloads matching virus signatures for safely testing enterprise security controls.

KNOCKD (Security testing)
Port knock server. Establish an ordered list of ports, the knocking pattern, and execute scripts upon detection of the correct "secret" knock sequence.

Certificate Transparency (Verification)
Verify that CAs are not generating unauthorized certificates. Tool to dump certificate information from CT logs. Learn more about CT.

webXray (Personal Privacy)
Track 3rd party connections in web pages (e.g., advertisers, analytics, etc).

(DAST TLS/SSL)
TLS/SSL DAST script tool.
