Did you know Oracle’s JavaOne Java developers conference has a full security track? In “JavaOne Track Highlights: Java and Security”, Yolande Poirier and David Lopez describe some of the track sessions and provide links to more information. Disclosure: I lead the security track. If you come across other links about the track, feel free to share them and I will post them. See you at JavaOne.
About a year ago I helped some friends on a security book project, Iron-Clad Java: Building Secure Web Applications (Amazon). As we were winding down the project we received some early printed copies of the book from the publisher. I remember the feeling of seeing the project in printed form. However, when I began flipping through the pages I noticed the Foreword was missing. A missing foreword is not a big deal. Still, security is a tough job for many of us, and I thought the foreword helped call out some of the industry challenges while keeping an encouraging message. Following is the missing book foreword and our blooper.
The greatest challenge in product security today is that security quality is difficult for consumers to evaluate. A product with little security design consideration and a weak security posture shows few, if any, outward signs of being insecure. Software security, like performance and scalability, cannot be evaluated effectively by inspection and requires specialized tools and training. In a vacuum, consumers often mistakenly assume a product is safe unless news surfaces to shake that confidence. As a result, with ever-increasing pressure on business leaders to be more competitive and deliver more value to customers, security is frequently marginalized in favor of features with direct, tangible business value. There is little incentive to pursue security excellence when consumers assume it already exists. All too often, businesses roll the dice and shortchange product security, explaining away incidents when they occur with excuses like “hackers are becoming more sophisticated”, “security is too difficult a problem to solve”, or “everyone has bugs”. As the number and severity of security incidents increase, the public’s patience for excuses wears thin. Consumers are demanding more secure information systems and more accountability from business leaders and governments. Product security claims are no longer accepted at face value. As we transition from an era of plausible deniability to one of accountability, leaders are increasingly motivated to deepen their security investments. In the end, strong security is a choice, and it always has been. Security excellence is no accident. It is purposeful, it requires dedication, and role-appropriate education is essential to success.
In this book, Jim Manico and August Detlefsen tackle security education from a technical perspective and bring their wealth of industry knowledge and experience to application designers. A significant amount of thought went into including the most useful and relevant security content for designers defending their applications. This is not a book about security theory; it is the hard lessons learned by those who have been exploited, turned into actionable items for application designers, and condensed into print.
One of the things I enjoy most about the field of security is that it is small, and it is still possible to reach out and touch your heroes. Jim and August are my heroes, and it has been an honor and a privilege to be their technical editor on this project. The hallmarks of true experts and expert teams are that they are confident but soft-spoken, good listeners, secure in their abilities, and not afraid to explore the ideas of others. Teams with such qualities produce results like no other, and working in this environment is educational for everyone. It is my sincerest hope you enjoy this book as much as we enjoyed bringing it to you.
The exploit pack is written in Java. Abyss Walker is reminiscent of Metasploit in its extensibility. Unlike some popular exploit packs, Abyss Walker is full-featured and includes discovery tools, reconnaissance tools, and RATs. Given the rich feature set it will take some time to learn, but the author(s) provide links to videos to help, and you can search for your own, of course. Some exploit packs are difficult to learn (great pentesters don’t necessarily make the best UX designers), but here the UI looks comparatively well thought out. Looking forward to exploring the videos and this software further.
Note the author is presenting the exploit pack at Black Hat USA 2015, Arsenal | Exploit Pack.
JavaOne is a software developers conference held each fall in San Francisco, California. The conference is held at the same time as Oracle’s larger product conference, OpenWorld. Together both events bring about 110,000 attendees to the city. Many streets near the Moscone Center and O’Farrell are open only to foot traffic and serve snacks and beverages to attendees. There’s something decadent about drinking a hot latte in a recliner on a blocked-off street in the middle of San Francisco.
I thought a post was in order since many are surprised to learn Oracle’s JavaOne conference has a security track. This year is the third year for the security track at JavaOne. I can’t share too much about this year’s track just yet, but I can share about last year’s. In previous years, the security track included around 40 sessions held over the course of the conference week. Content covers areas like open source projects, technologies, platform security, labs, and more. Many industry verticals are represented, including finance, insurance, banking, government, and academia, as well as independent researchers. A key differentiator for JavaOne is that the conference sessions are defensive in nature: we focus on the defensive techniques developers use to strengthen software applications, as opposed to offensive techniques for exploiting software weaknesses.
The security track is not the focus of attention at JavaOne, so we don’t have a keynote like other tracks, but we do provide an opening presentation that launches the track. Following is the presentation I gave last year to give you some background.
See you at JavaOne!
Got something to share about Java security? JavaOne 2015 San Francisco call for papers is LIVE. Send in your proposals for consideration to the Java security track. Submit Now!