QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components (CVE-2017-5929).
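Both components read serialized logging events from a TCP socket through ObjectInputStream, so whoever can reach the listening port decides which classes the receiver deserializes. The standard mitigation for that class of bug is to refuse any class the receiver does not expect before the class is even resolved. The following is an added illustration of that mitigation, not Logback's code and not the 1.2.0 patch: HardenedReceiverDemo, LogEvent and the contents of ALLOWED are hypothetical stand-ins for a receiver's expected event type, and java.util.Date is used only as a constructed stand-in for "a class the peer was never supposed to send".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Date;
import java.util.Set;

public class HardenedReceiverDemo {

    /** Hypothetical event type a receiver expects over the wire (not Logback's ILoggingEvent). */
    static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        final long timestamp;
        LogEvent(String message, long timestamp) {
            this.message = message;
            this.timestamp = timestamp;
        }
    }

    /**
     * Classes the receiver is willing to resolve from an untrusted stream (assumption: only
     * LogEvent). Every class descriptor that can legitimately appear in the stream must be
     * listed: serializable superclasses, object-typed field classes, and array types.
     * Strings and primitives are written inline and never pass through resolveClass.
     */
    static final Set<String> ALLOWED = Set.of(LogEvent.class.getName());

    /** ObjectInputStream that rejects any class outside the allowlist before loading it. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail here: no class loading, no readObject/readResolve of the rejected type.
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The unsafe pattern: deserialize whatever the peer sent. */
    static Object readUnrestricted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** The hardened pattern: only allowlisted classes can be resolved. */
    static Object readHardened(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one event of the expected type, one object of an unexpected type.
        byte[] expected = serialize(new LogEvent("hello", 1507507200000L));
        byte[] unexpected = serialize(new Date());

        // The unrestricted reader happily instantiates the unexpected class.
        System.out.println("unrestricted accepted: " + readUnrestricted(unexpected).getClass().getName());

        // The hardened reader accepts the expected type ...
        LogEvent ev = (LogEvent) readHardened(expected);
        System.out.println("hardened accepted: " + ev.message + " @ " + ev.timestamp);

        // ... and rejects anything else before any of its code can run.
        try {
            readHardened(unexpected);
            System.out.println("hardened accepted unexpected class (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java HardenedReceiverDemo.java` on JDK 11 or later. Two caveats matter in practice: rejecting in resolveClass is the right place because it happens before the class is loaded, so neither a static initializer nor a readObject or readResolve method of the rejected type ever executes; and an allowlist only helps if the listed classes are plain data carriers, since a listed class that is itself a gadget is still reachable. On Java 9 and later the same policy can be expressed with the JDK's ObjectInputFilter (ObjectInputStream.setObjectInputFilter), which also lets you cap stream depth and array sizes.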
On October 9, 2017, voting begins for OWASP members to elect four new OWASP Board members. I am running for the board this cycle and can use your support!
Java Chief Architect Mark Reinhold posts…
Create a secure, private forum in which trusted members of the OpenJDK Community can receive reports of vulnerabilities in OpenJDK code bases, review them, collaborate on fixing them, and coordinate the release of such fixes. Ensure that information flows efficiently, in both directions, between this forum and Oracle’s internal security teams. Encourage the forum to be used for other OpenJDK security-related discussions as needed.
Continue reading, Proposal: OpenJDK Vulnerability Group
You understand the value of security penetration testing for your software applications, and it has been successful at identifying important vulnerabilities. You do the obvious thing and order more pentesting, but in successive tests the arrival rate of new application vulnerabilities soon exceeds your technical teams' ability to remediate them. The security-vulnerability epiphany of management and the technical teams soon turns to malaise, as security becomes increasingly marginalized in favor of progress against more tangible objectives: customer-facing software features. What happened? Could this have played out differently?