Category Archives: Security

Here you can find posts about software security, vulnerability research, fuzzing, Java Security Libraries, and common security-related topics.

Tips about configuring security for REST API in Spring

In most cases, REST APIs should be accessed only by authorized parties. Spring framework provides many ways to configure authentication and authorization for an application. Another good thing is that the framework usually provides relatively good default settings. But nevertheless, it may be better to understand what’s going on rather then rely on the defaults.

This post contains a list of things which may be good to pay attention to when you configure or review authentication and authorization settings for a RESTful application based on Spring (boot) framework. However this is not a comprehensive guideline (if such a guideline even exist) which tells how to configure authentication and authorization for an application based on Spring framework. It’s more like a collection of tips and suggestions. Furthermore, any other suggestions and comments are more than welcome.

Continue reading

What’s new security features in Java 11?

Java 11 was released on Sep 25th, 2018. This is the first long-term support release produced under the six-month cadence release model. Besides a huge number of small improvements and bug fixes, the new release contains 17 major enhancements including:

  • several updates in the Hotspot and garbage collectors
  • new HTTP client
  • Unicode 10
  • deprecating Nashorn JavaScript Engine and Pack200 tool
  • removing the Java EE and CORBA Modules
  • local-variable syntax for Lambda parameters
  • launch single-file source-code programs
  • and finally several security features

Although all these features are pretty cool, let’s focus on security in this post.

Continue reading

Fuzzing and code coverage analysis

Code coverage analysis is used in software testing to discover untested pieces of an application. Gathering code coverage data may also be useful for fuzzing. Basically it may help to figure out which parts of a program were not reached during fuzzing. This info can then be used to improve the fuzzer.

Let’s try to gather some code coverage data during fuzzing. As an example, we’re going to test picotls with tlsbunny. Picotls is an implementation of TLS 1.3 protocol written in C, and tlsbunny is a framework for building negative tests and fuzzers for TLS 1.3 implementations. We’re going to use gcov for gathering code coverage data, and lcov for creating a report.

Continue reading

Integrating OWASP Dependency Check in to development process

OWASP Dependency Check is a well known open-source tool which can track dependencies in your project and identify components with known published vulnerabilities. The tool supports multiple languages and platforms such as Java, .NET, Ruby and Python. One of the simplest ways how you can use Dependency Check in your project is just to run it manually. This way has at least one disadvantage: you have to make sure that you run the tool regularly. Fortunately there is a couple of ways how you can automate this process.

But unfortunately sometimes it’s not enough just to automate something. If the tool reports a vulnerability it means someone has to fix it. At least it would be good to evaluate the problem. In a perfect world, all issues are addressed immediately, but in the real world, development teams always have no time for that. Besides integrating Dependency Check to CI/CD, there may be a couple of other steps to get vulnerable dependencies updated.

Continue reading

An overview of secure usage of TLS

Here is a brief overview which describes how TLS can be used for establishing a secure TLS connection. First, we briefly discuss what SSL/TLS protocols are. Next, we’ll talk about secure TLS protocol versions and parameters. Finally, we’ll describe how TLS can be parametrized securely.

Continue reading

Extracting secrets from machine learning systems

For those who are interested in machine learning and/or security, here is a research which discusses extracting secrets from machine learning systems:

https://arxiv.org/pdf/1802.08232.pdf

The authors say deep learning models can memorize secrets which the training data may contain. Then the authors provide a couple of algorithms which were successfully used for extracting sensitive data from black box machine learning systems. The authors also show that unintended memorization is not the result of overfitting. Finally, they discuss several ways to mitigate the problem.

According to Mr. Schneier, there is a lot more research to be done here. So good luck :)

Running Java with AddressSanitizer

OpenJDK and AddressSanitizer are well-known open source projects. OpenJDK sources contain C/C++ code which may be affected by memory corruption issues and memory leaks. Such issues may be detected at runtime with memory checkers like AddressSanitizer. Now it’s going to be easier to use AddressSanitizer for OpenJDK development to check for memory corruptions and leaks.

Continue reading