Secure programming in Java
The root of the application security issues facing most organizations today is that their developers are not trained in application security best practices. Even developers who are aware of application security typically lag behind in the practical knowledge needed to remediate flaws and vulnerabilities. A 2017 study conducted by DevOps.com found that 76% of developers said the security and secure-development education needed for today's world of coding is missing from formal development curriculums. In fact, developer respondents to a 2014 survey by The Denim Group answered questions about secure coding practices correctly only 42% of the time, compared with 59% on general appsec awareness questions. The same study found that appsec training was strongly correlated with improved developer performance: the pass rate for developers who had consumed more than three days of appsec training more than doubled.
In this workshop we'll dive into the definition, detection and remediation of injection-type flaws, specifically unsafe reflection and unsafe deserialization. We'll discuss the Apache Struts vulnerability (CVE-2017-5638) that led to the 2017 Equifax breach, then exploit and fix our own unsafe reflection and deserialization flaws on a cloud-hosted virtual machine.
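To show concretely what the two flaw classes look like in Java, here is an added example that is not part of the workshop material. It puts each vulnerable pattern next to a hardened version: attacker-chosen class names passed to Class.forName versus an allowlist of opaque plugin ids, and a bare ObjectInputStream.readObject() versus one guarded by an ObjectInputFilter (JEP 290, Java 9+). The class names UserPrefs, CsvExporter and JsonExporter, the PLUGINS map and the method names are hypothetical, and the "hostile" stream is a constructed stand-in for a real gadget-chain payload.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

public class UnsafeReflectionAndDeserialization {

    // --- Unsafe reflection ---------------------------------------------------
    // Vulnerable: the class name comes straight from the request, so a caller can
    // instantiate any class on the classpath that has a public no-arg constructor.
    // Kept here for contrast only; never call it with untrusted input.
    static Object loadPluginUnsafe(String classNameFromRequest) throws Exception {
        Class<?> clazz = Class.forName(classNameFromRequest);
        return clazz.getDeclaredConstructor().newInstance();
    }

    // Hardened: an opaque id is mapped to a fixed set of constructors. No string
    // from the request ever reaches Class.forName. (Hypothetical plugin set.)
    static final Map<String, Supplier<Object>> PLUGINS = Map.of(
            "csv", CsvExporter::new,
            "json", JsonExporter::new);

    static Object loadPluginSafe(String pluginIdFromRequest) {
        Supplier<Object> factory = PLUGINS.get(pluginIdFromRequest);
        if (factory == null) {
            throw new IllegalArgumentException("unknown plugin: " + pluginIdFromRequest);
        }
        return factory.get();
    }

    // --- Unsafe deserialization ----------------------------------------------
    // Vulnerable: readObject() resolves and instantiates whatever classes the
    // attacker-controlled stream names, running their readObject() hooks before
    // the cast in our code is ever reached. Kept for contrast only.
    static UserPrefs readPrefsUnsafe(byte[] untrusted) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (UserPrefs) in.readObject();
        }
    }

    // Hardened: the filter rejects every class not on the allowlist before it is
    // instantiated, and caps graph depth and reference count. String is listed
    // because the filter is consulted for the String field of UserPrefs too.
    static UserPrefs readPrefsSafe(byte[] untrusted) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "UnsafeReflectionAndDeserialization$UserPrefs;java.lang.String;"
                + "maxdepth=3;maxrefs=16;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return (UserPrefs) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Reflection: a known plugin id is accepted, an arbitrary class name is not.
        System.out.println(loadPluginSafe("csv").getClass().getSimpleName());
        try {
            loadPluginSafe("java.lang.ProcessBuilder");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Deserialization: the expected type passes the filter ...
        byte[] ok = serialize(new UserPrefs("dark", 14));
        System.out.println(readPrefsSafe(ok).theme);

        // ... while a stream naming a class outside the allowlist is rejected
        // with InvalidClassException before any instance of it exists.
        // (Constructed stand-in for a gadget-chain payload.)
        byte[] hostile = serialize(new ArrayList<>(List.of("x")));
        try {
            readPrefsSafe(hostile);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    static final class CsvExporter { }
    static final class JsonExporter { }

    static final class UserPrefs implements Serializable {
        private static final long serialVersionUID = 1L;
        final String theme;
        final int fontSize;
        UserPrefs(String theme, int fontSize) { this.theme = theme; this.fontSize = fontSize; }
    }
}
```

Compile and run with `javac UnsafeReflectionAndDeserialization.java && java UnsafeReflectionAndDeserialization` on Java 9 or later. The allowlist filter is the key design choice: a denylist of known gadget classes (the approach taken by several early patches) has to be updated every time a new chain is found, whereas `!*` after an explicit list fails closed for anything the application did not expect to read.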