
@skryvets
Last active September 27, 2024 01:23
Notes from the presentation

Wargames: Java Vulnerabilities and Why You Should Care

Speaker: Gerrit Grunwald
YouTube video


Intro

  • Gerrit Grunwald is a developer advocate at Azul.
  • Log4Shell vulnerability incident (Nov 24, 2021) is highlighted as a reminder of how significant and widespread security vulnerabilities can be.

Vulnerability Definitions

  • CWE (Common Weakness Enumeration): A community-developed list of software and hardware weakness types. Helps identify and categorize vulnerabilities.
  • NVD (National Vulnerability Database): The U.S. Government repository of standardized vulnerability management data, represented using the Security Content Automation Protocol (SCAP).
  • CVE (Common Vulnerabilities and Exposures): Assigns a standardized identifier to each publicly disclosed cybersecurity vulnerability, with the details stored in the NVD.
  • CVSS (Common Vulnerability Scoring System): CVSS 2.0 and 3.0 scores help assess the severity of vulnerabilities.
  • KEV (Known Exploited Vulnerability): Refers to vulnerabilities that have been actively exploited.
  • EPSS (Exploit Prediction Scoring System): A tool that helps prioritize work on CVEs based on their likelihood of being exploited.

OpenJDK Vulnerability Group

  • OpenJDK Vulnerability Group: A private forum of trusted members from the OpenJDK community.
    • Reviews and addresses vulnerabilities in the OpenJDK codebase.
    • Collaborates to fix issues and coordinates vulnerability advisories.

Updates: CPU and PSU

  • CPU (Critical Patch Update): Focuses only on vulnerability and critical issue fixes.
  • PSU (Patch Set Update): Includes the CPU fixes, along with non-critical fixes and new features. However, PSUs can introduce new vulnerabilities or break functionality.

jlink

  • jlink: Introduced in JDK 9, this tool reduces the size of Java applications by letting developers build a custom runtime image that contains only the modules the application requires. Modules that are not shipped cannot contribute exploitable code, so the attack surface shrinks with the image.

Shift Left: Security in Development

  • Shift Left: Encourages integrating security considerations earlier in the development process (moving security from operations to development).
    • It’s often more expensive and complicated to fix security vulnerabilities later in the process (on the "right") than addressing them early ("left").

Java Release Cycle

  • Old Release Cycle: Long waits between major versions (e.g., JDK 6, JDK 7, JDK 8).
  • New Release Cycle: A faster cadence with a new release every six months.
    • LTS (Long-Term Support) versions are less frequent but receive security updates for an extended period.
    • Fewer new features per release means fewer potential vulnerabilities.

Software Supply Chain

  • Vulnerabilities: Exist at all stages of the software supply chain—from developers accessing resources in central repositories (e.g., Maven Central), to CI/CD build systems, to production.
  • Supply Chain Attacks: Increased by 742% over three years. In 2021, there were over 20,000 unique software bugs and vulnerabilities recorded in the NVD.
  • Open Source Disclaimer: Open-source software is provided "as is," without warranties, and users are responsible for ensuring its security.

Tools for Securing Java Applications

  • Static Code Analysis: Conducts code reviews during the implementation phase to detect vulnerabilities early (e.g., SpotBugs, Find Security Bugs).
  • Vulnerability Scanners: Tools that scan code, repositories, CI/CD pipelines, and production for vulnerabilities (e.g., Snyk, SonarQube).
    • Detect issues such as outdated dependencies and common misconfigurations.
    • Java agents can be used to instrument the JVM and scan for vulnerabilities at runtime, though they often come with performance overhead.
  • Find Security Bugs: An extension of SpotBugs that includes over 400 bug patterns and can be integrated into IDEs as a plugin.
  • Snyk: A tool with free and paid versions; it supports over nine languages and integrates with IDEs and CI/CD pipelines for security scanning.

DevSecOps: Security in Every Phase

  • DevOps → DevSecOps: Security is no longer just an operations concern. Security needs to be embedded at every phase of the development lifecycle—planning, coding, building, deploying, and monitoring.

Key Takeaways

  • Automatic Updates: Schedule updates to align with OpenJDK distribution cycles.
  • Use jlink: Customize the runtime to minimize vulnerabilities by removing unnecessary modules.
  • Vulnerability Scanners: Regularly use tools like Snyk and SonarQube to identify risks in codebases and dependencies.
  • Docker Security: Build minimal Docker images with a jlink runtime to reduce exposure and increase security.

Questions and Final Thoughts

  • There is no tool to identify whether paid security patches for Java versions contain vulnerabilities.
  • Docker image scanners exist, but base images bring trust issues. Building minimal images with a jlink runtime is recommended for security.
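The jlink workflow from the jlink section, the Docker takeaway and this last point, as an added example that is not from the talk or the speaker: a POSIX shell script that asks jdeps which modules an application jar actually uses, sanity-checks that list, builds a trimmed runtime with jlink, and writes a two-stage Dockerfile that ships only that runtime on a slim base image. The jar name app.jar, the lib/ directory, the base image tags eclipse-temurin:21-jdk and debian:bookworm-slim, the main class com.example.Main and the user name app are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the talk: trim a JDK to the modules an application
# actually uses (jdeps + jlink) and package that runtime in a two-stage
# Docker image so the full JDK never reaches production.
# Assumptions: JDK 11 or newer on PATH; the application is app.jar with its
# dependency jars in lib/; image tags, paths and the main class are placeholders.
set -eu

# Reject anything that does not look like a jdeps module list: it must be a
# comma-separated list of module names and must contain java.base, without
# which jlink cannot produce a usable runtime. Prints the list on success.
validate_modules() {
    mods="$1"
    case "$mods" in
        *[!A-Za-z0-9._,]*|'')
            printf 'unexpected module list: %s\n' "$mods" >&2; return 1 ;;
    esac
    case ",$mods," in
        *,java.base,*) ;;
        *) printf 'module list lacks java.base: %s\n' "$mods" >&2; return 1 ;;
    esac
    printf '%s\n' "$mods"
}

# Let jdeps compute the module closure of the jar and its class path.
# --ignore-missing-deps avoids failing on optional dependencies that are not
# present; --multi-release base reads the base entries of multi-release jars
# (set it to your target release if version-specific code matters).
required_modules() {
    jar="$1"; libdir="${2:-lib}"
    jdeps --print-module-deps --ignore-missing-deps --multi-release base \
          --class-path "$libdir/*" "$jar"
}

# Build the trimmed runtime. --strip-debug, --no-man-pages and
# --no-header-files cut size without changing behaviour; fewer modules also
# means fewer JDK CVEs that can apply to this deployment at all.
build_runtime() {
    mods="$1"; out="$2"
    rm -rf "$out"
    jlink --add-modules "$mods" \
          --strip-debug --no-man-pages --no-header-files \
          --output "$out"
}

# Emit a two-stage Dockerfile: stage 1 has the full JDK and runs jlink,
# stage 2 is a small base image that receives only the trimmed runtime
# and the application, and runs it as an unprivileged user.
dockerfile_for() {
    mods="$1"
    cat <<EOF
# Stage 1: the full JDK is needed only to run jlink
FROM eclipse-temurin:21-jdk AS jre-build
RUN jlink --add-modules $mods --strip-debug --no-man-pages --no-header-files --output /javaruntime

# Stage 2: minimal base plus the trimmed runtime
FROM debian:bookworm-slim
COPY --from=jre-build /javaruntime /opt/java
COPY app.jar /app/app.jar
COPY lib/ /app/lib/
RUN useradd --system --no-create-home app
USER app
ENTRYPOINT ["/opt/java/bin/java", "-cp", "/app/app.jar:/app/lib/*", "com.example.Main"]
EOF
}

# Usage: ./jlink-image.sh app.jar [lib-dir] [runtime-dir]
main() {
    jar="$1"; libdir="${2:-lib}"; out="${3:-build/runtime}"
    mods=$(validate_modules "$(required_modules "$jar" "$libdir")")
    build_runtime "$mods" "$out"
    dockerfile_for "$mods" > Dockerfile
    printf 'modules: %s\nruntime: %s\nDockerfile written\n' "$mods" "$out"
}

[ "$#" -eq 0 ] || main "$@"
```

Run it as `./jlink-image.sh app.jar lib build/runtime`; the generated Dockerfile repeats the jlink call inside the builder stage so the image contains exactly the module set computed on the build machine. The trimmed runtime only covers the Java side: the OS packages in the slim base layer are still the image scanner's job, which is the trust issue raised in the question above.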
