Remove Checkstyle warnings for certain classes

Checkstyle warnings for generated or automatically filled classes like in Eclipse RCP can be annoying. But even without the .checkstyle file under version control, it is possible to deactivate Checkstyle warnings for selected files. First you have to add the SuppressionFilter module to your Checkstyle configuration file: <module name="SuppressionFilter"> <property name="file" value="${samedir}suppressions.xml"/> </module> The […]

A little bit more security for Java in the browser

Oracle just released Java 7 update 21, containing once more many security fixes (install it right away). And some changes for applet usage and handling. First of all, the preference dialog does not contain the low security setting any more. Which forces more user interaction when launching unsigned applets. Unsigned applets therefore require at least […]

It’s a hattrick

Just received the great news that my session on Java Security Myths has been accepted for the upcoming Java Forum Stuttgart 2013. This is the third time in a row for me to speak at JFS after Git in 2011 and Secure Software Development in 2012. Looking forward to seeing you in Stuttgart on July […]

Java in the browser is dead

So it’s certificates now. Looks like Java applets don’t care about certificate revocation lists at all. Signed applets gain full access to the system. An invalid certificate should prevent that. Which means a certificate revocation list is kind of important. But no, let’s forget about that check. No need to hack the sandbox this time […]

OWASP Top 10 2013 release candidate published

The first release candidate of the new OWASP Top 10 2013 was published a couple of days ago (PDF). And the top 10 changed quite a bit (see the project wiki): A1 Injection A2 Broken Authentication and Session Management (was formerly A3) A3 Cross-Site Scripting (XSS) (was formerly A2) A4 Insecure Direct Object References A5 […]

JCrypTool Tycho builds finally working

The last couple of days brought a lot of updates for the Eclipse Tycho build in JCrypTool. And I’m happy to say that everything is working now (except some minor issues). Since JCrypTool is a rather complex RCP (about 45 core plug-ins/features, about 75 crypto plug-ins/features) the setup required quite some time and […]

Making Java secure again

The recent total failure of Java security is neither the first one, nor will it be the last one. Java in the browser (in the form of Java applets) is not secure and will never be secure. Oracle can provide all the security patches they want, the next major security breach is just around the […]