Category: Java

  • Security in the build pipeline

    I’ve already blogged about OWASP Dependency Check or its alternative SourceClear in the past. But there is more you can do about security in a typical (Jenkins) build. Although I’m calling this post “Security in the build pipeline” I’m not actually using the Jenkins pipeline as code feature. Security scans are independent of that, so…

  • SRC:CLR revisited

    I was approached by SourceClear a little while ago to have another look at their dependency vulnerability scanner after my first blog post on their service. Since I already liked the tool before, I was quite interested to see what they have changed and was happy to do another test. The test setup partly changed:…

  • Finding vulnerabilities in third party libraries

    I’ve already blogged about OWASP Dependency Check as a Jenkins plug-in a little while ago. With SRC:CLR, a new web based alternative might be available. To use it, simply register via GitHub login and follow the installation instructions for your operating system. After installation, execute a scan via command line: srcclr scan –url https://github.com/dschadow/JavaSecurity.git The…

  • Using OWASP Dependency Check as Jenkins plugin

    OWASP Dependency Check is a great tool to check your third party dependencies in Java (web) applications. Besides using it as command line tool, Maven plugin or Ant task, you should integrate it all your Jenkins build jobs. One downside is that as default, every build job downloads and regularly updates its own National Vulnerability…

  • Free web application vulnerability scanner for Eclipse

    Contrast released Contrast for Eclipse 1.0 already a little while ago. The Eclipse plug-in works as a runtime security scanner and checks for security vulnerabilities in your web application while executing it in Eclipse. Promised by Contrast on Eclipse Marketplace is an Automated detection of OWASP Top 10 vulnerabilities. This is the first free tool…

  • JavaOne 2014 retrospective

    JavaOne 2014 is over, and it has been a fantastic experience! Better than my first attendance 2012. Most sessions had a higher quality, JavaHub was fantastic (I just love the Nao robot), enjoyed Geek Bike Ride and met a lot of new and interesting Java developers. The only mixed feelings I have are about both…

  • Using security response headers with WordPress

    I’ve added several security headers to my blog today. The first part was easy: I’ve created a .htaccess file in my blog’s root directory with the following content: Header set X-XSS-Protection “1; mode=block” Header set X-Frame-Options DENY Header set X-Content-Type-Options “nosniff” Header set Strict-Transport-Security “max-age=31556926” Header set Cache-Control “no-store, no-cache, must-revalidate” Only one header was…

  • Keep Your X-Frame-Options header a little while longer

    So Mozilla has decided to deprecate the X-Frame-Options header to avoid clickjacking or UI redressing attacks (have a look in the page history, the first version used a much stronger language). This header was never standardized (as the leading X indicates), but is supported in all browsers (yes, in ALL browsers, with the exception of…

  • JSF stateless views and CSRF protection

    JavaServer Faces (JSF) – especially since version 2.2 – provides a good Cross-Site Request Forgery (CSRF) protection. To achieve this, every form automatically receives a random hidden token: Nothing more to do for the developer, JSF takes care of comparing the token’s value against the one stored in the server side session. Without the correct…

  • JSF – Referencing resources in stylesheets

    I recently ran into some trouble when trying to show a background image in a JSF page which was included via a stylesheet. When using <h:outputStylesheet library=”css” value=”styles/styles.css” name=”styles.css” /> to include the stylesheet into the JSF page, referencing resources (like images) in the CSS file need a special URL form. The typical form html…