Java, Secure Development and other IT related Thoughts

  • Remove Checkstyle warnings for certain classes

    Checkstyle warnings for generated or automatically filled classes like Messages.java in Eclipse RCP can be annoying. But even without the .checkstyle file under version control, it is possible to deactivate Checkstyle warnings for selected files. First you have to add the SuppressionFilter module to your Checkstyle configuration file:

        <module name="SuppressionFilter">
          <property name="file" value="${samedir}suppressions.xml"/>
        </module>

    The…
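The suppressions file the SuppressionFilter points to is not shown in the excerpt above, so here is an added example of what such a suppressions.xml looks like; it is not code from the post or from the JCrypTool project. It uses the Checkstyle 1.1 suppressions DTD that was current for Checkstyle 5.x. The Messages.java rule matches the post; the second, narrower rule for a file named Activator.java is an assumption added to show how to silence a single check rather than all of them.

```xml
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
    "-//Puppy Crawl//DTD Suppressions 1.1//EN"
    "http://www.puppycrawl.com/dtds/suppressions_1_1.dtd">
<suppressions>
    <!-- Eclipse RCP NLS message bundle (Messages.java) is generated, so every
         check is suppressed for it. Both "files" and "checks" are regular
         expressions; the escaped dot keeps "Messages.java" from also matching
         e.g. "MessagesXjava". "files" is matched against the file path, so
         this rule hits every Messages.java in the project. -->
    <suppress files="Messages\.java" checks=".*"/>

    <!-- Assumed example (not from the post): keep all checks active for the
         generated bundle activator, but do not require Javadoc on its methods.
         Prefer narrow rules like this one over checks=".*" wherever you can,
         so that real findings in hand-written code are not hidden. -->
    <suppress files="Activator\.java" checks="JavadocMethod"/>
</suppressions>
```

Place suppressions.xml next to the Checkstyle configuration file so that the `${samedir}` reference resolves. Keep the file under version control together with the configuration, and review it in code review like any other change: a suppression with `checks=".*"` on a broad `files` pattern is an easy way to switch Checkstyle off for far more code than intended.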

  • Java Security Myths session at DOAG 2013

    I’ll be speaking about Java Security Myths at the DOAG 2013 conference in Nürnberg. My (German) session is on November 21st at 10 a.m.

  • A little bit more security for Java in the browser

    Oracle has just released Java 7 update 21, which once again contains many security fixes (install it right away), as well as some changes to applet usage and handling. First of all, the preference dialog no longer contains the low security setting, which forces more user interaction when launching unsigned applets. Unsigned applets therefore require at least…

  • It’s a hattrick

    Just received the great news that my session on Java Security Myths has been accepted for the upcoming Java Forum Stuttgart 2013. This is the third time in a row for me to speak at JFS, after Git in 2011 and Secure Software Development in 2012. Looking forward to seeing you in Stuttgart on July…

  • Java in the browser is dead

    So it's certificates now. It looks like Java applets don't care about certificate revocation lists at all. Signed applets gain full access to the system, and an invalid certificate should prevent that, which makes a certificate revocation list kind of important. But no, let's forget about that check. No need to hack the sandbox this time…

  • OWASP Top 10 2013 release candidate published

    The first release candidate of the new OWASP Top 10 2013 was published a couple of days ago (PDF). And the top 10 changed quite a bit (see the project wiki): A1 Injection A2 Broken Authentication and Session Management (was formerly A3) A3 Cross-Site Scripting (XSS) (was formerly A2) A4 Insecure Direct Object References A5…

  • JCrypTool Tycho builds finally working

    The last couple of days brought a lot of updates for the Eclipse Tycho build in JCrypTool. And I'm happy to say that everything is working now (except some minor issues). Since JCrypTool is a rather complex RCP (about 45 core plug-ins/features, about 75 crypto plug-ins/features), the setup required quite some time and…

  • Making Java secure again

    The recent total failure of Java security is neither the first one, nor will it be the last. Java in the browser (in the form of Java applets) is not secure and will never be secure. Oracle can provide all the security patches they want; the next major security breach is just around the…

  • Java 7 update 11 available, addressing the latest major security flaw

    So, Oracle released Java 7 update 11 today, addressing the latest major security flaw with Java applets. Guess we are safe now for about a week. Of course I strongly recommend installing the new release as quickly as possible. But keep Java disabled in your browser! In case you do need a Java applet I’ll…

  • Solved the Eclipse RCP export failure on OS X

    After a lot of trial and error, I've solved the Eclipse RCP export failure on OS X. The solution was to force Eclipse to use Java 1.6 and not the default 1.7. Simply add the following to your eclipse.ini. Note that eclipse.ini expects the -vm option and the path on two separate lines, and that they have to appear before the -vmargs line:

        -vm
        /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/java