Java, Secure Development and other IT related Thoughts

  • Get ready for the Java Forum Stuttgart 2012

    July 5th 2012 is coming closer, and with that the Java Forum Stuttgart as well as my (German) session Sichere Software vom Java-Entwickler. This session will give you some ideas and recommendations for all of the problems and risks mentioned in the current OWASP Top 10. Since 10 is quite a number for 45 minutes,…

  • Confident Data Transfers with Apache Camel Security at JavaOne 2012

    Fantastic news today (with a little delay due to various reasons): My session on Confident Data Transfers with Apache Camel Security at JavaOne 2012 was accepted! So hurry up, sign up for it! It’ll be all about securing Camel routes with XML-Security or normal cryptography and how to use Apache Shiro or Spring Security components…

  • JCrypTool release candidate 6 takes a little while longer…

    As you may have already noticed, JCrypTool release candidate 6 (RC6) is already delayed. While there are still some (minor) issues we are working on, both in core and crypto, the main reason for the delay is this bug in FlexiProvider. This issue causes endless loops in different FlexiProvider operations and makes some crypto plug-ins…

  • Security is every developer’s job

    In one of his latest blog posts published in the OWASP feed, Dinis Cruz points out that secure development and application security itself must be invisible to developers. I can’t completely agree with that. On one side, Dinis is right: The frameworks we use must be way more secure out of the box and way…

  • Using interceptors with version 2.1 Enterprise Beans

    I recently hit the requirement to use Interceptors with some EJB 2.1 beans. Those beans should be migrated to 3.1, and tracing should make their complex flow easier to understand. As this blog post points out, it is possible to use interceptors with old EJB versions. Simply update the deployment descriptor to 3.0 or 3.1…

  • XML Encryption 1.1 is a candidate recommendation

    The XML Security Working Group has published the Candidate Recommendation for XML Encryption Syntax and Processing 1.1. The most important update in this version addresses the recently published chosen-ciphertext attacks against the CBC class of algorithms. Besides that, AES-128-GCM is now a required algorithm. AES-GCM is an authenticated encryption algorithm and provides both authentication…

  • Upcoming secure development for Java developers talks

    I’ll be speaking about the OWASP Top 10 and secure development for Java developers at DOAG SIG Security on March 20th 2012 in Munich. Two more talks about the same topic are scheduled for May 9th in Bern and May 10th in Zürich at the Java User Group Switzerland. Hope to see you at one of…

  • Apache XML Security 1.5.1 available

    One month after the 1.5.0 release, the bugfix release 1.5.1 of Apache Santuario is available. Two bugs were fixed: one in XMLSignatureInput when using a BufferedInputStream, the other one causing Santuario to still require Apache Xalan (which had been made optional in 1.5.0). Besides that, encryption and decryption should work faster now.

  • Apache XML Security 1.5.0 released

    Apache Santuario 1.5.0 has been released. As the release notes point out, this release is no longer binary compatible with Santuario 1.4. There are some really good updates included, the one I like most being that Xalan/Xerces are no longer required dependencies. Under the covers, support for Java 1.4 was dropped, and generics…

  • JCrypTool Release Candidate 5a available

    JCrypTool release candidate 5a (RC5a) is available (German and English download page). This update was necessary for our new update site URL at http://www.cryptool.org/jct/update. Even if you have already changed the URL manually, we recommend updating to the new version 0.9.6 anyway.