
Conference presentation materials have been released.
You can download them from Packet Storm

Marc Schonefeld

Filed under: Conference Speakers — Administrator @ 8:20 pm

April 21, 2005

Presentation Title: Java & Secure Programming
Presentation Details:

Java is not secure by default. As a programmer you can use its built-in features to make your software more secure, but on the other hand your own errors and the flaws in the software stack below you (such as the JDK) can add a wide range of vulnerabilities to your Java-based software. The talk is about the causes and effects of coding errors and the techniques to detect them, demonstrated with findings in the current Sun JDK.

During the talk we describe “Antipatterns” that have a negative influence on coding quality. Antipatterns are related to design patterns, but they have more negative than positive side effects while solving a general problem. Other problems discussed are language-specific issues such as non-final static fields, and JDK framework issues such as serialisation problems, privileged code and insecurity caused by security-unaware component deployment.
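As an added illustration of the "non-final static field" issue named above (example code written for this page, not from the talk's materials; the class, field names and host values are hypothetical), the antipattern is shown next to its hardened form:

```java
// Added example: a security-relevant setting kept in a non-final static field,
// and the hardened form. Names and host values are hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class StaticFieldAntipattern {

    // ANTIPATTERN: a non-final, publicly writable static holds the allow-list.
    // Any other class loaded into the same JVM (a plugin, a deserialised object,
    // untrusted code in an older JDK) can reassign it, and every later call to
    // checkVulnerable() silently trusts whatever was put there.
    public static String[] allowedHosts = { "intranet.example", "localhost" };

    public static boolean checkVulnerable(String host) {
        return Arrays.asList(allowedHosts).contains(host);
    }

    // HARDENED: the reference is private and final, and the contents are exposed
    // only through an unmodifiable view. Note that 'final' alone is not enough:
    // a final array field still has mutable elements, so the wrapper is needed.
    private static final List<String> ALLOWED_HOSTS = Collections.unmodifiableList(
            Arrays.asList("intranet.example", "localhost"));

    public static boolean checkHardened(String host) {
        return ALLOWED_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        // Simulates tampering by some other code running in the same JVM.
        StaticFieldAntipattern.allowedHosts = new String[] { "attacker.example" };

        // The vulnerable check now accepts the tampered host; the hardened
        // check cannot be reassigned and still rejects it.
        System.out.println("vulnerable accepts tampered host: "
                + checkVulnerable("attacker.example"));
        System.out.println("hardened accepts tampered host: "
                + checkHardened("attacker.example"));

        // Mutation through the unmodifiable view fails at runtime.
        try {
            ALLOWED_HOSTS.add("attacker.example");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened list rejects mutation");
        }
    }
}
```

A static-analysis detector of the kind the talk describes would flag the `public static` non-final field (and any `public static final` array) as a finding; the hardened form is what such a detector should accept.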

All antipatterns are illustrated by real-life vulnerabilities, most of them documented by the corresponding advisories. The underlying code problems were discovered with the help of automated detectors. These detectors are optionally presented in a code-walkthrough.

About Marc:

Marc Schonefeld is an external PhD student at the University of Bamberg in Germany. His research covers the analysis of interdependencies between programming flaws (antipatterns) and vulnerabilities in software. By developing a framework for flaw detection he found a range of serious bugs in current Java runtime environments (JDK) and in other Java-based applications and middleware systems (such as JBoss, the Cloudscape database, …). Some of his findings led to the publication of a number of advisories by Sun Microsystems. In 2004 he presented at the DIMVA and D-A-CH conferences, and he was a speaker at Black Hat and RSA in 2003. Also in 2004 he was a finalist for the European Information Security Award for his work on Java-based security antipatterns.
