Home » Tag Archives: Security (page 2)

Tag Archives: Security

“NoSQL Injection” – What 40000 Unsecured MongoDB Databases Mean for our Industry

mongodb-logo

The news is all over reddit… Major security alert as 40,000 MongoDB databases left unsecured on the internet Security is a feature that is often neglected until it’s too late. And when it’s too late, it is often hard to bake it into a well-established architecture without major refactoring efforts. Every system and thus also every database is always vulnerable. ...

Read More »

Introduction to MongoDB Security

mongodb-logo

Last week at the Paris MUG, I had a quick chat about security and MongoDB, and I have decided to create this post that explains how to configure out of the box security available in MongoDB. You can find all information about MongoDB Security in following documentation chapter: http://docs.mongodb.org/manual/security/         In this post, I won’t go into ...

Read More »

Required Reading: Iron Clad Java

java-interview-questions-answers

They didn’t teach appsec in Comp Sci or in engineering or MIS or however you learned how to program. And they probably still don’t. So how could you be expected to know about XSS filter evasion or clickjacking attacks, or how to really store passwords safely. Your company can’t afford to send you on expensive appsec training, and you’re too ...

Read More »

If you got bugs, you’ll get pwned

software-development-2-logo

The SEI recently published some fascinating research which shows a clear relationship between software quality and software security. The consensus of researchers is that at least half, and maybe as many as 70% of common software vulnerabilities are fundamental code quality problems that could be prevented by writing better software. Sloppy coding. Not checking input data. Bad – or no ...

Read More »

Self-Signed Certificate for Apache TomEE (and Tomcat)

apache-tomcat-logo

Probably in most of your Java EE projects you will have part or whole system with SSL support (https) so browsers and servers can communicate over a secured connection. This means that the data being sent is encrypted, transmitted and finally decrypted before processing it. The problem is that sometimes the official “keystore” is only available for production environment and ...

Read More »

Signing Digital Certificates with OpenSSL Library

software-development-2-logo

While working on the pgopenssltypes extension I realized that I haven’t discussed how to sign digital certificates using the OpenSSL library. (At least I don’t recall doing so – I might have discussed this in the early days of the blog. I’m pretty sure I’ve already discussed signing digital certificates with the BouncyCastle (java) library.) My pgopenssltypes extension will have ...

Read More »

Adding OpenSSL User-Defined Types to PostgreSQL

postgresql-logo

PostgreSQL supports user-defined types (UDT). These types can be used to provide type-safety on user-defined functions when we would otherwise be forced to use simple BLOB objects. This comes at a significant cost. Many databases support UDT but implementation details vary widely so there’s a significant amount of vendor lock-in. In addition C language UDT require deployment via PostgreSQL extensions ...

Read More »

Database Threat Models

software-development-2-logo

I finally have a breather and can start working through my backlog of ideas. I start with some background that will make the motivation for subsequent posts clearer. What are the threat models for the persistence layer of an application, specificially the threats against the database itself? Remember that a ‘threat’ is an adverse act, whether intentional (by an attacker) ...

Read More »

In Favour of Self-Signed Certificates

software-development-2-logo

Today I watched the Google I/O presentation about HTTPS everywhere and read a couple of articles, saying that Google is going to rank sites using HTTPS higher. Apart from that, SPDY has mandatory usage of TLS, and it’s very likely the same will be true for HTTP/2. Chromium proposes marking non-HTTPS sites as non-secure. And that’s perfect. Except, it’s not ...

Read More »
Want to take your Java Skills to the next level?
Grab our programming books for FREE!
  • Save time by leveraging our field-tested solutions to common problems.
  • The books cover a wide range of topics, from JPA and JUnit, to JMeter and Android.
  • Each book comes as a standalone guide (with source code provided), so that you use it as reference.
Last Step ...

Where should we send the free eBooks?

Good Work!
To download the books, please verify your email address by following the instructions found on the email we just sent you.