Category Archives: Java Security

ATT&CK Navigator: Studying Cyberthreat intelligence from adversary tactics and exploits

Since inception, I had been following MITRE’s ATT&CK Navigator knowledge base for studying (threat modeling) pre and post-exploit techniques on Web, Mobile and Enterprise applications more particularly running on Windows and Linux systems. Indeed, it is a great resource for understanding the devil in the details of attack techniques and simulate it from simple hacking credentials from the initial access… Read more »

Encryption and Key Management in AWS – Comparing KMS vs. CloudHSM

A secure data protection using encryption depends more on secure key management processes than the encryption itself. Although enabling encryption looks quite trivial, managing the underlying Key management lifecycle processes and handling the associated cryptographic operations always been a daunting challenge! The challenges are too many till we really know..beginning from key generation and issuance, key ownership, key usage, privileged… Read more »

Good old memories from Java Keystore (JKS)

Thanksgiving holidays! Had great time meeting with a bunch of my old friends from Javasoft! Back in the days (~1998) I was working at Sun Microsystems and was part of a team working on Java Keystore.  It was a lot of fun..still remains fresh on my mind! It’s been a while I played with Java. Can’t believe JKS still remains as… Read more »

Firesheep: HTTP Session Hijacking made so easy !

      1 Comment on Firesheep: HTTP Session Hijacking made so easy !

Way cool ! HTTP Session Hijacking can’t be made simpler than using Firesheep. Couple of days ago, a friend of mine suggested me to login a most popular website and he demonstrated how he took control and accessed my user session in less than a minute. First, I thought he used a network protocol analyser tool such as Wireshark or… Read more »

Hardware Assisted Security: Cryptographic Acceleration for SOA and Java EE applications

I’ve spent the last few days attending Oracle OpenWorld conference at San Francisco..it is my second OOW experience, so it is not a surprise to see the conference was fully packed with people, hundreds of sessions and demos – I did have an opportunity to attend few and also present two sessions focused on Security topics featuring “Hardware Assisted Security… Read more »

Java Cryptography on Intel Westmere

      3 Comments on Java Cryptography on Intel Westmere

When it comes to Java cryptography based application security –  Solaris has significant performance advantage over Linux and Windows on Intel Westmere processor equipped servers.  I am not debunking Linux performance on Intel but evidently Linux does not take advantage of Intel Westmere’s AES-NI instructions when the Java applications relies on Java cryptographic implementations  for performing AES encryption/decryption functions.  AES is one of the most popular symmetric-key encryption algorithm widely… Read more »

Secure Java Coding Guidelines v3.0

      1 Comment on Secure Java Coding Guidelines v3.0

When it comes to application security,  Secure coding is the first line of defense….and it is very critical to follow the best practice patterns and avoid pitfalls to secure the application from known risks and vulnerabities. The Java Security team has just released the updated – “Secure Coding Guidelines for the Java Programming Language, Version 3.0” .  Certainly it included a newer set of… Read more »

Java EE 6: Web Application Security made simple !

Java EE 6 RI was released few weeks ago….I am bit late to have my first look 🙂  Without a doubt, the new Web container security enhancements are very compelling for any budding or experienced Java developer working on Web applications. The Java EE 6 has unveiled several new security features with ease of use and targetted for simplified Web… Read more »

Does your Performance Tests address Security ?

      2 Comments on Does your Performance Tests address Security ?

The untold reality is ….when your Web application on the DMZ hits the Internet… the colorful performance graphs/numbers does’nt mean anything !  Unless your performance guru in the lab captured the QoS requirements and realized it proactively and accounted its actual overheads associated with Security, Network bandwidth, High-availability and other mission-critical requirements.  Otherwise…performance is the nagging issue that every datacenter guy gnaws…. when an application… Read more »