Description: Java projects typically include and package their own set of JAR files, often using build systems such as maven to accomplish this. This means the operating system's package manager cannot be relied upon to update dependencies with security patches; each project must ensure it is including secure versions independently. Unsurprisingly, most projects do an appalling job of this. When a security patch is released for an upstream dependency, projects using it can take many months to start including it. That's for open source projects - who knows about proprietary or in-house projects, it is probably even worse. To combat this, I'm currently working on three initiatives that will be outlined by this talk:
jboss-manifest: a JAR manifest generator that recursively unpacks projects distributed as zip files to generate a text and SQL-based manifest of their packaged JARs
victims database: a canonical database of known-vulnerable JARs, identified by sha-512 fingerprints and linked to CVE IDs
maven-victims: a maven plugin to detect known-vulnerable JARs at build time based on the victi.ms database
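The three pieces above fit together as: unpack an archive recursively, fingerprint every packaged JAR with SHA-512, and look each fingerprint up in a database keyed on that digest. The following is an added illustration of that pipeline, not code from jboss-manifest, victi.ms or maven-victims; the archives, the "victims" table and the CVE ID in it are all constructed placeholders.

```python
"""Added example: recursive JAR manifest plus victims-style SHA-512 lookup (not the projects' code)."""
import hashlib
import io
import zipfile


def make_jar(entries):
    """Build an in-memory JAR (a zip) from {path: bytes}; only used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest(archive_bytes, prefix=""):
    """Recursively walk a zip and yield (path, sha512-hex) for every .jar found at any depth.

    JARs, WARs and EARs are zips themselves, so they are descended into as well; a nested
    entry is addressed as outer.zip!/inner.jar, mirroring the usual nested-archive notation.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            data = zf.read(info)
            if path.lower().endswith(".jar"):
                yield path, hashlib.sha512(data).hexdigest()
            if path.lower().endswith((".jar", ".zip", ".war", ".ear")) and zipfile.is_zipfile(io.BytesIO(data)):
                yield from manifest(data, path + "!/")


def scan(archive_bytes, victims_db):
    """Return [(path, sha512-hex, cve)] for packaged JARs whose fingerprint is in the victims DB."""
    return [(p, h, victims_db[h]) for p, h in manifest(archive_bytes) if h in victims_db]


# Constructed sample data: a "vulnerable" JAR, a clean JAR, and a distribution zip that nests
# the vulnerable one inside a second zip. The CVE ID is a placeholder, not a real identifier.
VULN_JAR = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "a/Old.class": b"\xca\xfe\xba\xbe old"})
CLEAN_JAR = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "a/New.class": b"\xca\xfe\xba\xbe new"})
VICTIMS_DB = {hashlib.sha512(VULN_JAR).hexdigest(): "CVE-0000-0000 (placeholder)"}
DIST_ZIP = make_jar({
    "lib/clean.jar": CLEAN_JAR,
    "modules/inner.zip": make_jar({"lib/old.jar": VULN_JAR}),
})

if __name__ == "__main__":
    for path, digest, cve in scan(DIST_ZIP, VICTIMS_DB):
        print(f"{path}: {cve} (sha512 {digest[:16]}...)")
```

A build-time plugin would run the same lookup over the resolved dependency set and fail the build on any hit; a byte-exact fingerprint means a rebuilt or repackaged copy of a vulnerable JAR will not match, which is why the database must be populated from the artifacts actually distributed.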
DAVID JORM BIO
David is the lead security response engineer for Red Hat's middleware division. He has worked on security response, documentation, hotel reservation systems, climate forecasting, OCR, AI and mental health. He studies math and geography part time.
Tags: securitytube, hacking, hackers, information security, convention, computer security, ruxcon-2012
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.