How Java Developers Can Secure Their Code (#58)

Foojay.io, the Friends Of OpenJDK! - A podcast by Foojay.io

Three years after Log4Shell caused a significant security issue, we still struggle with insecure dependencies and injection problems. In this podcast, we discuss how developers can secure their code. I talked with three authors who each posted a security and code quality article on Foojay.io.

Guests:

Jonathan Vila
    https://www.linkedin.com/in/jonathanvila/
    https://about.me/jonathan.vila
    https://twitter.com/jonathan_vila

Brian Vermeer
    https://www.linkedin.com/in/brianvermeer/
    https://brianvermeer.nl/
    https://twitter.com/BrianVerm

Erik Costlow
    https://www.linkedin.com/in/costlow/
    https://twitter.com/costlow

Content:

00:00 Introduction of topic and guests
01:35 Brian: Why is Log4Shell still around?
    https://foojay.io/today/the-persistent-threat-why-major-vulnerabilities-like-log4shell-and-spring4shell-remain-significant/
03:24 Outdated dependencies are still used a lot
04:31 Who is responsible for dependency updates?
07:55 Snyk tools to help discover issues
10:15 Comparing to Dependabot
11:21 How to keep dependencies up-to-date
14:32 Responsibility to use dependencies with care
17:17 Looking forward to the JFall conference
18:48 About Foojay
19:49 Jonathan: Is SQL injection still a problem?
    https://foojay.io/today/top-security-flaws-hiding-in-your-code-right-now-and-how-to-fix-them/
24:50 Deserialization injection
27:30 Logging injection
31:22 Even experienced developers make mistakes
33:17 About Sonar tools
35:53 Other articles by Jonathan
    https://foojay.io/today/author/jonathan-vila/
    https://foojay.io/today/ensuring-the-right-usage-of-java-21-new-features/
38:20 Other security tools
    https://www.youtube.com/watch?v=-wVCYj8oQUY
39:47 Erik: Trash Pandas are attracted by unused code
    https://foojay.io/today/trash-pandas-love-enterprise-java-garbage-code/
43:01 How bad are insecure but unused libraries?
45:16 Problem of code only used by unit tests
47:15 Testing in different layers (development, test, production)
49:31 How much code is not used in production?
50:31 How code becomes unused
    https://foojay.io/today/foojay-podcast-57/
54:29 Conclusions