Java Serialization: The Serial Killer

Abstract: This presentation provides developers with practical guidance for securely implementing Java Serialization. Java deserialization is an insecure language feature included in the OWASP Top 10 Application Security Risks – 2017. Serialization is widely used both directly by applications and indirectly by Java subsystems such as RMI (Remote Method Invocation), JMX (Java Management Extension), and JMS (Java Messaging System). The presentation will demonstrate how deserialization of untrusted streams can result in remote code execution (RCE), denial-of-service (DoS), and a range of other exploits. Applications can be vulnerable to these attacks even when no coding defects are present. This webinar explains and demonstrates these attacks and shows developers how to securely code their systems to support Java serialization.

In particular, participants will learn:
· How Java serialization/deserialization works
· How to determine if your systems are vulnerable to Java deserialization exploits
· How to use serialization filtering in Java 10 to mitigate vulnerabilities

Bio: Robert C. Seacord (@RCS) is a Technical Director at NCC Group and works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Robert is a renowned computer scientist and author, known as the “father of secure coding.” Previously, Seacord led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). Seacord is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University.
Seacord is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). Seacord is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.