Product Security at Microsoft
Dublin, IE
Joined Dec 2016
Stats
Reputation: 1298
Pageviews: 119.6K
Articles: 5
Comments: 4
Expertise
Security
Articles
Refcards
Identity and Access Management
Threat Modeling
Trend Reports
Enterprise Security
This year has seen a rise in the sophistication and nuance of approaches to security that far surpasses the years prior, with software supply chains at the top of that list. Each year, DZone investigates the state of application security, and our global developer community is seeing both more automation and solutions for data protection and threat detection as well as a more common security-forward mindset that seeks to understand the Why. In our 2023 Enterprise Security Trend Report, we dive deeper into the greatest advantages and threats to application security today, including the role of software supply chains, infrastructure security, threat detection, automation and AI, and DevSecOps. Featured in this report are insights from our original research and related articles written by members of the DZone Community. Read on to learn more!
Enterprise Application Security
Data breaches, ransomware attacks, and other security vulnerabilities have become the norm in recent years. Hackers have become shrewder. And with that, development teams bear the responsibility of ensuring that all stages of the SDLC have strong security. DZone's 2022 Trend Report, Enterprise Application Security: Building Secure and Resilient Applications, focuses on key factors of security practices including supply chain security, principles of zero-trust security, how to secure mobile applications, common DevSecOps practices, and what to do after your organization experiences a security breach. Our research dives into sentiments on perceived application security risks, development techniques for securing applications, and where the role of security lies for teams within today's organizational structures. The goal of this Trend Report is to equip developers with the tools, best practices, and advice they need to help implement security at every stage of the SDLC.
Comments
Jan 17, 2018 · Michael Tharrington
Hi Jürgen,
I agree that Oracle's advisories and release notes are often confusing.
However, Oracle's security advisory seems correct to me regarding the referenced Java releases. The security advisory references 8u151/152 because these are the affected versions.
Aug 09, 2017 · David Shilman
Very good points! I completely agree.
Mar 21, 2017 · Michael Tharrington
Hi Fred. You are missing the point of what "simple" and "quick" mean in the enterprise world, and you fail to understand that your filter uses a heuristic approach that can produce false positives and negatives. Case in point: S2-046 and its variations.
Mar 20, 2017 · Michael Tharrington
I would argue that this cannot be considered a "quick" nor a proper solution.
1) Your code does not compile using Struts 2.5.x. Effort and time are needed to make it compile successfully.
2) Your code contains code quality issues such as unused constants (UNAVAILABLE_PAGE).
3) Your code introduces an unnecessary third-party dependency for logging.
4) Your filter redirects to a custom URL that has to exist in each web application. This requires knowledge of the file structure of each web app and introduces another dependency on a new HTML file.
5) Why is your filter adding unnecessary response headers that seem to have no relation to the mitigation of these exploits? This demonstrates that anyone who decides to mitigate the problem using untrusted patches from the Internet must perform a thorough source code review.
6) Your solution requires a) source code changes b) recompilation c) configuration changes d) retesting e) redeployment f) service restart. This is the definition of not a "quick solution" and it is the opposite of the "push button" solution that enterprise organizations with hundreds / thousands of apps require.
7) Your filter does very basic pattern matching. This is a heuristic approach that might mitigate some payloads but might permit others. It can generate false positives or negatives. It might break some apps that depend on custom content types, or content types that your filter might consider harmful. Your filter needs to be thoroughly tested for each app before it gets deployed.
8) Your filter filters only the Content-Type header. If the payload comes from another entry point, then it will fail to mitigate. Case in point, the brand-new vulnerability that was just disclosed: http://struts.apache.org/docs/s2-046.html
9) Why not just change the multipart parser, which seems easier and is recommended by Apache, instead of introducing your filter?
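The following is an added illustration of points 7 and 8 above; it is not code from the comment thread, from Fred's filter, or from Apache Struts. It models a "quick fix" servlet filter as a single pattern match on the Content-Type header and runs it against four constructed requests. The regex is an assumed stand-in for such heuristic rules; the attack markers are placeholder strings, not working payloads. The JSON-LD `profile` parameter is a real content type that legitimately contains a `#`, and the multipart part's Content-Disposition filename is the entry point S2-046 uses, which a Content-Type-only filter never looks at.

```python
"""Why a Content-Type-only pattern filter is a heuristic, not a fix.

All requests below are constructed for this illustration. The "attack" strings are
placeholder markers only; they are not working OGNL payloads.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed stand-in for a quick-fix rule: reject a Content-Type that "looks like OGNL"
# (expression openers or a '#', which S2-045 payloads use heavily).
SUSPICIOUS = re.compile(r"%\{|\$\{|#")


@dataclass
class Part:
    """One body part of a multipart/form-data request, as the server-side parser sees it."""
    content_disposition: str
    body: bytes = b""


@dataclass
class Request:
    name: str
    headers: Dict[str, str]
    parts: List[Part] = field(default_factory=list)
    is_attack: bool = False  # constructed ground truth for the illustration


def content_type_filter_blocks(req: Request) -> bool:
    """The filter under discussion: inspects only the Content-Type header."""
    return bool(SUSPICIOUS.search(req.headers.get("Content-Type", "")))


def parser_inputs(req: Request) -> List[str]:
    """Every header value the multipart parser interprets: the top-level Content-Type
    plus each part's Content-Disposition. The filter above sees only the first."""
    return [req.headers.get("Content-Type", "")] + [p.content_disposition for p in req.parts]


def classify(req: Request) -> str:
    """Outcome of the filter against the request's ground-truth label."""
    blocked = content_type_filter_blocks(req)
    if blocked and req.is_attack:
        return "true positive"
    if blocked and not req.is_attack:
        return "false positive"
    if not blocked and req.is_attack:
        return "false negative"
    return "true negative"


# Constructed sample traffic.
SAMPLES = [
    Request("plain-json", {"Content-Type": "application/json"}),
    # Legitimate JSON-LD request: the profile URI carries a '#', so the heuristic trips on it.
    Request("json-ld-profile",
            {"Content-Type": 'application/ld+json; profile="http://www.w3.org/ns/json-ld#compacted"'}),
    # S2-045 style: the expression is carried in Content-Type itself (placeholder marker).
    Request("s2-045-style",
            {"Content-Type": "%{(#marker='placeholder-not-a-payload')}"}, is_attack=True),
    # S2-046 style: Content-Type is clean; the marker rides in a part's Content-Disposition filename.
    Request("s2-046-style",
            {"Content-Type": "multipart/form-data; boundary=----Boundary1"},
            parts=[Part('form-data; name="upload"; filename="%{(#marker=\'placeholder\')}.txt"',
                        b"hello")],
            is_attack=True),
]


def evaluate(samples: List[Request] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to the filter's outcome."""
    return {req.name: classify(req) for req in samples}


def unseen_marker(req: Request) -> bool:
    """True when a marker exists in parser input the Content-Type filter never inspects."""
    return (not content_type_filter_blocks(req)
            and any(SUSPICIOUS.search(v) for v in parser_inputs(req)[1:]))


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:16s} -> {outcome}")
    print("s2-046-style marker visible to the parser but not the filter:",
          unseen_marker(SAMPLES[3]))
```

Running it gives one true negative, one false positive (the JSON-LD profile), one true positive (S2-045 style) and one false negative (S2-046 style): exactly the two failure modes the comment describes. Broadening the regex does not fix this; the only robust layer is the multipart parser itself, which is why the comment points to Apache's recommendation to replace it rather than to filter headers in front of it.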