Tuesday, December 29, 2015

Wide Open to Interpretation: Java

Duke has gotten a lot more hard-core lately - I'm worried he's a Trump supporter.

We do private classes sometimes, and the most requested class by far is the Java class, which we are also giving at INFILTRATE 2016. But just because something is "Java" doesn't make it easy. I did a re-read of the whole Wide Open: Java class today. In many slides we suggest using "mature frameworks", but of course, in the last section of the talk there is a note about the bugs in so-called "mature frameworks".

Here's the thing about maturity: It makes you more complex. That line makes me feel like I'm writing an entry on my dating blog, but the reality is that when I learned Java, a class was a class and XXE was not a thing. Ah, the good ol' days, when "Beans" were a brand new, hip technology and you were probably using Solaris.

Your modern Enterprise web application runs in a very different way, and is audited in a very different way, and is being attacked by much more modern adversaries, some of whom we've hired to do commercial services for you, and of course, teach you this class.

We knew you liked templates so we put an expressive templating system into your templates!
To sum up, "Mature Frameworks" are one small step from being "Legacy Frameworks", which are widely known to not be up to security standards. What this class does is go through modern Java, and how it's built today, from the standpoint of Immunity's professional auditing team. This is the exact same class we make our new consultants take, and it's excellent, and you can sign up today while there are still spots.

Monday, December 28, 2015

Wide Open to Interpretation: PHP

We're teaching a 2 day class at INFILTRATE this year on PHP and another one on Java. Both of them are linked, but in fact cover very different concepts. My main point is this: Just because you don't use PHP at your company doesn't mean you don't use PHP-like technologies. The deserialization issues PHP had last year, Java has this year. Getting ahead in software security means cross-training where possible.
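To make the "PHP had it last year" point concrete, here is an added example (written for this post, not taken from the class slides) of the classic PHP object-injection sink, next to a hardened version. The class name `CacheEntry`, the cookie handling, the file path and the HMAC key are all assumptions for the demo; nothing here is pulled from a specific product.

```php
<?php
// Added example (not from the Wide Open: PHP slides). Class, cookie format,
// path and key are assumptions chosen for the demonstration.

// An ordinary application class with a "magic" method. Nothing about it is
// wrong on its own; the problem is who gets to instantiate it.
class CacheEntry {
    public $path;
    public $data;
    public function __destruct() {
        // Runs whenever an instance is garbage-collected.
        @file_put_contents($this->path, $this->data);
    }
}

// Vulnerable: attacker-controlled bytes reach unserialize(), so the attacker
// chooses the class and every property. __destruct() fires on the attacker's
// object even though the app never meant to build a CacheEntry here.
function load_prefs_vulnerable(string $cookie) {
    return unserialize(base64_decode($cookie));
}

// Hardened: (1) only accept data the server itself produced, checked with an
// HMAC before parsing; (2) even then, never let the parser create objects.
// json_decode(..., true) returns arrays/scalars only. If unserialize() must
// stay, unserialize($body, ['allowed_classes' => false]) (PHP 7+) has the
// same effect: no class is instantiated, so no magic methods run.
function load_prefs_hardened(string $cookie, string $key) {
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw, 2);          // format: <hex mac>|<json body>
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $body) = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null;                         // not ours: reject before parsing
    }
    $prefs = json_decode($body, true);
    return is_array($prefs) ? $prefs : null;
}

// Constructed attacker payload: a serialized CacheEntry with attacker-chosen
// path and contents (lengths in the s:N: fields match the strings).
$payload = base64_encode(
    'O:10:"CacheEntry":2:{s:4:"path";s:17:"/tmp/injected.txt";'
    . 's:4:"data";s:16:"object injection";}'
);

$obj = load_prefs_vulnerable($payload);
var_dump(get_class($obj));   // string(10) "CacheEntry": the attacker picked the class
unset($obj);                 // __destruct() runs now and /tmp/injected.txt is written

var_dump(load_prefs_hardened($payload, 'server-secret')); // NULL: rejected, no object ever built
```

The Java analogue the post alludes to is the same shape: an `ObjectInputStream.readObject()` on untrusted bytes lets the caller choose which classes get constructed, and whatever their `readObject`/`finalize`-style hooks do runs on the attacker's behalf. The fix has the same two halves in both languages: authenticate the blob before parsing it, and parse with something that cannot instantiate arbitrary types.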

It's also true that auditing PHP apps never goes out of style. Everyone uses PHP apps, just as everyone eats fries, no matter how vegan.

So what are you going to learn if you come to INFILTRATE and take the class? Here are some slides.

We've of course cut our sample target code down to show basic concepts but each is pulled from an impactful vulnerability.

PHP bugs can be deceptively simple at first.

One hint that the researcher was wrong is that we include them in our slides. :)

In any case - you should sign up for the class before it fills up, as it invariably does RIGHT BEFORE EVERYONE WANTS TO SIGN UP. But we cannot add more seats last minute. So a little prep-time is all I'm asking for this year. :)