Tuesday, December 29, 2015

Wide Open to Interpretation: Java

Duke has gotten a lot more hard-core lately - I'm worried he's a Trump supporter.

We do private classes sometimes, and the most requested class by far is the Java class, which we are also giving at INFILTRATE 2016. But just because something is "Java" doesn't make it easy. I did a re-read of the whole Wide Open: Java class today. In many slides we suggest using "mature frameworks", but of course, in the last section of the talk there is a note about the bugs in so-called "mature frameworks".

Here's the thing about maturity: It makes you more complex. That line makes me feel like I'm writing an entry on my dating blog, but the reality is that when I learned Java, a class was a class and XXE was not a thing. Ah, the good ol' days, when "Beans" were a brand new, hip technology and you were probably using Solaris.

Your modern Enterprise web application runs in a very different way, is audited in a very different way, and is being attacked by much more modern adversaries, some of whom we've hired to do commercial services for you and, of course, to teach you this class.

We knew you liked templates so we put an expressive templating system into your templates!

To sum up, "Mature Frameworks" are one small step from being "Legacy Frameworks", which are widely known to not be up to security standards. What this class does is go through modern Java, and how it's built today, from the standpoint of Immunity's professional auditing team. This is the exact same class we make our new consultants take, and it's excellent, and you can sign up today while there are still spots.
