How Java Developers Can Secure Their Code (#58)

Sep 28, 2024 | 55 min | Season 4 | Ep. 58

Episode description

Three years after Log4Shell caused a significant security incident, we still struggle with insecure dependencies and injection flaws. In this episode we discuss how developers can secure their code. I talked with three authors who each published a security or code quality post on Foojay.io.

Guests

    Jonathan Vila  
        https://www.linkedin.com/in/jonathanvila/ 
        https://about.me/jonathan.vila 
        https://twitter.com/jonathan_vila 

    Brian Vermeer
        https://www.linkedin.com/in/brianvermeer/ 
        https://brianvermeer.nl/ 
        https://twitter.com/BrianVerm 

    Erik Costlow  
        https://www.linkedin.com/in/costlow/  
        https://twitter.com/costlow  

Content

00:00 Introduction of topic and guests

01:35 Brian: Why is Log4Shell still around?
   https://foojay.io/today/the-persistent-threat-why-major-vulnerabilities-like-log4shell-and-spring4shell-remain-significant/  
03:24 Outdated dependencies are still used a lot
04:31 Who is responsible for dependency updates?
07:55 Snyk tools to help discover issues
10:15 Comparing to Dependabot
11:21 How to keep dependencies up-to-date
14:32 Responsibility to use dependencies with care
17:17 Looking forward to the JFall conference  
18:48 About Foojay  

19:49 Jonathan: Is SQL injection still a problem?
   https://foojay.io/today/top-security-flaws-hiding-in-your-code-right-now-and-how-to-fix-them/ 
24:50 Deserialization injection
27:30 Logging injection
31:22 Even experienced developers make mistakes
33:17 About Sonar tools
35:53 Other articles by Jonathan
   https://foojay.io/today/author/jonathan-vila/ 
   https://foojay.io/today/ensuring-the-right-usage-of-java-21-new-features/
38:20 Other security tools
   https://www.youtube.com/watch?v=-wVCYj8oQUY

39:47 Erik: Trash Pandas are attracted by unused code
   https://foojay.io/today/trash-pandas-love-enterprise-java-garbage-code/  
43:01 How bad are insecure but unused libraries?
45:16 Problem of code only used by unit tests
47:15 Testing in different layers (develop, test, production)
49:31 How much code is not used in production?
50:31 How code becomes unused
   https://foojay.io/today/foojay-podcast-57/

54:29 Conclusions
