Stranger Danger: Your Java Attack Surface Just Got Bigger
The biggest threat to your Java app isn't your code; it's your dependencies. See live hacks exploiting vulnerabilities like Log4Shell before they hit you.
#1 (about 3 minutes)
How developers can become malware distribution vehicles
The event-stream incident illustrates how attackers can inject malware into popular open source packages by gaining maintainer trust.
#2 (about 1 minute)
Understanding your application's true composition
Applications are composed of 80-90% open source code, making dependency security a critical concern for developers.
#3 (about 1 minute)
When attackers target the developer's own tools
A command injection flaw in a popular VS Code repository shows how CI/CD pipelines and development tools can become attack vectors.
#4 (about 4 minutes)
The challenge of unfixed vulnerabilities in open source
A cross-site scripting (XSS) vulnerability in a popular markdown parser remained unpatched for a year, highlighting the risks of relying on unmaintained packages.
#5 (about 6 minutes)
Human factors in open source supply chain risk
Weak credentials on maintainer accounts, long-hidden bugs like the sudo vulnerability, and maintainers unpublishing their own packages (colors.js, faker.js) create significant ecosystem risks.
#6 (about 8 minutes)
Anatomy of the Log4Shell (Log4j) vulnerability
Log4Shell allows remote code execution (RCE) by manipulating log messages, demonstrating how a ubiquitous logging library can become a critical security failure.
#7 (about 13 minutes)
Live hack: Bypassing sanitization with type confusion
This demo shows how an Express.js application's XSS sanitization can be bypassed by passing an array instead of a string, causing a type confusion vulnerability.
#8 (about 11 minutes)
Live hack: Recreating the Apache Struts vulnerability
A demonstration of a remote code execution (RCE) vulnerability in an older version of Apache Struts, similar to the one that led to the Equifax breach.
#9 (about 30 minutes)
Hands-on lab: Executing a Log4Shell exploit
A step-by-step walkthrough of exploiting the Log4Shell vulnerability by setting up a malicious server and a vulnerable client to achieve remote code execution.
#10 (about 8 minutes)
How to shift left with a security champions program
To manage modern security risks, organizations should adopt a 'shift left' mindset and empower developers through a structured security champions program.
#11 (about 27 minutes)
Q&A on social engineering and a career in security
The speaker answers audience questions about social engineering, the role of QA in security, and her personal career path from developer to cybersecurity leader.