Malicious Developers and Enterprise Java Rootkits - Revision history

Leeannehart at 15:23, 20 October 2009

2009-10-20T15:23:31Z

Jeff Williams at 15:04, 9 October 2009

2009-10-09T15:04:38Z

Jeff Williams at 15:03, 9 October 2009

2009-10-09T15:03:21Z

Jeff Williams: moved Fox in the Henhouse: Java Rootkits to Malicious Developers and Enterprise Java Rootkits

2009-10-09T14:57:50Z

moved Fox in the Henhouse: Java Rootkits to Malicious Developers and Enterprise Java Rootkits

Mark.bristow: /* The speaker */

2009-08-21T00:49:07Z

‎The speaker

Mark.bristow: /* The speaker */

2009-08-21T00:43:24Z

‎The speaker

Jeremy.long: Created page with '== The presentation == rightHow much would it cost to convince a developer to insert a few special lines of Java in your application? Would you …'

2009-08-04T00:02:51Z

Created page with '== The presentation == rightHow much would it cost to convince a developer to insert a few special lines of Java in your application? Would you …'

New page

== The presentation ==

[[Image:Owasp_logo_normal.jpg|right]]How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once. This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk.

== The speaker ==

Jeff Williams has specialized in information security since 1989 and has published numerous papers focused on practical risk and assurance techniques. Jeff has been writing code for 25 years in many different environments but has focused primarily on Java and J2EE security for the past 10 years. Jeff is a primary author of the OWASP Top 10 Web Application Security Vulnerabilities and the OWASP Secure Software Development Contract Annex, and he leads several OWASP projects. He also chaired the group responsible for creating ISO 21827, the Systems Security Engineering Capability Maturity Model (SSE-CMM).

[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]

@@ Line 1: / Line 1: @@
 == The presentation  ==
-[[Image:Owasp_logo_normal.jpg|right]]How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
+[[Image:JeffWilliams2.jpg|200px|thumb|right|Jeff Williams]]How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
 This technical talk will examine some of the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk.

@@ Line 8: / Line 8: @@
 == The speaker  ==
-Jeff Williams is the founder and CEO of [http://www.aspectsecurity.com/ Aspect Security], specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the [http://www.owasp.org/ Open Web Application Security Project (OWASP)]. He has made extensive contributions to the application security community through OWASP, including writing the [[topten|Top Ten]], [[WebGoat]], [[legal|Secure Software Contract Annex]], [[ESAPI|Enterprise Security API]], [[OWASP Risk Rating Methodology]], and starting the worldwide [[chapters|local chapters program]]. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.
+'''[[User:Jeff Williams|Jeff Williams]]''' is the founder and CEO of [http://www.aspectsecurity.com/ Aspect Security], specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the [http://www.owasp.org/ Open Web Application Security Project (OWASP)]. He has made extensive contributions to the application security community through OWASP, including writing the [[topten|Top Ten]], [[WebGoat]], [[legal|Secure Software Contract Annex]], [[ESAPI|Enterprise Security API]], [[OWASP Risk Rating Methodology]], and starting the worldwide [[chapters|local chapters program]]. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.
 [[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]

@@ Line 4: / Line 4: @@
 == The speaker  ==
-Jeff Williams is the founder and CEO of Aspect Security, specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). He has made extensive contributions to the application security community through OWASP, including writing the Top Ten, WebGoat, Secure Software Contract Annex, Enterprise Security API, OWASP Risk Rating Methodology, and starting the worldwide local chapters program. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.
+Jeff Williams is the founder and CEO of [http://www.aspectsecurity.com/ Aspect Security], specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the [http://www.owasp.org/ Open Web Application Security Project (OWASP)]. He has made extensive contributions to the application security community through OWASP, including writing the [[topten|Top Ten]], [[WebGoat]], [[legal|Secure Software Contract Annex]], [[ESAPI|Enterprise Security API]], [[OWASP Risk Rating Methodology]], and starting the worldwide [[chapters|local chapters program]]. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.
 [[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]

← Older revision	Revision as of 14:57, 9 October 2009
(No difference)