Why JEP 411 Will Have a Negative Impact on Java Security

This page summarizes the projects mentioned and recommended in the original post on reddit.com/r/java

  • ysoserial

    A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

    I think a mistake many people make is they assume it's for untrusted code or applets or something along those lines, but this completely ignores access controls; besides, signed applets were given AllPermission, which was just nuts in my opinion. If you read Li Gong's book "Inside Java 2 Platform Security, Second Edition", he informs the reader that remote data which has the capability to modify state should be treated the same as code; when you take that perspective, it means that Java Serialization and XML parsers should have had an unprivileged domain placed onto the call stack to represent untrusted data. Java Serialization was designed a long time ago; I noticed even tonight a new gadget attack was posted against Java Serialization. https://github.com/frohoff/ysoserial/commit/d367e379d961c18bff28fd2c888a2c8fe0dc6e63#commitcomment-51212711

  • JDK

    JDK main-line development https://openjdk.org/projects/jdk

  • JGDMS

    Infrastructure for providing secured microservices that are dynamically discoverable and searchable over IPv6 networks.

    Sun Microsystems policy tool
