recent meetings
03/03/10: "Boost Your Hibernate and Application Performance" by Greg Luck
01/26/10: "Scaling the Cloud" by Kirk Spadt
12/02/09: "Character Sets, Encodings, Java and Other Headaches" by Brian Clapper
11/04/09: "Protecting Java Code" by Mike Dulaney
10/14/09: "Are You Covered" by Keith Gregory
"Protecting Java Code" by Mike Dulaney
Sponsored by Arxan
Abstract:
While Java offers an efficient framework for developing and deploying enterprise and Web 2.0 server- or client-side applications, it also presents many security risks. Perhaps chief among those risks is that Java’s bytecode contains highly detailed metadata, which makes compiled applications quite easy to reverse engineer, tamper with and pirate.
In our discussion we will consider and demonstrate some of the vulnerabilities and risks that threaten Java applications. These threats consist of:
• Easy decompilation
– Hackers can quickly decompile your bytecode with free or low-cost Java decompilers that process bytecode to produce readable source code, which they modify to implement hacks or create counterfeits
• Reverse engineering
– After download to the client, an attacker can reverse engineer a bytecode file and decompile the code for IP theft or to bypass critical routines
• Bypass critical routines
– Thick-client patches that bypass authentication logic or exploit restricted functionality, enabling attacks on the server
• Key and credential theft
– Secret keys or authentication credentials are simply identified, and can then be abused to launch server attacks
We will also discuss protection tools you can use when assessing or implementing Java application security.
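The first and last threats above (easy decompilation, key and credential theft) come down to one property of the class-file format: class, field and method names, type descriptors and every string literal sit in the constant pool in the clear, so no decompiler is even needed to find a hard-coded key. The script below is an added example for this page, not code from the talk or from Arxan's tooling: it parses a .class file's constant pool and member tables, lists every string literal, and flags credential-looking ones. The class it assembles in build_sample_class (com/example/LicenseCheck, the API_KEY field, the sk_live_... value and the license.example.com URL) is hand-built and fictitious; pass it a path to any real .class file to see the same information for compiled code.

```python
"""List what a decompiler gets for free from a Java .class file: class, field and
method names, type descriptors, and every string literal (where hard-coded keys go)."""
import re
import struct
import sys

# Constant-pool tags (JVM spec 4.4) -> byte size of the fixed payload. Tag 1 (Utf8) is
# variable-length; tags 5 and 6 (Long, Double) occupy two consecutive pool slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
_SECRET_HINT = re.compile(r"(?i)key|secret|passw|token|credential|^sk_|^AKIA")

class ClassFile:
    def __init__(self, data):
        self.data, self.pos = data, 0
        if self._read("I") != 0xCAFEBABE:
            raise ValueError("not a class file: bad magic")
        self.minor, self.major = self._read("H"), self._read("H")
        self.pool = self._read_pool()
        self.access_flags = self._read("H")
        self.this_class = self.class_name(self._read("H"))
        self.super_class = self.class_name(self._read("H"))
        self.interfaces = [self.class_name(self._read("H")) for _ in range(self._read("H"))]
        self.fields = self._read_members()     # (access_flags, name, descriptor) triples
        self.methods = self._read_members()

    def _read(self, fmt):
        (v,) = struct.unpack_from(">" + fmt, self.data, self.pos)
        self.pos += struct.calcsize(">" + fmt)
        return v

    def _read_pool(self):
        count = self._read("H")
        pool, i = [None] * count, 1            # slot 0 is never used by the JVM
        while i < count:
            tag = self._read("B")
            if tag == 1:                       # u2 length + (modified) UTF-8 bytes
                n = self._read("H")
                pool[i] = (tag, self.data[self.pos:self.pos + n].decode("utf-8", "replace"))
                self.pos += n
            elif tag in _FIXED:
                pool[i] = (tag, self.data[self.pos:self.pos + _FIXED[tag]])
                self.pos += _FIXED[tag]
            else:
                raise ValueError("unknown constant pool tag %d at #%d" % (tag, i))
            i += 2 if tag in (5, 6) else 1     # Long/Double: slot i+1 stays empty
        return pool

    def utf8(self, idx):
        tag, val = self.pool[idx]
        assert tag == 1, "pool #%d is not CONSTANT_Utf8" % idx
        return val

    def class_name(self, idx):
        tag, payload = self.pool[idx]
        assert tag == 7, "pool #%d is not CONSTANT_Class" % idx
        return self.utf8(struct.unpack(">H", payload)[0])

    def _read_members(self):
        members = []
        for _ in range(self._read("H")):
            flags, name, desc = self._read("H"), self.utf8(self._read("H")), self.utf8(self._read("H"))
            for _ in range(self._read("H")):   # skip attributes (Code, ConstantValue, ...)
                self._read("H")
                self.pos += self._read("I")
            members.append((flags, name, desc))
        return members

    def strings(self):                         # every CONSTANT_String = every quoted literal
        return [self.utf8(struct.unpack(">H", e[1])[0]) for e in self.pool if e and e[0] == 8]

def suspicious_literals(cf):
    """Literals worth a second look: credential-like words, or long opaque tokens."""
    return [s for s in cf.strings()
            if _SECRET_HINT.search(s) or (len(s) >= 20 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", s))]

def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

def build_sample_class():
    """Hand-assembled, minimal class file for this example (not javac output): the on-disk
    shape of a class holding a hard-coded API key (fake) and a licence-server URL."""
    pool = [_utf8("com/example/LicenseCheck"), b"\x07\x00\x01",                # 1, 2
            _utf8("java/lang/Object"), b"\x07\x00\x03",                         # 3, 4
            _utf8("sk_live_0123456789abcdef0123"), b"\x08\x00\x05",            # 5, 6
            _utf8("API_KEY"), _utf8("Ljava/lang/String;"),                     # 7, 8
            _utf8("verifyLicense"), _utf8("(Ljava/lang/String;)Z"),            # 9, 10
            _utf8("https://license.example.com/activate"), b"\x08\x00\x0b",    # 11, 12
            b"\x05" + struct.pack(">Q", 0x0123456789ABCDEF)]                   # 13 (+14) Long
    data = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, 15) + b"".join(pool)       # count = slots + 1
    data += struct.pack(">HHHH", 0x0021, 2, 4, 0)       # ACC_PUBLIC|ACC_SUPER, this, super, 0 ifaces
    data += struct.pack(">HHHHH", 1, 0x001A, 7, 8, 0)   # 1 field:  private static final API_KEY
    data += struct.pack(">HHHHH", 1, 0x0009, 9, 10, 0)  # 1 method: public static verifyLicense
    return data + struct.pack(">H", 0)                  # no class-level attributes

if __name__ == "__main__":   # python classdump.py [Foo.class]; defaults to the built-in sample
    cf = ClassFile(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_class())
    print(cf.this_class, cf.fields, cf.methods, cf.strings(), suspicious_literals(cf))
```

Two details matter in practice. Long and Double entries occupy two pool slots, so a parser that steps one index per entry mis-reads every constant after the first one; the sample deliberately includes a Long so that this path is exercised. And identifier renaming by an obfuscator leaves these string literals untouched, which is why a hard-coded key survives renaming and has to be handled separately (string encryption, or better, not shipping the secret in the client at all).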
Speaker Bio:
Mike Dulaney joined Arxan in 2003 as a Software Security Analyst participating in and managing government-funded research studies to measure the effectiveness of software security. Mr. Dulaney is now part of Arxan’s commercial sales organization as a Security Architect, a role in which he has contributed in a variety of functional areas: Technical Pre-Sales, Technical Support, Management, Rapid Prototyping, Security Forensics, and Threat Modeling. Previously, Mr. Dulaney performed application security research and development throughout all stages of the application security lifecycle. He also helped bootstrap Arxan’s GuardIT product by designing and developing product security features and playing a key role in enabling support for new compilers and languages. Mr. Dulaney earned a B.S. in Computer Science from Purdue University before completing post-graduate M.B.A. coursework at Purdue’s Krannert Graduate School of Management.
