security

Security in Jakarta EE has long been under-used and under-specified. Existing specifications ranged from overly complex to non-existent. The result: few people used security standards. Java EE 8 changed that with JSR 375. Its evolution Jakarta Security facilitates portable application security integrated with container security. Allowing applications to treat authentication mechanisms like OAuth or OpenID Connect same as built-in container mechanisms like FORM or container-based access to a URL and features like @RolesAllowed and isUserInRole automatically work as expected.

Experience level:

Beginner

Cloud Native Technologies

Application Hardening for MicroProfile and Jakarta EE

Jamie Coleman (IBM)

Steve Poole

In these times of rising cyber attacks it’s imperative that every developer understands the basics about secure software design. In this session we’ll examine how attacks can happen and how you should use your Java and MicroProfile skills to counter the threat.

We will take you from the theory of attacks through to the code and configuration that helps defend against them. With both general advice and specific guidance this talk will help you become better prepared to deal with the new realities of cybercrime.

Experience level:

Beginner

All Things Quality & Security

What goes into creating a high-quality Operating System?

Amit Kucheria (Huawei Technologies Co., LTD.)

Imagine a small team working on an embedded device - it could be a simple light bulb, a security alarm, a set top box or an internet gateway. Their mission is to ship their application on this device. Typically, this team juggles their time between implementing their core application with bringing up a BSP, cobbling together an OTA solution to allow future updates, managing their CI pipeline and “implementing security”.

Experience level:

Intermediate

All Things Quality & Security

Log4J, SpringShell and all that Jazz (or why bad things can happen to good software)

Steve Poole

Meet the new, nastier brother of cyber crime: Cyberwarfare, It changes everything about how and why our software is attacked. This session will educate you on what's happening, why we're heading for a new reality of constant and sophisticated software supply chain attacks and what Log4Shell and others teach us about why our attitudes and approach to security must change

Experience level:

Beginner

All Things Quality & Security

Yocto Vs Compliance Vs Security. A Mexican Standoff?

Carlo Piana (Array)

Alberto Pianon (Partner, Array)

How to start worrying and do Software Composition Analysis in a complex YOCTO project.

Experience level:

Beginner

All Things Quality & Security

How I Learned to Stop Worrying and Love the SBOM

Shelley Lambert (Red Hat, Inc.)

Would you eat something where you didn't know the ingredients? Likely not. Then why are you building or running software where you have no idea what is in it? A Software Bill of Materials (SBOM) is an essential artifact that helps 'make known' the dependencies and inputs of a piece of software, essentially an SBOM tells you the ingredients of the software. Do not worry if you have never heard of an SBOM, this presentation will give you both a good understanding of what it is, but also how it can be leveraged. Beyond describing the purpose and value of an SBOM and how it fits into an ov

Experience level:

Beginner

All Things Quality & Security

Security Vulnerabilities for Java Developers

Brian Demers (Other)

Ever seen a security-related issue that you felt should be reported? Unsure of how reporting a security issue is different than a regular bug? Developers of any level should know how to report a vulnerability. In this talk, we will talk about what CVEs are, some general vulnerability classifications, look at a few ways you can report security issues, as well as look at a few common mistakes.

Experience level:

Beginner

All Things Quality & Security

Taking dependency management to the next level with call graphs!

Antoine Mottier (OW2)

Software dependencies can be viewed as graph that only get bigger as software evolved. This lead to multiple challenging situations related to security, quality, licensing and more. Today tools are great but more accurate tools such as FASTEN are under development. Join me to learn how the current dependency management tool are evolving to cope with the growing complexity of software development.

Experience level:

Beginner

All Things Quality

Jakarta EE Security - Sailing Safe in Troubled Waters

Werner Keil (Self Employed)

Ivar Grimstad (Eclipse Foundation)

Security in Jakarta EE has long been under used and under specified. The existing set of specifications ranged from overly complex to non-existent. The result was almost nobody used standards for security. Java EE 8 changed that with JSR 375, the Java EE Security API. Its evolution Jakarta Security facilitates portable application security that integrates with container security. Allowing an application to provide authentication mechanisms like OAuth or OpenID Connect and that mechanism is treated just like built-in container mechanisms like FORM.

Experience level:

Beginner

Cloud Native Technologies

Vulnerability data about open-source software should be open too!

Henrik Plate (SAP SE)

Serena Ponta (SAP SE)

Antonino Sabetta (SAP SE)

When running Eclipse Steady internally at SAP, serving thousands of distinct teams and conducting 250k+ scans per month, we spent a substantial amount of time mining source code repositories and curating a knowledge base of so called fix-commits (which are the commits that fix known vulnerabilities). Such information is the fuel of Eclipse Steady and it needs to be continuously harvested.

Experience level:

Beginner

The Open Source Way