Webinar: Java Serialization security issues
Welcome to OWASP Bay Area's YouTube!
Enjoy these talks from the September meetup of OWASP Bay Area. For more details about past and upcoming meetups, visit the Meetup page: https://www.meetup.com/Bay-Area-OWASP
To contribute to Hacker Thursday via speakers or venues, email us at owaspht[at]gmail[dot].com
----------------------------------
Storing and transmitting structured data between components has been a constant challenge, especially when the data is represented by complex objects. While there is a large variety of serialization technologies available that claim to solve this challenge in several different ways – from human-friendly JSON to machine-friendly Java class serialization – they all have one thing in common: using them carelessly is a recipe for disaster. There is a reason why "Insecure Deserialization" is now in the OWASP Top 10!
In this short talk, we'll take a look at the various security issues that arise from deserializing untrusted data in Java: information disclosure, denial of service, and even code execution. We'll examine these issues through live demonstrations with step-by-step explanations of what can go wrong – and how.
Most importantly, we'll discuss several best practices and countermeasures you can use as a developer to protect yourself from these issues – or prevent them from affecting you in the first place.
We will cover the following topics throughout the webinar:
- Basic concept of class serialization (the java.io.Serializable interface)
- Security challenges of deserialization
- Deserialization in Java
- Code execution via class deserialization: Property-Oriented Programming
- Java class deserialization vulnerabilities and examples
- Security issues with third-party serialization libraries: FST and Kryo
- JSON deserialization security challenges
- Protection measures against deserialization vulnerabilities
- Real-world case studies
Requirements
Participants should have basic knowledge of the Java language. While many of the presented issues are language-agnostic, we will be presenting them – and relevant examples – in a Java context.
About the Speaker
Ernő has been working in the area of security for nearly fifteen years. He has been involved in a number of R&D projects in different areas of security, and has numerous scientific publications on different topics of both physical and logical security. Some of his areas of interest include secure coding, software technologies, convergence of logical and physical security, data hiding, technological aspects of digital rights, remote biometrics and video content analysis. He has several innovations in the areas of ear-based human identification, integration of fingerprint biometrics with cryptosystems, computer vision and software watermarking.
SCADEMY Secure Coding Academy was set up by practical software security experts with an academic background, as a by-product of their penetration testing operation. The initial trigger was to educate developers on secure coding so that they do not commit, over and over again, the same typical mistakes found in security evaluations. Over the last decade SCADEMY has grown continuously to become an educational company focusing exclusively on software engineers and secure coding; since its establishment, it has become a leading global brand in this field, delivering on-site courses from Finland to South Africa, from Taiwan to California.
Ernő has actively taken part in the elaboration of all course materials, and currently he manages all training activities of SCADEMY. He is a highly qualified trainer with several years of experience; he has already held numerous secure coding courses for leading software development companies all over North and South America, Europe, Africa and Asia.