Security a top priority for Java developers, says Infosec Skills author Larry Ricker
If you have ever ordered an item on Amazon, hailed a ride through Uber, booked a room on Airbnb, listened to music or a podcast on Spotify, watched a film or program on Netflix, posted photos on Instagram, pinned an item on Pinterest or looked up something on Google, then you’ve used Java.
In short, Java is the programming language that makes thousands of applications and websites work seamlessly.
First introduced by Sun Microsystems in 1995 and now a product of Oracle, Java is the world’s top programming language, running everything from scientific supercomputers, data centers and e-commerce websites to cell phones, game consoles and online banking.
Larry Ricker has been writing code in Java since it came out. As a senior software developer with a top-secret clearance at a major government contractor, he is intimately familiar with the language and how to make sure customer information remains secure.
“Security has grown since the internet and it’s a need that has been an issue created by the internet,” says Ricker, who recently released a Writing Secure Code in Java Learning Path in Infosec Skills. “If you’re doing any programming or writing an app and are in an environment with customers, you’re collecting people’s information and you need to protect it.”
Learn Java security from an expert
Ricker has more than 20 years of professional experience, having led teams and created software using Java for tech companies across the U.S. He’s also developed 19 applications for the iPhone and iPad.
That makes him uniquely qualified to help train the next generation of Java developers.
“You have to be aware of cross-site request forgery and attacks that people can use to attack software,” says Ricker. “So now when I’m doing secure code reviews and looking over people’s code, I’m a lot more keen on what they might be doing that might open up a vulnerability or a susceptibility to attack.”
Vulnerable code leads to attacks
Earlier this year, an ethical hacker breached the systems of a who’s who of technology companies, including Apple, Microsoft, Netflix, PayPal, Shopify, Tesla and Uber by exploiting open-source development tools.
The code developed by security researcher Alex Birsan was injected into common tools for installing dependencies in developer projects. The vulnerability he exploited was detected inside more than 35 organizations across three programming languages — Python, Ruby and Java. Birsan received more than $130,000 in both bug bounties and pre-approved arrangements with targeted organizations, all of whom agreed to be tested.
Last year, the SolarWinds hack affected an estimated 18,000 of the company’s customers who downloaded a software update with malicious code believed to have been inserted by Russian agents. More than 100 companies including Microsoft, Intel and Cisco were compromised. So were federal government agencies including the Treasury, Justice, Energy and Defense departments.
“It was genius on the part of the hackers to get that software in there and get it into so many corporations and government agencies. They picked a really good place to deliver their payload,” says Ricker. “They created a backdoor that is getting a lot of focus, unfortunately, after the fact.”
Privacy laws put emphasis on security
Privacy laws are tightening because of the massive amounts of personal information gathered by organizations and through social media. The European Union passed rules to protect people’s privacy and impose severe penalties for violating people’s privacy.
“Europeans were very interested in their privacy and protecting their privacy while Americans are more open, but I see that changing very quickly,” says Ricker. “I think you’re going to see that probably result in new legislation. And maybe it will mirror GDPR, which is covered in the training.”
Ricker says that whether or not new laws are passed, the impact on organizations is real.
“As developers and coders, we are collecting vast amounts of personal information and we have to protect it,” he says. “It goes right up to the design level, you’ve got to think about it right from the get-go. I know that certain platforms collect a lot of information for marketing purposes, but that’s going to expose them to liability. So I think everybody needs to be aware of security in this environment.”
Build your Java security skills
Ricker’s new learning path takes you on a journey through the challenges and opportunities of writing secure code in Java.
Seven courses cover topics ranging from network models and protocols to malware to security best practices — all related to how they affect your work in Java:
- Introduction to Java: Learn about input validation, RegEx and how to mitigate the risk of denial-of-service attacks.
- Injection Attacks: Get an overview of common injection attacks and how to mitigate them through validation and encoding.
- Authentication: Explore authentication systems and the components required to secure a system.
- Sensitive Data: Learn about sensitive and non-sensitive data, personally identifiable information and what is protected by privacy laws.
- Input Output: Review inputs and outputs to your system and how to move data securely.
- Website Security: Dive into security issues, including cross-site request forgeries, session management and constructing filters to protect your website.
- Malware: Explore ways to mitigate the risks of malware through formalized code reviews
You’ll then put your skills into action with hands-on labs in our Java secure coding cyber range — and a hands-on project.
Who should learn Java security?
This learning path is for anyone wanting to build their Java security skills. While software developers are the primary audience for this learning path, recent graduates with degrees in IT also will benefit.
“In this environment, even a newbie fresh out of college really needs to start diving into security almost immediately,” says Ricker.
“I don’t remember ever taking a class on security when I was in school 30 years ago. But my son, who recently graduated, had multiple courses in different realms of security as part of his computer science degree. Security is vitally important in today’s world and it’s only going to be more so.”
- What is Java and why do I need it?, Oracle
- What Is Java? A Beginner’s Guide to Java and Its Evolution, Edureka!
- A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack, NPR
- Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple, ThreatPost
- 5 Best Programming Languages For Hacking, Techworm