What's in Your Java Application

What’s in your Java Application – is it safe? Can you ‘Shift Left’ to mitigate the risks?
Nick Coombs, Regional Sales Director
Andy Howells, Solutions Architect
5/2/2016

Win a GoPro Hero Session – scan an application
• Full HD 1080p video up to 60 fps
• 149° lens
• Waterproof to 32 ft with included housing
• Up to 2 hours recording
• 8 megapixel still photos & time lapse mode

What projects do you use?
• Apache Struts
• Apache Mahout
• WildFly
• Liferay
• GlassFish
• Apache TomEE
• JBoss
• WebSphere
• Apache Tomcat

DevOps – the intersection of Agile, Lean and ITSM
• Lean - quality
• Agile - speed
• ITSM - control

The modern software supply chain

Suppliers (open source projects):
• 3.7 million open source developers
• Over 1.3M component versions contributed
• 105,000 open source projects
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days

Warehouses (component repositories):
• 32 billion download requests last year
• 90,000 private component repositories in use
• Once uploaded, always available
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses

Manufacturers (software dev teams):
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization
• 27 versions of the same component downloaded
• 43% don’t have open source policies
• 75% of those with policies don’t enforce them
• 95% rely on inefficient component distribution (or “sourcing”) practices

Finished goods (software applications):
• 80 - 90% component-based
• 106 components per application
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 31% suspect a related breach
• 60% don’t have a complete software Bill of Materials

Your software supply chain is complicated: hundreds of thousands of open source suppliers and millions of components

Bouncy Castle (Java Cryptography API)
• CVE Date: 11/10/2007
• CVSS v2 Base Score: 10.0 HIGH
• Exploitability: 10.0
• Since then: 11,236 organizations downloaded it 214,484 times

Apache HttpClient (Java HTTP implementation)
• CVE Date: 11/04/2012
• CVSS v2 Base Score: 5.8 MEDIUM
• Exploitability: 8.6
• Since then: 29,468 organizations downloaded it 3,749,193 times

Struts 2 (Web application framework)
• CVE Date: 07/20/2013
• CVSS v2 Base Score: 9.3 HIGH
• Exploitability: 10
• Since then: 4,076 organizations downloaded it 179,050 times

Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database

What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …
• Manufacturers could choose any supplier they want for any given part, regardless of quality.
• Any part can be chosen, even if it is outdated or known to be unsafe.
• There is no inventory of the parts that were used, or where.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.

Do you drive one of the following?
• Acura
• Audi
• BMW
• Chevrolet
• Chrysler
• Dodge
• Ford
• GMC
• Honda
• Infiniti
• Mazda
• Mercedes-Benz
• Mitsubishi
• Nissan
• Pontiac
• Saab
• Saturn
• Subaru
• Toyota
• Volkswagen
Source: http://www.safercar.gov/rs/takata/takatalist.html

Partners across the globe are bringing the 787 together
Source: http://dfat.gov.au

Time for a SUPPLY CHAIN APPROACH?
• Use fewer and better suppliers
• Use higher quality parts
• Track what is used and where

Time for a FRESH APPROACH?
Sonatype Nexus Lifecycle
• Precisely identify components and risks
• Remediate early in development
• Automate policy across the SDLC
• Manage risk across all applications
• Continuously monitor applications for new risks

NEXUS & Bamboo at the of Continuous
• Faster releases
• Increased efficiency
• Less unplanned work
• Fewer break-fixes
• Easier maintenance
• And better quality software!

DevOps Calculator – Reduce your waste

Thank you. Does anyone want to scan their applications?
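The deck’s “track what is used and where” and “automate policy across the SDLC” steps, as an added example that is not Sonatype’s code: a small Python policy gate that builds a bill of materials from a pom.xml and grades each component against an advisory feed (CVSS threshold) and a licence list. Every coordinate, version, advisory ID and licence below is constructed sample data, not a real project or CVE record.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment; the org.example coordinates are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-framework</artifactId><version>2.3.15</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>http-client</artifactId><version>4.5.2</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>crypto-lib</artifactId><version>1.60</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: component -> [(fixed_in, CVSS v2 base score, advisory id)].
# Versions below fixed_in are affected. The ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "org.example:web-framework": [("2.3.20", 9.3, "ADV-PLACEHOLDER-1")],
    "org.example:http-client": [("4.5.3", 5.8, "ADV-PLACEHOLDER-2")],
}
# Constructed licence data; this policy treats AGPL-3.0 as restrictive.
LICENSES = {"org.example:web-framework": "Apache-2.0",
            "org.example:http-client": "Apache-2.0",
            "org.example:crypto-lib": "AGPL-3.0"}
RESTRICTIVE = {"AGPL-3.0"}

@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

def parse_pom(xml_text):
    """Direct dependencies declared in a pom.xml: the first cut of an inventory.
    Transitive dependencies need the resolved tree from the build tool."""
    root = ET.fromstring(xml_text)
    return [Component(d.findtext("m:groupId", namespaces=NS),
                      d.findtext("m:artifactId", namespaces=NS),
                      d.findtext("m:version", namespaces=NS))
            for d in root.findall(".//m:dependencies/m:dependency", NS)]

def version_tuple(v):
    # Assumes plain dotted numeric versions, which is enough for the sample data.
    return tuple(int(p) for p in v.split("."))

def evaluate(components, advisories=ADVISORIES, licenses=LICENSES,
             fail_cvss=7.0, warn_cvss=4.0):
    """Grade each component: known advisories by CVSS threshold plus a licence
    check. Returns the BOM with findings and a pass/fail flag a CI step can gate on."""
    bom = []
    for c in components:
        key = f"{c.group}:{c.artifact}"
        findings = []
        for fixed_in, cvss, adv_id in advisories.get(key, []):
            if version_tuple(c.version) < version_tuple(fixed_in):
                level = "fail" if cvss >= fail_cvss else "warn" if cvss >= warn_cvss else "info"
                findings.append({"type": "vulnerability", "id": adv_id, "cvss": cvss,
                                 "fixed_in": fixed_in, "level": level})
        lic = licenses.get(key, "unknown")
        if lic in RESTRICTIVE or lic == "unknown":
            # Restrictive licence fails the build; an unknown licence is flagged for review.
            findings.append({"type": "license", "id": lic,
                             "level": "fail" if lic in RESTRICTIVE else "warn"})
        bom.append({"component": f"{key}:{c.version}", "license": lic, "findings": findings})
    failed = any(f["level"] == "fail" for e in bom for f in e["findings"])
    return {"bom": bom, "policy_passed": not failed}

if __name__ == "__main__":
    report = evaluate(parse_pom(SAMPLE_POM))
    for entry in report["bom"]:
        print(entry["component"], entry["license"], entry["findings"])
    print("policy passed:", report["policy_passed"])
```

The same report, written to a file and kept per release, is the “complete software Bill of Materials” the deck says 60% of organisations lack; a real gate would also feed the advisory list from a live vulnerability database rather than a constant.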