“It won't happen to me.” That's what #Tesla, #Atlassian & #Fortnite thought. Jonathan Vila walks you through the top hidden flaws still lurking in production code & how to shut the doors before it's too late.
Get smart: https://javapro.io/2025/04/29/top-security-flaws-injections/
Together with our Staff Software Engineer, Łukasz Rola, we’re launching a brand-new series: Java Crack of the Week! 💻
👉 https://youtube.com/watch?v=JhH9N6pWPKk
In the first episode, Łukasz dives deep into one of the most critical Java vulnerabilities ever discovered: Log4Shell (CVE-2021-44228).
🎉 This series is part of our celebration of Java’s 30th anniversary - make sure to subscribe to our YouTube channel for weekly episodes!
#Java #Java30 #Java30withSoftwareMill #Log4Shell #JavaCrackOfTheWeek
A single misstep in your infrastructure code can open the door to attacks. At #JCON2025, Jonathan Vila reveals the most common IaC security mistakes — and how to avoid them. Join his session!
Want to prep early? Check his #JAVAPRO article: https://javapro.io/2025/04/29/top-security-flaws-injections/
A single SQL line. One careless deserialization. That's all it takes to bring your app down. @vilojona shows how even top teams get it wrong and how you can get it right. Ready to patch your blind spots?
Start here: https://javapro.io/2025/04/29/top-security-flaws-injections/
Think your code is safe? So did #Tesla. 🚨 @vilojona uncovers the top attacks hiding in your code right now - and how a single mistake can cost you everything.
Can you spot the flaw before hackers do?
Find out: https://javapro.io/2025/04/29/top-security-flaws-injections/
New Open-Source Tool Spotlight 🚨🚨🚨
Log4Shell still has lingering risks. If you're managing Java apps, check out Log4shell-detector on GitHub. It scans for vulnerable Log4j usage with minimal setup. Regular audits help keep your environment secure. #cybersecurity #Log4Shell
🔗 Project link on #GitHub 👉 https://github.com/Neo23x0/log4shell-detector
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— ✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴☠️
Was just reminded that #Log4Shell was 2021. Still feels like it was just a few weeks ago. Probably because we haven't learned any lessons from it.
En esta fecha, los investigadores de seguridad de Alibaba encuentran evidencia de que Log4Shell se encontraba publicando un código de explotación en GitHub.
Afectó en forma drástica a los servidores de Minecraft, Cloudflare, Microsoft y Amazon.
#retrocomputingmx #Log4Shell #vulnerability
El 9 de diciembre de 2021, se anuncia la vulnerabilidad de seguridad log4j, conocida como Log4Shell, es una vulnerabilidad crítica detectada en la biblioteca de registro de Apache Log4j, detectada por primera vez en noviembre 24.
Esta, otorga a los hackers acceso y control total de los dispositivos que ejecutan versiones de Apache sin el parche de seguridad.
Today, 3 years ago, the (in)famous #Log4Shell vulnerability was made public.
This was an arbitrary code execution in the popular #Java logging framework #Log4j, the issue was there since 2013. This vulnerability received a CVSS severity rating of 10, the highest possible.
Hope you all updated your billions of devices running Java out there already!
Excited and honored to speak at the #Japan #Java User Group this November! I’ll dive into the story behind #Log4j and #Log4shell, explore the impacts on the open-source ecosystem, and discuss lessons learned since. Looking forward! #OpenSource #JUG
https://www.java-users.jp/post/night202411/
Log4Shell still sends shivers down my spine! 😱
This #RedHat article revisits the infamous vulnerability and reminds us about software supply chain security, vulnerability management, and the power of open source collaboration. #Log4Shell #cybersecurity #redhat
3 years after #Log4shell, Bloomberg wrote "Hackers are still targeting #Log4j". The article is not mindblowing, but it reminds us to update! https://www.bloomberg.com/news/newsletters/2024-10-09/hackers-still-target-outdated-software-flaw-despite-available-fixes?srnd=undefined
Three years after #Log4Shell caused a significant security issue, we still struggle with insecure dependencies and injection problems, join @brianverm, Jonathan Vila, Erik Costlow, and @frankdelporte for a lively #Java #OpenJDK and beyond discussion on Foojay :foojay:!
https://foojay.io/today/foojay-podcast-58-how-java-developers-can-secure-their-code/
Hat jemand schonmal im #informatikEdu Unterricht #Log4Shell #xz oder den #crowdstrike Bug besprochen? Wollte das im 11er Kurs thematisieren und frage mich, ob jemand dazu S-taugliches Material oder Ideen hat!
#FediLZ
One of the best features of @jakartaee is separation of #API and implementation. Your applications are more flexible and secure without a need to recompile. Most Jakarta EE implementations are either unaffected by #Log4Shell or their runtimes were quickly patched without recompilation. This separation also keeps applications small and clean.
Unfortunately #SpringBoot doesn't do this and any SpringBoot application has to have 100s of dependencies minimum making apps hard to upgrade.
https://dev.to/bitbybit/how-an-overlook-in-development-wreaked-havoc-on-the-internet-the-log4shell-vulnerability-2924 - how #Log4Shell works, and how it's easy for a design fail to shoot developers in the foot. Nice exploration https://linkedin.com/in/jaiyank-saxena.
Никому нельзя верить на слово в безопасной разработке, или Еще один взгляд на SCA
Захожу я в английский клуб. Там все сидят, выпивают, в карты играют. Смотрю — в очко режутся! Сел я за столик, взял карты. У меня — 18. А мой соперник говорит: «20». Я ему: «Покажи!». А он мне: «Мы, джентльмены, верим друг другу на слово». И вот тут-то мне поперло . Но в ИБ так не пройдет, нужна здоровая паранойя. Поэтому на слово не верим никому, в том числе и инструментам анализа, а сначала их проверяем. Читать
https://habr.com/ru/companies/pt/articles/808023/
#cybersecurity #безопасная_разработка #анализатор_кода #ci/cd #sca #уязвимость #appsec #приложения #log4shell #devsecops
Nächste Woche bin ich bei der #Linux Usergroup in Augsburg zu Gast. Ich freue mich schon sehr!
Thema: "Mehr arbeiten, aber dafür umsonst. Wie geht das?" ;-)
Wer nicht weiß wie kostenfrei arbeiten geht, oder mehr über #OpenSource, #Log4j oder das #Log4shell aftermath wissen will - willkommen.
Danke für die Einladung, @lug_augsburg
https://www.luga.de/static/LIT-2024/talks/lasst_uns_kostenlos_arbeiten/
Ich habe mein Dokument zur Gründung des @sovtechfund
mit allen Referenzen mal auf meine Webseite gestellt
https://thomasfricke.de/pages/fossec/
Stand 2021. Aber da fehlt für die Reaktionen auf #log4shell #xz oder andere Katastrophen nur noch
1. Inzidenz Unterstützung für das betroffenene Projekt.
2. Forensik und Aufräumen
3. Langfristige Identifizierung von "wichtigen" #FOSS Projekten unter Stress
Die Phasen schreibe ich noch sauber auf.
