[Owasp-hartford] Connecticut Java Users Group: Protecting Java Code - Going Beyond Simple Obfuscation
McGovern, James F. (eBusiness)
James.McGovern at thehartford.com
Fri Oct 30 12:08:50 EDT 2009
When: Tuesday, November 10, 2009 5:00 PM-7:00 PM (GMT-05:00) Eastern Time (US & Canada).
Where: Computer Sciences Corporation (CSC), East Hartford
While Java offers an efficient framework for developing and deploying enterprise and Web 2.0 server- or client-side applications, it also presents many risks. Attacks against Java applications come from many different angles: a rogue employee steals class files containing critical intellectual property, a thick client is reverse engineered to gain visibility into business logic, or a high-priced application is pirated. These attacks are unfortunately easy to carry out because Java, being an interpreted language, retains program metadata that reveals the inner workings of the application. In fact, attackers often use attack tools such as decompilers, which can produce source code from the metadata contained in Java class files. Fortunately, there are numerous ways to foil reverse engineering and tampering of Java applications, including control flow obfuscation, class encryption, symbol renaming, code signing, and string encryption. However, because of other vulnerabilities such as Java runtime hijacking, some of these protection technologies are easy to circumvent. Therefore, when considering homegrown or commercial solutions, it is important to have a holistic perspective on security. In this session we will consider and demonstrate some of the vulnerabilities and risks, along with the protection tools to keep in your toolkit when assessing or implementing Java application security.
Speaker
Mike Dulaney joined Arxan in 2003 as a Software Security Analyst, participating in and managing government-funded research studies to measure the effectiveness of software security. Mr. Dulaney is now part of Arxan's commercial sales organization as a Security Architect, a role in which he has contributed in a variety of functional areas: Technical Pre-Sales, Technical Support, Management, Rapid Prototyping, Security Forensics, and Threat Modeling. Previously, Mr. Dulaney performed application security research and development throughout all stages of the application security lifecycle. He also helped bootstrap Arxan's GuardIT product by designing and developing product security features and playing a key role in enabling support for new compilers and languages. Mr. Dulaney earned a B.S. in Computer Science from Purdue University before completing post-graduate coursework at Purdue's Krannert Graduate School of Management.
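The abstract's point is that a compiled class file carries the metadata a decompiler works from. As an added example (not part of the announcement and not Arxan's tooling), the following Java program reads one .class file per the JVM class-file format and inventories that metadata: the string literals that string encryption is meant to hide, the field and method names and descriptors that symbol renaming is meant to hide, and the classes the code references. It is a defender's pre-release check of what a build discloses; it assumes a single .class file path on the command line and skips attributes (including bytecode), since the constant pool and member tables already make the point.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Lists the constant pool strings, referenced classes, and own fields/methods of a .class file. */
public class ClassFileAudit {

    /** One constant-pool slot; only the fields relevant to the tag are set. */
    static final class CpEntry {
        final int tag;
        final String utf8;  // CONSTANT_Utf8 text (tag 1)
        final int ref1;     // first u2 operand: name_index, string_index, class_index, ...
        final int ref2;     // second u2 operand where the tag has one
        CpEntry(int tag, String utf8, int ref1, int ref2) {
            this.tag = tag; this.utf8 = utf8; this.ref1 = ref1; this.ref2 = ref2;
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java ClassFileAudit <file.class>");
            System.exit(2);
        }
        try (DataInputStream in = new DataInputStream(new FileInputStream(args[0]))) {
            if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file: " + args[0]);
            int minor = in.readUnsignedShort();
            int major = in.readUnsignedShort();
            CpEntry[] cp = readConstantPool(in);
            in.readUnsignedShort();                                  // access_flags, not needed here
            String thisClass = className(cp, in.readUnsignedShort());
            int superIndex = in.readUnsignedShort();                 // 0 only for java.lang.Object
            String superClass = superIndex == 0 ? "(none)" : className(cp, superIndex);
            int interfaceCount = in.readUnsignedShort();
            for (int i = 0; i < interfaceCount; i++) in.readUnsignedShort();
            List<String> fields = readMembers(in, cp);               // fields table comes first
            List<String> methods = readMembers(in, cp);              // then the methods table

            System.out.printf("class file version %d.%d%n", major, minor);
            System.out.println("this_class:  " + thisClass + "\nsuper_class: " + superClass);
            System.out.println("\n-- referenced classes (CONSTANT_Class) --");
            for (CpEntry e : cp) if (e != null && e.tag == 7) System.out.println("  " + utf8(cp, e.ref1));
            System.out.println("\n-- string literals (CONSTANT_String): what string encryption hides --");
            for (CpEntry e : cp) if (e != null && e.tag == 8) System.out.println("  \"" + utf8(cp, e.ref1) + "\"");
            System.out.println("\n-- fields: what symbol renaming hides --");
            fields.forEach(f -> System.out.println("  " + f));
            System.out.println("\n-- methods: what symbol renaming hides --");
            methods.forEach(m -> System.out.println("  " + m));
        }
    }

    /** Reads constant_pool_count and the entries; slot 0 is unused per the JVM spec. */
    static CpEntry[] readConstantPool(DataInputStream in) throws IOException {
        int count = in.readUnsignedShort();
        CpEntry[] cp = new CpEntry[count];
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1:   // Utf8: u2 length + modified UTF-8, the same encoding readUTF expects
                    cp[i] = new CpEntry(tag, in.readUTF(), 0, 0); break;
                case 3: case 4:   // Integer, Float: u4
                    in.readInt(); cp[i] = new CpEntry(tag, null, 0, 0); break;
                case 5: case 6:   // Long, Double: u4 u4, and each occupies two pool slots
                    in.readLong(); cp[i] = new CpEntry(tag, null, 0, 0); i++; break;
                case 7: case 8: case 16: case 19: case 20:   // Class, String, MethodType, Module, Package: u2
                    cp[i] = new CpEntry(tag, null, in.readUnsignedShort(), 0); break;
                case 9: case 10: case 11: case 12: case 17: case 18:
                    // Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic: u2 u2
                    cp[i] = new CpEntry(tag, null, in.readUnsignedShort(), in.readUnsignedShort()); break;
                case 15:  // MethodHandle: u1 reference_kind + u2 reference_index
                    in.readUnsignedByte(); cp[i] = new CpEntry(tag, null, in.readUnsignedShort(), 0); break;
                default:
                    throw new IOException("unknown constant pool tag " + tag + " at index " + i);
            }
        }
        return cp;
    }

    /** Reads a fields or methods table into "name descriptor" strings; attributes are skipped. */
    static List<String> readMembers(DataInputStream in, CpEntry[] cp) throws IOException {
        int count = in.readUnsignedShort();
        List<String> members = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            in.readUnsignedShort();                                  // access_flags
            String name = utf8(cp, in.readUnsignedShort());
            String descriptor = utf8(cp, in.readUnsignedShort());
            members.add(name + " " + descriptor);
            int attrCount = in.readUnsignedShort();
            for (int a = 0; a < attrCount; a++) {
                in.readUnsignedShort();                              // attribute_name_index
                in.skipBytes(in.readInt());                          // attribute_length, then its bytes
            }
        }
        return members;
    }

    static String utf8(CpEntry[] cp, int index) { return cp[index].utf8; }

    /** CONSTANT_Class points at a Utf8 holding the internal name, e.g. java/lang/String. */
    static String className(CpEntry[] cp, int index) {
        return utf8(cp, cp[index].ref1).replace('/', '.');
    }
}
```

Compile with `javac ClassFileAudit.java` and run it against any class from your own build; running it against the same class after an obfuscation pass shows directly which of the listed items the tool removed and which (for instance string literals left in the clear, or a decryption routine whose name still describes it) survive.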
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************