Download Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
Document related concepts
no text concepts found
Transcript 
1
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Making the Future Secure
with Java
Milton Smith
Sr. Principal Security PM
2
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Email: [email protected]
Twitter: @spoofzu
Notice
"THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT
DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT
BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER
ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON
IN MAKING PURCHASING DECISION. THE DEVELOPMENT, RELEASE, AND TIMING
OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS
REMAINS AT THE SOLE DISCRETION OF ORACLE."
3
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Who Am I?
Milton Smith
§  Responsible for Java platform security: vision/features, internal/
external communications – everything Java except EE.
§  20+ years of programming and specializing in security.
§  Recently joined Oracle. My last employer was Yahoo! where I
managed security for the User Data Analytics group.
4
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Program Agenda
§  Security Industry Challenges
§  Risk Choices & Methodologies
§  Security at Oracle
§  Ongoing Security Improvements
§  Call to Action
5
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Industry &
Challenges
6
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Level of Security Challenge -- Java Ecosystem
§  97 percent of enterprise desktops run Java
§  1 billion Java downloads each year
§  9 million developers worldwide
§  More than 3 billion devices are powered by Java technology
7
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Threat Landscape
A lot has changed since 1995 when Java started…
§  What we saw in the past…
–  Data Destruction – Format Drive
–  Denial of Service – Computer Lockout
–  Hacktivism – Computer attacks to accomplish an agenda (e.g.,
defacement)
8
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Threat Landscape
The landscape has changed…
§  What we see today…
–  WORMS and Bot Nets
–  State or Terrorist Sponsored Cyber Warfare – Stuxnet
–  Intellectual Property Theft -- Fuzzy Offshore Borders
–  Virtual Currency Manipulation – MMORPGs like World of Warcraft, Bitcoin
§  This is the world we live in today…
9
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Strong Security is the Expectation…
Challenges across entire industry…
§  Security concerns across industry are elevated
§  Strong vs. poor security is difficult for users to evaluate
10
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Risk Choices &
Methodologies
11
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Risk vs. Reward
WE MAKE CHOICES BASED UPON
RISK EVERY DAY.
THIS IS HOW HUMANS FUNCTION.
12
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Everyday Risk Choices
Do animals drink at the water hole? Animals with big teeth may be
present.
–  Answer = Depends, how thirsty.
13
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Everyday Risk Choices
Everyone treated by a doctor – has or will die. Success rate is precisely
zero. Do we continue to visit doctors?
–  Answer = Yes!
14
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Everyday Risk Choices
Life is risky. Do we visit the doctor every day for a check-up?
–  Answer = No!
15
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Risk Based Security Methodology
§  Many of us today use informal risk based approaches.
§  Some don’t take the next steps – formalize thoughts about risk and
how it governs our behavior.
§  Risk methodology helps drive security decisions
16
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Risk Applied to a Web Application
Example
§  A few simple considerations…
–  How important is the application to the business? Dollar loss, compliance
requirements, inconvenience?
–  Internet facing application interfaces (web, web data services)?
–  Any unauthenticated application interfaces (no logon)?
–  and many more factors…
§  Platforms have different concerns but the approach is similar
17
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security at Oracle
18
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Why is Security Important to Oracle?
§  Oracle products are built upon Java technology
…just like your products
§  Oracle product teams demand strong security
…just like you
§  Confidentiality, Integrity, and Availability is important to the Java
ecosystem
19
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Policies - Communications
§  Security news & alerts are communicated via several channels
–  Security Alerts (RSS feed)
–  Critical Patch Update Advisories
–  eBlasts
–  Blogs (like blogs.oracle.com/security)
§  Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html
20
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Policies - Communications
Why we don’t respond to published reports of alleged security
vulnerabilities in Oracle products…
§  Correcting and corroborating articles provides more information to attackers
§  Many reports don’t provide the required engineering details for proper
verification. Technical details like: pre-conditions, impacts, remediation/
mitigation details are light or non-existent.
§  Responding to individual reports forces communities to track vulnerabilities in
social media sites – not good.
21
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Policies - Communications
Why we don’t respond to published reports of alleged security
vulnerabilities in Oracle products…
§  The information Oracle releases is: precise, actionable, and everyone
receives it at the same time.
§  Policy: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html
22
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Throughout Development Cycle
Concept/
Requirements
Early Security Influence
High Risk?
•  Yes = intensive
review
•  No = light review
23
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Analysis/
Design
Security Design
Review
Sec Policy
Compliance?
Coding
• 
• 
Peer Review
Manual
Assessment
Security Throughout Development Cycle
Testing
Delivery
Review Test Cases/
Testing
Static Analysis
Fuzzing
Java.com
Outside of Development
Cycle
• 
• 
• 
• 
GPS
Ethical Hacking
Security Training
Tech Talks
…and more.
Policy: http://www.oracle.com/us/support/assurance/development/index.html
24
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Policies - Remediation
§  Common Vulnerability Scoring System (CVSS)
§  Vulnerabilities reviewed and CVSS score assigned
§  Remediation strongly influenced by CVSS score
Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html#scoring
25
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Security Policies - Remediation
§  Critical Patch Updates (CPU) - Security patches
–  October, February, June for Java Platform Group
–  Java Platform Group Different from Oracle CPU
–  Emergency releases are rare but do happen
§ 
26
Policy: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Java CPU
Planned
7 GA
7u1
CPU
7u2
7u3
Non CPU CPU
7u4
7u5
Non CPU CPU
Every 4 months
Rules for Java CPUs
§ Main release for security vulnerabilities
§ Covers all families (7, 6, 5.0, 1.4.2)
§ CPU release triggers Auto-update
§ Dates published 12 months in advance
§ Security Alerts are released as necessary
§ Based off the previous (non-CPU) release
§ Released simultaneously on java.com and OTN
27
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
7u6
7u7
7u9
Non CPU SecAlert* CPU
Securing Platforms vs. Securing Applications
§  Different tools for securing platforms and applications
–  Platform development often precedes tool features
§  Platforms support a wider range of use cases
§  Different techniques for securing platforms and applications
28
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Ongoing Security
Improvements
29
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Theme, Preventing Drive-By Exploitation
§  Defense against phishing attacks
§  “Best used before” date for JRE security
–  Largest number of exploits are against out-of-date software
30
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Theme, Preventing Drive-By Exploitation
§  Easier to disable Java in Browser (Applet/JNLP)
§  Encourage users to uninstall older JREs
–  First step, as an applet
–  Next step, component of the installer
31
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Theme, JRE Security Hardening
§  Configurable IT security policy
§  More frequent security feeds (blacklists, security baseline updates)
32
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Call to Action
33
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Vulnerability Reporting &
Security Feature Suggestions
§  Report Vulnerabilities
–  Support Customers: My Oracle Support
–  Others: [email protected]
Policy:
http://www.oracle.com/us/support/assurance/reporting/index.html
§  Suggest New Features
–  http://bugreport.sun.com/bugreport/
34
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Upcoming CPU’s
§  October 16, 2012 - (7u9, 6u37)
§  February 19, 2013 - (7u11, 6u39)
§  June 18, 2013 - (7u13, 6u41)
§  CPUs
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
35
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Help Us Keep You Secure
§  To end users…
–  Keep your JRE’s updated (auto-update on)
–  Practice defense-in-depth: virus scanner, firewall
§  To developers…
–  Support current JRE’s so end users can upgrade
–  Sign your applications (use timestamp)
–  Validate untrusted data (input/output validation)
–  Follow Open Web Application Security Project, https://www.owasp.org/
–  CON4786 - “Secure Coding Guidelines for the Java Programming
Language” Wednesday, Oct 3, 3:00 PM - 4:00 PM - Hilton San Francisco Yosemite A/B/C
36
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
oracle.com/javajobs
37
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
38
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Related documents
Slide 1
Slide 1
Course flyer
Course flyer
IMS Maxims – Multinational Company
IMS Maxims – Multinational Company
Free* Oracle Training: Learn to Teach Java, a Top Programming
Free* Oracle Training: Learn to Teach Java, a Top Programming
Oracle vs. SQL Server
Oracle vs. SQL Server
Database Design and Programming with SQL
Database Design and Programming with SQL
Jerry Held
Jerry Held
Finding Petroleum - Oracle
Finding Petroleum - Oracle
Downlaod File
Downlaod File
Oracle Enterprise Manager
Oracle Enterprise Manager
CSCI 3720 Database Systems
CSCI 3720 Database Systems
Java and the IoT Big Bang
Java and the IoT Big Bang