Скачать с ютуб Unsafe Deserialization Attacks In Java - Apostolos Giannakidis в хорошем качестве

Unsafe Deserialization Attacks In Java - Apostolos Giannakidis

Slides can be downloaded here: https://www.owasp.org/images/a/a3/OWA... This talk was presented at OWASP London Chapter Meeting on 18-May-2017. A great number of Java applications utilize native Object Serialization to transfer or persist objects. Recently it has become popular the fact that the deserialization process in Java is flawed and if not used properly it can be easily abused by attackers. This talk provides an introduction and detailed overview of the problem of Java deserialization. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work. Additionally, you will learn what solutions exist to the problem and the advantages and disadvantages of each. Finally, a new approach will be presented that protects the JVM from these attacks using a completely different approach than any other existing solution. Speaker Bio: Apostolos Giannakidis is the Security Architect at Waratek. Before joining Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than a decade of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.