Malicious Developers and Enterprise Java Rootkits
This technical talk will examine some of the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk.
A long technical paper and an Eclipse project with all the code examples is available.
Jeff Williams is the founder and CEO of Aspect Security, specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). He has made extensive contributions to the application security community through OWASP, including writing the Top Ten, WebGoat, Secure Software Contract Annex, Enterprise Security API, OWASP Risk Rating Methodology, and starting the worldwide local chapters program. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.