Security in the Open Source ecosystem has continuously grown in priority on the global agenda in the technology industry. Many practices like DevOps, Agile, and standards like ISO/IEC 27001 have contributed over the years to adopt and promote a shift-left approach to security in the industry. The Java ecosystem is not separate from the opportunities and challenges the industry has overcome regarding security. In late 2022 I started to deliver the session “Deep diving into Java ecosystem security with OpenSource and DevSecOps” which provide a glance at how Open Source and the Java ecosystem correlate during the lifecycle of common...
Read More
Introduction If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4J2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be…
