Securing and Exploiting Java Applications with Erik Costlow
February 10, 2022 @ 6:00 pm - 7:30 pm CST
OpenJDK 17 makes the interesting decision that deprecating a security feature (the SecurityManager) can actually improve the security of the platform and of running applications, setting out a path to remove a feature that hasn’t been used and hasn’t blocked many exploits.
By understanding how modern Java applications are attacked, teams can better position the right defense in the right location. This talk will analyze exploits against several Java applications that were used in the wild and lay out the proper security defenses that can keep applications from being breached, not only to mitigate these threats but also to address time spent on internal security audits.
We will lay out where different defense and monitoring capabilities have gone, including new features such as serialization filters and OpenJDK Flight Recorder.
Speaker Bio: Erik Costlow is a software security expert with extensive Java experience. He manages developer relations for Contrast Security and its public Community Edition. Contrast weaves sensors into applications, giving them the ability to detect security threats based on how the application uses its data. Erik was the principal product manager at Oracle focused on security of Java 8, joining at the height of hacks and departing after a two-year absence of zero-day vulnerabilities. During that time, he learned the details of Java at both a corporate/commercial and community level. He also assisted Turbonomic's product management team in data center/cloud performance automation. Erik also led product management for Fortify static code analyzer, a tool that helps developers find and fix vulnerabilities in custom source code. Erik has also published several developer courses through Packt Publishing on data analysis, statistics, and cryptography.