java
Safeguard articles tagged "java" — guides, analysis, and best practices for software supply chain and application security.
70 articles
SpotBugs Security Detectors for Java: A Practical Guide
SpotBugs with Find Security Bugs is the most effective free security analysis tool for Java. Here is how to get real results from it.
Maven Plugin Verification: Trusting Your Build-Time Dependencies
Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.
Java Maven and Gradle Dependency Security
How to secure your Java dependency chain across Maven and Gradle builds, from signature verification to repository management.
Maven Dependency Resolution Attacks: Exploiting Java's Build System
Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.
The Log4Shell Response Playbook Six Months In
Six months after CVE-2021-44228 broke the internet, here is what worked, what didn't, and the response patterns security teams should keep as muscle memory.
Maven Central Supply Chain Risks: Securing the Java Ecosystem
Maven Central is the backbone of the Java ecosystem, serving billions of artifact downloads annually. Its unique trust model and dependency resolution create supply chain risks that Java teams must understand.
Spring4Shell (CVE-2022-22965) Response Analysis
A 2010-era bypass resurfaced as CVE-2022-22965 on Spring Framework for JDK 9+. Here is how the disclosure, patch, and industry response actually went.
Spring4Shell vs Log4Shell: Comparing Two Java Framework Crises
Both scored 9.8 on CVSS. Both affected millions of Java applications. But Log4Shell and Spring4Shell had fundamentally different blast radii. Here's a direct comparison.
Spring4Shell (CVE-2022-22965): Remote Code Execution in Spring Framework
A critical RCE in Spring Framework sent Java teams scrambling. While less catastrophic than Log4Shell, Spring4Shell exposed dangerous assumptions about ClassLoader access in Java web applications.
Log4Shell Vulnerability (CVE-2021-44228) Explained
The most critical vulnerability in a decade dropped on a Friday. Log4Shell affects virtually every Java application and is trivial to exploit. Here's what happened.