<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security on Sven Ruppert</title><link>https://sven-ruppert.info/categories/security/</link><description>Recent content in Security on Sven Ruppert</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>sven.ruppert@gmail.com (Sven Ruppert)</managingEditor><webMaster>sven.ruppert@gmail.com (Sven Ruppert)</webMaster><copyright>© 2026 Sven Ruppert</copyright><lastBuildDate>Fri, 29 Aug 2025 14:53:27 +0000</lastBuildDate><atom:link href="https://sven-ruppert.info/categories/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Password Security: Why Hashing is Essential</title><link>https://sven-ruppert.info/posts/password-security-why-hashing-is-essential/</link><pubDate>Fri, 29 Aug 2025 14:53:27 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/password-security-why-hashing-is-essential/</guid><description>&lt;p&gt;Password security is an often underestimated but critical topic in software development. Databases containing millions of user logins are repeatedly compromised - and shockingly often it turns out that passwords have been stored in plain text.
This gives attackers direct access to sensitive account data and opens the door to identity theft, account takeovers and other attacks.&lt;/p&gt;</description></item><item><title>Short links, clear architecture – A URL shortener in Core Java</title><link>https://sven-ruppert.info/posts/short-links-clear-architecture-a-url-shortener-in-core-java/</link><pubDate>Tue, 10 Jun 2025 22:43:22 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/short-links-clear-architecture-a-url-shortener-in-core-java/</guid><description>&lt;p&gt;A URL shortener seems harmless – but if implemented incorrectly, it opens the door to phishing, enumeration, and data leakage. In this first part, I&amp;rsquo;ll explore the theoretical and security-relevant fundamentals of a URL shortener in Java – without any frameworks, but with a focus on entropy, collision tolerance, rate limiting, validity logic, and digital responsibility. The second part covers the complete implementation: modular, transparent, and as secure as possible.&lt;/p&gt;</description></item><item><title>DNS Attacks - Explained</title><link>https://sven-ruppert.info/posts/dns-attacks-explained/</link><pubDate>Mon, 07 Apr 2025 08:48:06 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/dns-attacks-explained/</guid><description>&lt;h3 class="relative group"&gt;1. Getting started – trust in everyday internet life
 &lt;div id="1-getting-started--trust-in-everyday-internet-life" class="anchor"&gt;&lt;/div&gt;
 
 &lt;span
 class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"&gt;
 &lt;a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#1-getting-started--trust-in-everyday-internet-life" aria-label="Anchor"&gt;#&lt;/a&gt;
 &lt;/span&gt;
 
&lt;/h3&gt;
&lt;p&gt;Anyone who enters a web address like “&lt;a href="http://www.beispiel.xn--de-x2t/" target="_blank" rel="noreferrer"&gt;www.example.de”&lt;/a&gt; into the browser expects a familiar website to appear within seconds. Whether in the home office, at the university, or in the data center, access to online services is now a given. The underlying technical processes are invisible to most users; even in IT practice, they are often taken for granted. One of these invisible processes is name resolution by the Domain Name System (DNS).&lt;/p&gt;</description></item><item><title>Java Cryptography Architecture (JCA) - An Overview</title><link>https://sven-ruppert.info/posts/java-cryptography-architecture-jca-an-overview/</link><pubDate>Thu, 03 Apr 2025 12:22:30 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/java-cryptography-architecture-jca-an-overview/</guid><description>&lt;p&gt;The &lt;strong&gt;Java Cryptography Architecture (JCA)&lt;/strong&gt; is an essential framework within the Java platform that provides developers with a flexible and extensible interface for cryptographic operations. It is a central component of the Java Security API and enables platform-independent implementation of security-critical functions.&lt;/p&gt;</description></item><item><title>Cache Poisoning Attacks on Dependency Management Systems like Maven</title><link>https://sven-ruppert.info/posts/cache-poisoning-attacks-on-dependency-management-systems-like-maven/</link><pubDate>Wed, 13 Nov 2024 14:15:16 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/cache-poisoning-attacks-on-dependency-management-systems-like-maven/</guid><description>&lt;p&gt;Cache poisoning on Maven Caches is a specific attack that targets how Maven Caches manages packages and dependencies in a software development process. 
It&amp;rsquo;s essential to understand how Maven works before we look at the details of cache poisoning.&lt;/p&gt;</description></item><item><title>CWE-778: Lack of control over error reporting in Java</title><link>https://sven-ruppert.info/posts/cwe-778-lack-of-control-over-error-reporting-in-java/</link><pubDate>Fri, 18 Oct 2024 14:07:20 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/cwe-778-lack-of-control-over-error-reporting-in-java/</guid><description>&lt;h2 class="relative group"&gt;Learn how inadequate control over error reporting leads to security vulnerabilities and how to prevent them in Java applications.
 &lt;div id="learn-how-inadequate-control-over-error-reporting-leads-to-security-vulnerabilities-and-how-to-prevent-them-in-java-applications" class="anchor"&gt;&lt;/div&gt;
 
 &lt;span
 class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"&gt;
 &lt;a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#learn-how-inadequate-control-over-error-reporting-leads-to-security-vulnerabilities-and-how-to-prevent-them-in-java-applications" aria-label="Anchor"&gt;#&lt;/a&gt;
 &lt;/span&gt;
 
&lt;/h2&gt;
&lt;p&gt;Safely handling error reports is a central aspect of software development, especially in safety-critical applications. CWE-778 describes a vulnerability caused by inadequate control over error reports. This post will analyse the risks associated with CWE-778 and show how developers can implement safe error-handling practices to avoid such vulnerabilities in Java programs.&lt;/p&gt;</description></item><item><title>Understanding TOCTOU (Time-of-Check to Time-of-Use) in the Context of CWE-377</title><link>https://sven-ruppert.info/posts/understanding-toctou-time-of-check-to-time-of-use-in-the-context-of-cwe-377/</link><pubDate>Mon, 07 Oct 2024 17:57:36 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/understanding-toctou-time-of-check-to-time-of-use-in-the-context-of-cwe-377/</guid><description>&lt;p&gt;Building on the discussion of “CWE-377: Insecure Temporary File”, it’s essential to delve deeper into one of the most insidious vulnerabilities that can arise in this context—TOCTOU (Time-of-Check to Time-of-Use) race conditions. TOCTOU vulnerabilities occur when there is a time gap between verifying a resource (such as a file) and its subsequent use. Malicious actors can exploit this gap, especially in temporary file scenarios, leading to serious security breaches. 
This follow-up article will explore how TOCTOU conditions manifest in software, particularly in managing temporary files, and discuss strategies to mitigate these risks to ensure robust and secure application development.&lt;/p&gt;</description></item><item><title>CWE-1123: Excessive Use of Self-Modifying Code for Java Developers</title><link>https://sven-ruppert.info/posts/cwe-1123-excessive-use-of-self-modifying-code-for-java-developers/</link><pubDate>Thu, 12 Sep 2024 11:19:19 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/cwe-1123-excessive-use-of-self-modifying-code-for-java-developers/</guid><description>&lt;p&gt;Self-modifying code refers to a type of code that alters its own instructions while it is executing. While this practice can offer certain advantages, such as optimisation and adaptability, it is generally discouraged due to the significant risks and challenges it introduces. For Java developers, using self-modifying code is particularly problematic because it undermines the codebase&amp;rsquo;s predictability, readability, and maintainability, and Java as a language does not natively support self-modification of its code.&lt;/p&gt;</description></item><item><title>CWE-377 - Insecure Temporary File in Java</title><link>https://sven-ruppert.info/posts/cwe-377-insecure-temporary-file-in-java/</link><pubDate>Wed, 21 Aug 2024 13:17:12 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/cwe-377-insecure-temporary-file-in-java/</guid><description>&lt;p&gt;In software development, temporary files are often used to store data temporarily during an application’s execution. These files may contain sensitive information or be used to hold data that must be processed or passed between different parts of a program. 
However, if these temporary files are not managed securely, they can introduce vulnerabilities that may compromise the application&amp;rsquo;s confidentiality, integrity, or availability. The Common Weakness Enumeration (CWE) identifies CWE-377 as a weakness associated with the insecure creation and management of temporary files.&lt;/p&gt;</description></item><item><title>Securing Apache Maven: Understanding Cache-Related Risks</title><link>https://sven-ruppert.info/posts/securing-apache-maven-understanding-cache-related-risks/</link><pubDate>Mon, 27 May 2024 14:30:22 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/securing-apache-maven-understanding-cache-related-risks/</guid><description>&lt;h2 class="relative group"&gt;What is a Package Manager - Bird-Eye View
 &lt;div id="what-is-a-package-manager---bird-eye-view" class="anchor"&gt;&lt;/div&gt;
 
 &lt;span
 class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"&gt;
 &lt;a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#what-is-a-package-manager---bird-eye-view" aria-label="Anchor"&gt;#&lt;/a&gt;
 &lt;/span&gt;
 
&lt;/h2&gt;
&lt;p&gt;A package manager is a tool or system in software development designed to simplify the process of installing, updating, configuring, and removing software packages on a computer system. It automates managing dependencies and resolving conflicts between different software components, making it easier for developers to work with various libraries, frameworks, and tools within their projects.&lt;/p&gt;</description></item><item><title>CWE-416: Use After Free Vulnerabilities in Java</title><link>https://sven-ruppert.info/posts/cwe-416-use-after-free-vulnerabilities-in-java/</link><pubDate>Fri, 17 May 2024 12:17:30 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/cwe-416-use-after-free-vulnerabilities-in-java/</guid><description>&lt;h2 class="relative group"&gt;CWE-416: Use After Free
 &lt;div id="cwe-416-use-after-free" class="anchor"&gt;&lt;/div&gt;
 
 &lt;span
 class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"&gt;
 &lt;a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#cwe-416-use-after-free" aria-label="Anchor"&gt;#&lt;/a&gt;
 &lt;/span&gt;
 
&lt;/h2&gt;
&lt;p&gt;Use After Free (UAF) is a vulnerability that occurs when a program continues to use a pointer after it has been freed. This can lead to undefined behaviour, including crashes, data corruption, and security vulnerabilities. The problem arises because the memory referenced by the pointer may be reallocated for other purposes, potentially allowing attackers to exploit the situation.&lt;/p&gt;</description></item><item><title>CWE-787 - The Bird-Eye View for Java Developers</title><link>https://sven-ruppert.info/posts/cwe-787-the-bird-eye-view-for-java-developers/</link><pubDate>Wed, 15 May 2024 12:19:10 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/cwe-787-the-bird-eye-view-for-java-developers/</guid><description>&lt;p&gt;The term &amp;ldquo;&lt;strong&gt;CWE-787: Out-of-bounds Write&lt;/strong&gt;&amp;rdquo; refers to a specific type of security weakness in software systems. Let&amp;rsquo;s break down what it means:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Out-of-bounds Write&lt;/strong&gt;: This is a type of vulnerability where a program writes data outside the boundaries of pre-allocated fixed-length buffers. This can corrupt data, crash the program, or lead to the execution of malicious code.&lt;/p&gt;</description></item><item><title>The Hidden Dangers of Bidirectional Characters</title><link>https://sven-ruppert.info/posts/the-hidden-dangers-of-bidirectional-characters/</link><pubDate>Fri, 19 Apr 2024 10:12:58 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/the-hidden-dangers-of-bidirectional-characters/</guid><description>&lt;p&gt;Discover the hidden dangers of bidirectional control characters! We dive deep into how these essential text-rendering tools can be exploited to manipulate digital environments. Learn about their security risks, from filename spoofing to deceptive URLs, and uncover the crucial strategies to safeguard against these subtle yet potent threats. Understand how to protect your systems in a multilingual world. Join to ensure your digital security is not left to chance!&lt;/p&gt;</description></item><item><title>Audio Steganography In More Detail</title><link>https://sven-ruppert.info/posts/audio-steganography-in-more-detail/</link><pubDate>Wed, 17 Apr 2024 19:22:20 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/audio-steganography-in-more-detail/</guid><description>&lt;p&gt;Audio steganography is a technique for hiding information within an audio file so that only the intended recipient knows of the hidden data&amp;rsquo;s existence.
This method belongs to the broader field of steganography, which is itself a subfield of information security; the name comes from the Greek words &amp;ldquo;steganos,&amp;rdquo; meaning covered, and &amp;ldquo;graphein,&amp;rdquo; meaning writing.&lt;/p&gt;</description></item><item><title>Beyond the Visible: Exploring the Depths of Steganography</title><link>https://sven-ruppert.info/posts/beyond-the-visible-exploring-the-depths-of-steganography/</link><pubDate>Thu, 28 Mar 2024 14:02:52 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/beyond-the-visible-exploring-the-depths-of-steganography/</guid><description>&lt;p&gt;Steganography is the practice of concealing a message, file, image, or video within another message, file, image, or video. Unlike cryptography, which focuses on making a message unreadable to unauthorised parties, steganography aims to hide the message&amp;rsquo;s existence. The word &amp;ldquo;&lt;strong&gt;steganography&lt;/strong&gt;&amp;rdquo; is derived from the Greek words &amp;ldquo;&lt;strong&gt;steganos&lt;/strong&gt;,&amp;rdquo; meaning &amp;ldquo;&lt;strong&gt;covered&lt;/strong&gt;,&amp;rdquo; and &amp;ldquo;&lt;strong&gt;graphein&lt;/strong&gt;,&amp;rdquo; meaning &amp;ldquo;&lt;strong&gt;to write&lt;/strong&gt;.&amp;rdquo;&lt;/p&gt;</description></item><item><title>Serialising in Java - Birds Eye View</title><link>https://sven-ruppert.info/posts/serialising-in-java-birds-eye-view/</link><pubDate>Sun, 11 Feb 2024 13:46:53 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/serialising-in-java-birds-eye-view/</guid><description>&lt;p&gt;Serialisation in Java is implemented to convert the state of an object into a byte stream, which can be quickly persisted to a file or sent over a network.
This process is essential for persisting object data, supporting network communication, and facilitating the sharing of objects between different parts of a distributed system.&lt;/p&gt;</description></item><item><title>Contextual Analysis in Cybersecurity</title><link>https://sven-ruppert.info/posts/contextual-analysis-in-cybersecurity/</link><pubDate>Mon, 05 Feb 2024 17:49:29 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/contextual-analysis-in-cybersecurity/</guid><description>&lt;p&gt;Contextual analysis in cybersecurity involves examining events, actions, or data within the broader context of an organization&amp;rsquo;s IT environment. It is a critical component of a proactive cybersecurity strategy, aiming to understand the significance of activities by considering various factors surrounding them. This multifaceted approach helps cybersecurity professionals identify and respond to potential threats effectively.&lt;/p&gt;</description></item><item><title>What is a Common Weakness Enumeration - CWE</title><link>https://sven-ruppert.info/posts/what-is-a-common-weakness-enumeration-cwe/</link><pubDate>Wed, 10 Jan 2024 17:24:15 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/what-is-a-common-weakness-enumeration-cwe/</guid><description>&lt;p&gt;CWE stands for Common Weakness Enumeration. It is a community-developed list of software and hardware weakness types that can serve as a common language for describing, sharing, and identifying security vulnerabilities in software systems.
CWE aims to provide a standardized way of identifying and categorizing vulnerabilities, making it easier for software developers, testers, and security professionals to discuss and address security issues.&lt;/p&gt;</description></item><item><title>Secure Coding Practices - Input Validation</title><link>https://sven-ruppert.info/posts/secure-coding-practices-input-validation/</link><pubDate>Wed, 13 Dec 2023 07:52:24 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/secure-coding-practices-input-validation/</guid><description>&lt;h2 class="relative group"&gt;What is - Input Validation?
 &lt;div id="what-is---input-validation" class="anchor"&gt;&lt;/div&gt;
 
 &lt;span
 class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"&gt;
 &lt;a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#what-is---input-validation" aria-label="Anchor"&gt;#&lt;/a&gt;
 &lt;/span&gt;
 
&lt;/h2&gt;
&lt;p&gt;Input validation is a process used to ensure that the data provided to a system or application meets specific criteria or constraints before it is accepted and processed. The primary goal of input validation is to improve the reliability and security of a system by preventing invalid or malicious data from causing errors or compromising the system&amp;rsquo;s integrity.&lt;/p&gt;</description></item><item><title>Infection Method - Sub-Domain Takeover</title><link>https://sven-ruppert.info/posts/infection-method-sub-domain-takeover/</link><pubDate>Mon, 20 Nov 2023 14:37:29 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/infection-method-sub-domain-takeover/</guid><description>&lt;p&gt;A subdomain takeover is a type of cybersecurity vulnerability that occurs when an attacker gains control of a subdomain of a website or a domain name. This attack can seriously affect the security and functionality of a web application or website. In this explanation, we&amp;rsquo;ll look at subdomain takeovers, how they work, the risks they pose, and how to prevent them.&lt;/p&gt;</description></item><item><title>Infection Method - Domain Takeover</title><link>https://sven-ruppert.info/posts/infection-method-domain-takeover/</link><pubDate>Fri, 10 Nov 2023 10:31:25 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/infection-method-domain-takeover/</guid><description>&lt;p&gt;In this post, we will look at another method of infection. These are the attack vectors via domain names. This can happen at the main level, i.e. the domain itself, or via sub-domains. 
But what exactly is a domain takeover attack?&lt;/p&gt;</description></item><item><title>EclipseStore High-Performance-Serializer</title><link>https://sven-ruppert.info/posts/eclipsestore-high-performance-serializer/</link><pubDate>Mon, 09 Oct 2023 21:59:54 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/eclipsestore-high-performance-serializer/</guid><description>&lt;p&gt;I will introduce you to the serializer from the EclipseStore project and show you how to use it to take advantage of a new type of serialization.&lt;/p&gt;
&lt;p&gt;Since I learned Java over 20 years ago, I wanted to have a simple solution to serialize Java-Object-Graphs, but without the serialization security and performance issues Java brought us. It should be doable like the following…&lt;/p&gt;</description></item><item><title>TDD and the impact on security</title><link>https://sven-ruppert.info/posts/tdd-and-the-impact-on-security/</link><pubDate>Wed, 28 Jun 2023 16:08:03 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/tdd-and-the-impact-on-security/</guid><description>&lt;p&gt;Test-driven development (TDD) is a software development approach that prioritizes writing automated tests while creating the actual code. There follows a cycle of writing a failed test, writing the code to make the test pass, and then refactoring the code. TDD was originally developed to ensure the quality, maintainability and expandability of the software created over the long term. The specific knowledge about the individual source text passages should also be shown in the tests. Thus, a transfer of responsibility between developers is supported. Better than any documentation, tests are always up-to-date regarding the function that has been implemented in the source code.&lt;/p&gt;</description></item><item><title>Introduction to the Linux Foundation's SLSA project</title><link>https://sven-ruppert.info/posts/introduction-to-the-linux-foundations-slsa-project/</link><pubDate>Sat, 10 Dec 2022 21:56:43 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/introduction-to-the-linux-foundations-slsa-project/</guid><description>&lt;p&gt;Supply Chain Security is a hot topic these days. And more and more, we as developers are dealing with this daily. But what does this mean for us, and how is this influencing our job? 
I want to give an overview of common attacks against the Software Supply Chain from the developer&amp;rsquo;s view and will introduce the Open Source project SLSA from the Linux Foundation.&lt;/p&gt;</description></item><item><title>The Power of #JFrog Build Info (Build Metadata)</title><link>https://sven-ruppert.info/posts/the-power-of-jfrog-build-info-build-metadata/</link><pubDate>Fri, 08 Oct 2021 13:42:05 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/the-power-of-jfrog-build-info-build-metadata/</guid><description>&lt;p&gt;&lt;strong&gt;Intro&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This article will take a detailed look at what the term build-info is all about and why it will help us protect against attacks such as the SolarWinds Hack.&lt;/p&gt;</description></item><item><title>SolarWinds hack and the Executive Order from Mr Biden -- And now?</title><link>https://sven-ruppert.info/posts/solarwinds-hack-and-the-executive-order-from-mr-biden-and-now/</link><pubDate>Tue, 27 Jul 2021 11:10:15 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/solarwinds-hack-and-the-executive-order-from-mr-biden-and-now/</guid><description>&lt;p&gt;&lt;a href="https://open.spotify.com/show/0rZHMLs9fWq1G0Q2DAQbc3" target="_blank" rel="noreferrer"&gt;Podcast on Spotify&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;In the past two years, we have had to learn a lot about cybersecurity. The new attack vectors are becoming more and more sophisticated and are directed more and more against the value chain in general. But what does that mean for us? What can be done about it, and what reactions has the state already taken?&lt;/p&gt;</description></item><item><title>What is the difference between SAST, DAST, IAST and RASP?</title><link>https://sven-ruppert.info/posts/what-is-the-difference-between-sast-dast-iast-and-rasp/</link><pubDate>Mon, 19 Jul 2021 15:34:30 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/what-is-the-difference-between-sast-dast-iast-and-rasp/</guid><description>&lt;p&gt;&lt;a href="https://open.spotify.com/show/0rZHMLs9fWq1G0Q2DAQbc3" target="_blank" rel="noreferrer"&gt;Podcast on Spotify&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Intro:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In this post, we&amp;rsquo;re going to look at the differences between the various cybersecurity defence techniques. Here you can identify four main groups, which we will go through briefly one after another to illustrate the advantages and disadvantages.&lt;/p&gt;</description></item><item><title>The Lifeline of a Vulnerability</title><link>https://sven-ruppert.info/posts/the-lifeline-of-a-vulnerability/</link><pubDate>Fri, 25 Jun 2021 16:17:29 +0000</pubDate><author>sven.ruppert@gmail.com (Sven Ruppert)</author><guid>https://sven-ruppert.info/posts/the-lifeline-of-a-vulnerability/</guid><description>&lt;p&gt;&lt;a href="https://open.spotify.com/show/0rZHMLs9fWq1G0Q2DAQbc3" target="_blank" rel="noreferrer"&gt;Podcast on Spotify&lt;/a&gt;&lt;/p&gt;

&lt;h2 class="relative group"&gt;Intro
 &lt;div id="intro" class="anchor"&gt;&lt;/div&gt;
 
 &lt;span
 class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"&gt;
 &lt;a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#intro" aria-label="Anchor"&gt;#&lt;/a&gt;
 &lt;/span&gt;
 
&lt;/h2&gt;
&lt;p&gt;Again and again, we read something in the IT news about security gaps that have been found. The more severe the classification of this loophole, the more attention this information will get in the general press. Most of the time, you don&amp;rsquo;t even hear or read anything about all the security holes found that are not as well known as the SolarWinds Hack, for example. But what is the typical lifeline of such a security gap?&lt;/p&gt;</description></item></channel></rss>