Conference, 45 min
Steel for Vulnerabilities, Silver for Zombies: Hunting Java's Unseen Monsters
The session examines the hidden economics and sustainability of Java’s open-source supply chain, highlighting infrastructure costs, EU compliance pressures, and maintainer challenges. It reveals risks from unnoticed end-of-life dependencies and offers practical methods to detect them and decide when third-party EOL support is preferable to rushed migrations.
Steve Poole, HeroDevs
When and where
Friday, April 24, 14:35-15:20
Paris 242AB
"Evil is evil. Lesser, greater, middling… It’s all the same. But some monsters are harder to track than others."
Your Dependabot alerts are cleared. Your Snyk dashboard is green. You think the contract is closed, but a "Zombie" is lurking in your transitive dependencies. In the age of the EU Cyber Resilience Act, a library that is "vulnerability-free" but End-of-Life (EOL) is a monster waiting to strike during your next compliance audit.
Standard SCA tools are your steel sword (great for known threats), but you need silver for the abandoned, the unmaintained, and the silently dead.
In this session, we’ll brew a "Security Decoction" using:
- Snyk & Dependabot: For frontline defence against known CVEs.
- OpenSSF Scorecards & deps.dev: To track the "vital signs" of your maintainers.
- HeroDevs EOL: To identify exactly when a dependency has crossed into the afterlife.
Join us to learn how to build a Java stack that isn't just secure for today’s build, but sustainable for the long trek ahead.
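The three signal sources above answer different questions: the SCA tools say whether a version carries known CVEs, while release history, the Scorecard "Maintained" check and an EOL feed say whether anyone will ever fix the next one. The script below is an added example (not code from the talk or from HeroDevs) that combines those lifecycle signals into a triage list and, in particular, surfaces the case the abstract warns about: a library with zero known CVEs that is already past its end-of-life date. All dependency coordinates, dates, scores and the two thresholds are constructed for illustration; in real use the release dates and Scorecard values would be fetched from deps.dev and the EOL dates from an EOL data source.

```python
"""Zombie-dependency triage: flag EOL and unmaintained libraries that a
CVE-only scan leaves green.

Added example, not part of the talk. Every value below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    known_cves: int  # what a CVE-based SCA scan (Snyk/Dependabot) reports

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass(frozen=True)
class VitalSigns:
    last_release: date        # newest release across all versions (deps.dev-style signal)
    maintained_score: float   # OpenSSF Scorecard "Maintained" check, 0..10
    eol_date: Optional[date]  # announced end-of-life date, None if none announced


STALE_AFTER_DAYS = 540  # assumed threshold: roughly 18 months without any release
LOW_MAINTAINED = 3.0    # assumed threshold on the Maintained score

SEVERITY = {"EOL": 0, "ZOMBIE_SUSPECT": 1, "UNKNOWN": 2, "HEALTHY": 3}


def classify(signs: Optional[VitalSigns], today: date) -> str:
    """Lifecycle status from maintenance signals only; CVE count is ignored here."""
    if signs is None:
        return "UNKNOWN"  # missing data is not a green light
    if signs.eol_date is not None and signs.eol_date <= today:
        return "EOL"
    stale = (today - signs.last_release).days > STALE_AFTER_DAYS
    if stale or signs.maintained_score < LOW_MAINTAINED:
        return "ZOMBIE_SUSPECT"
    return "HEALTHY"


def recommend(status: str, known_cves: int) -> str:
    """Audit action: lifecycle status decides, CVE count only changes the urgency."""
    if status == "EOL":
        if known_cves > 0:
            return "migrate now: EOL and already carrying known CVEs"
        return ("vulnerability-free but EOL: schedule migration or secure "
                "third-party EOL support before the audit")
    if status == "ZOMBIE_SUSPECT":
        return "verify maintainer activity; pin the version and budget a replacement"
    if status == "UNKNOWN":
        return "collect vital signs (release history, Scorecard, EOL status) first"
    return "healthy: keep it under standard SCA monitoring"


def triage(deps: List[Dependency], signs_by_key: Dict[str, VitalSigns],
           today: date) -> List[dict]:
    """Return one row per dependency, worst lifecycle status first."""
    rows = []
    for dep in deps:
        status = classify(signs_by_key.get(f"{dep.group}:{dep.artifact}"), today)
        rows.append({"coordinates": dep.coordinates, "status": status,
                     "known_cves": dep.known_cves,
                     "action": recommend(status, dep.known_cves)})
    return sorted(rows, key=lambda r: SEVERITY[r["status"]])


# Constructed inventory: four hypothetical artifacts, none of them real projects.
SAMPLE_DEPS = [
    Dependency("org.example", "legacy-xml", "1.4.2", known_cves=0),   # the zombie
    Dependency("org.example", "stale-util", "2.0.0", known_cves=0),
    Dependency("org.example", "active-http", "5.3.1", known_cves=1),
    Dependency("org.example", "mystery-lib", "0.9", known_cves=0),    # no signals at all
]
SAMPLE_SIGNS = {
    "org.example:legacy-xml": VitalSigns(date(2019, 6, 1), 0.0, date(2021, 12, 31)),
    "org.example:stale-util": VitalSigns(date(2023, 11, 15), 2.0, None),
    "org.example:active-http": VitalSigns(date(2026, 3, 2), 9.0, None),
}
AUDIT_DATE = date(2026, 4, 24)  # constructed audit date

if __name__ == "__main__":
    for row in triage(SAMPLE_DEPS, SAMPLE_SIGNS, AUDIT_DATE):
        print(f"{row['status']:<15} {row['coordinates']:<32} "
              f"cves={row['known_cves']}  -> {row['action']}")
```

Two design choices matter for an audit. First, `classify` never looks at the CVE count, so `legacy-xml` lands at the top of the list despite a clean SCA report; the CVE count only sharpens the recommended action. Second, a dependency with no lifecycle data at all is reported as `UNKNOWN` rather than silently treated as healthy, because an absent signal is exactly where a zombie hides.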
Steve Poole
Developer Advocate, Developer Security Champion, DevOps Lead. A thoroughly seasoned engineer, leader and strategist from operating systems to JVMs to ChatGPT. Open source committer and contributor, Apache, Eclipse, OpenJDK, OpenSSF, OWASP member, Mad Scientist and user group leader: a seasoned speaker and regular presenter at international conferences on technical and software engineering topics. Greybeards rule!
