BSides London 2025

When Java Plays Unsafe: How a Single Mistake Can Break Memory Safety
2025-12-13, Rookie Track 2

Despite its reputation as a memory-safe language, Java has a dangerous side. In this talk, we will show that a single coding slip or the wrong third-party dependency can compromise your application's memory safety.

You’ll learn:
- What memory safety is and why it matters (even in Java).
- How attackers can exploit hidden dangers like the Unsafe class.
- Safer alternatives like the Foreign Function and Memory API.

Perfect for developers, architects, and security professionals, this talk bridges the gap between theory and practice, and aligns with today’s growing industry focus on memory safety and software supply chain security.


This talk explains what memory safety is and why memory-safe languages are a significant step forward in application security. Then, we will focus specifically on the Java programming language. Despite being memory-safe, it allows developers to access low-level functions that can break these guarantees with the slightest mistake. We will demonstrate the consequences of such a mistake.

We will cover various ways to mitigate these risks, including brand new APIs recently added to the Java SDK. We will show how you can detect these risks in both open source and proprietary Java applications as well as third-party libraries. Finally, we will share the results of a study of various Java static analysis tools (both commercial and free) to detail which tools can help you detect these risks, either out-of-the-box, via configuration, or customization.
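As an added illustration (not code from the talk or its speaker), the same off-by-one bug is written twice below: once through sun.misc.Unsafe, where the extra write lands past the end of the allocation with no error at all, and once through the Foreign Function and Memory API, where the MemorySegment bounds check turns the identical mistake into an IndexOutOfBoundsException. It assumes JDK 22 or later (the FFM API became final in 22); the class and method names UnsafeVsFfm, unsafeWrite and ffmWrite are my own.

```java
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.lang.reflect.Field;
import sun.misc.Unsafe;

public class UnsafeVsFfm {
    // Obtain sun.misc.Unsafe by reflection, the way third-party libraries usually do.
    private static Unsafe unsafe() throws Exception {
        Field f = Unsafe.class.getDeclaredField("theUnsafe");
        f.setAccessible(true);
        return (Unsafe) f.get(null);
    }

    // BUG: "<=" instead of "<" writes one long past the end of the native allocation.
    // Unsafe performs no bounds check, so the corruption is silent; the JVM may crash later.
    static void unsafeWrite(int count) throws Exception {
        Unsafe u = unsafe();
        long base = u.allocateMemory((long) count * Long.BYTES);
        try {
            for (int i = 0; i <= count; i++) {          // should be i < count
                u.putLong(base + (long) i * Long.BYTES, 0x41L);
            }
        } finally {
            u.freeMemory(base);
        }
    }

    // The same loop with the FFM API: every access is checked against the segment's size,
    // so the write at index == count throws IndexOutOfBoundsException instead of corrupting memory.
    static void ffmWrite(int count) {
        try (Arena arena = Arena.ofConfined()) {       // memory is freed when the arena closes
            MemorySegment seg = arena.allocate(ValueLayout.JAVA_LONG, count);
            for (int i = 0; i <= count; i++) {          // identical off-by-one
                seg.setAtIndex(ValueLayout.JAVA_LONG, i, 0x41L);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            ffmWrite(4);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("FFM rejected the out-of-bounds write: " + e.getMessage());
        }
        unsafeWrite(4);   // completes without any exception despite the same bug
        System.out.println("Unsafe write 'succeeded' (memory past the buffer was overwritten)");
    }
}
```

Recent JDKs print a warning when sun.misc.Unsafe memory-access methods are called (they are deprecated for removal), which is itself a useful signal when auditing a dependency for this pattern.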


Please confirm that I am a first time speaker and have not spoken in public and will not be before the Bsides London event date (14th December 2024).: Yes

Thomas has more than 20 years of Java development experience with a focus on information security. He is a member of the OpenSSF (part of the Linux Foundation) Memory Safety Special Interest Group whose mission is to understand and reduce memory safety vulnerabilities in Open Source Software. He is also a lifetime member of OWASP and an avid contributor to Open Source projects.