
Paul Ambrosini

Paul is the Director of engineering at SourceClear, leading the platform team to build the best software composition analysis solution.

Posts by Paul Ambrosini
  • Docker and JAVA_OPTS
    December 22, 2015

    While adjusting some environment variables recently, I came across an odd issue with Docker, Spring Boot and JAVA_OPTS. JAVA_OPTS comes from the Tomcat/Catalina world and when searching for "Docker and javaopts" on Google you'll find many references to just adding JAVA_OPTS to the Docker environment. After some testing, I found this to be incorrect when running a Spring Boot jar in a Docker…

  • Spring Social Core Vulnerability Disclosure

    Today we would like to announce the discovery of a vulnerability in the Spring Social Core library. Spring Social provides Java bindings to popular service provider APIs like GitHub, Facebook, Twitter, etc., and is widely used by developers. All current versions (1.0.0.RELEASE to 1.1.2.RELEASE) of the library are affected by this vulnerability. To exploit this vulnerability, an attacker can…

  • Spring, RabbitMQ & Dead Letter Exchanges

    RabbitMQ has become a staple for building job queues between the myriad of Spring Boot micro-services I've built at SRC:CLR. The Spring abstraction has allowed for quick and mostly painless development. What I hadn't found a need for was RabbitMQ's "Dead Letter Exchange" setup. Multiple times there had been discussions about using the dead letter pattern but I'd never gone that route. During one…

  • Prohibiting RC4 Cipher Suites in AWS

    In December of 2014 researchers found that the RC4 cipher being used in common TLS implementations could be easily broken. As of January 15, 2015, the recommended predefined security policy for AWS Elastic Load Balancers still permits the use of RC4 ciphers and will need to be custom configured to deal with the RC4 vulnerability. These steps are described here. Background In October of 2014 a…
