Java Serialization Filtering — Prevent 0-Day Security Vulnerabilities

I’ve been a Java developer long enough to remember the excitement when Sun introduced the concept of serialization in the JVM. In the world of C, we could just write a struct into a file, but this was always problematic: it wasn’t portable, and it had many other issues. For Java, we could just write the object, and it “worked.” This was pure magic!

Java was still mostly in use on the client side, and when we thought about security, we had different vulnerabilities in mind: the sandbox occupied most of our security discussions. Fast forward a couple of decades, and today, when most developers discuss serialization, the discussion isn’t so positive. Serialization, as Brian Vermeer puts it, is “the gift that keeps giving.”

This article has been indexed from DZone Security Zone