

This webcast has been archived. The slides for this webcast are not available for download.

Why So Serious? Insecure Object Deserialization Demystified

  • Tuesday, December 01, 2020 at 7:30 PM PST (2020-12-02 03:30:00 UTC)




Deserialization vulnerabilities have gained significant traction over the past few years, resulting in this category of weakness taking eighth place on the OWASP Top 10. Despite their severity, deserialization vulnerabilities tend to be among the less frequently discussed application exploits and are often misunderstood by security consultants and penetration testers without a development background. This knowledge gap leaves adversaries with an advantage and security professionals with a disadvantage. This presentation is designed to demystify insecure deserialization vulnerabilities, including exploitation and defensive strategies on different platforms such as Java, .NET, PHP, and Android.


Karim Lalji

Karim Lalji works for TELUS Business, a large national telecommunications and business consulting firm, as a Managing Security Consultant based out of Vancouver, BC. Karim is a graduate of the MSISE program at the SANS Technology Institute and a proud holder of the GIAC Security Expert (GSE) certification.
