I am still relatively new to Java, currently at the level of the certified associate and preparing for the next one. It is an enjoyable experience, and I wanted input on something related to security.
At the above link, it says Java SE is not very secure. Since I am still a beginner in the field, could anyone aware of this please provide any input on the above? And also, what are some good resources to get familiar with secure programming/issues with security for Java? I know I am a long way away from that level of depth, but I just like buying books and resources regardless.
Thanks for sharing that link. It's sad to read this, because Java was designed with security built in from the beginning. Unfortunately, there have been times when that promise has not been borne out.
This "insecure software" to which they refer is specifically about JDKs/JREs that are installed on end-user boxes. Desktops, primarily, can have outdated JVMs on them. People download programs without knowing or caring whether they are Java. As they do, a JRE installation is required, so they click through that. Then, some time later, new Java code that exploits flaws in these obsolete JVMs is downloaded too. Newer JVMs will have had security changes put into place. For instance, there was a security revamp starting with one specific revision of Java 6 (I think this is the relevant link: http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html ). If a consumer box had JRE 1.6.0_01, it would NOT have the 17 critical patches discussed in that link. JREs/JDKs have to be updated just like a web browser. But Oracle had (according to the article) not made this apparent to users. BTW, this article is not about JVMs running on servers to build web sites and middleware. Those must be shielded too, but that's a different set of issues.
A sometimes confusing thing about these Java distributions is that no JRE is going to endanger your box unless some code runs on it. The danger here is that an attacker could use this vulnerability by putting out malware classes, downloaded as applets perhaps, and succeed in doing bad things on the outdated JRE. I think Oracle also got into some hot water about how the JRE handles it when potentially dangerous code gets run on it. To address that, after a certain revision the rules changed on whether, and what kind of, popup message appeared for downloaded code.
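The post above makes the practical point that an installed JRE is only as safe as its patch level, and that a box still on 1.6.0_01 lacks the fixes from the June 2011 Critical Patch Update. The script below is an added example and not code from the thread or from Oracle: it parses the banner that `java -version` prints (to stderr) for both the legacy "1.x.y_uu" scheme used through JDK 8 and the "major.minor.security" scheme used from JDK 9 on, and checks each runtime against a minimum build. The default baseline 1.6.0_26 is an assumption on my part (the build I recall that CPU shipping as), and the inventory banners are constructed samples, not captures from real hosts.

```python
"""Check whether Java runtimes meet a patch baseline.

Added example, not from the original thread. Parses the first line of
`java -version` output for both the legacy "1.x.y_uu" scheme (JDK 8 and
earlier) and the "major.minor.security" scheme (JDK 9 onward), then
compares against a minimum. DEFAULT_BASELINE is an assumption: the build I
recall the June 2011 Critical Patch Update shipping as, not a fact the
thread states.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, security/update, patch)

DEFAULT_BASELINE = "1.6.0_26"  # assumption, see module docstring

# 1.6.0_26, 1.8.0_292-b10, 1.7.0: the update number after '_' is the security level
_LEGACY = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?(?:-\w+)?$")
# 9, 11.0.2, 17.0.2+8, 21-ea: dotted components plus optional build/pre-release suffix
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$")


def parse_java_version(text: str) -> Version:
    """Map a version token or a full `java -version` banner to a comparable tuple.

    Legacy 1.6.0_26 becomes (6, 0, 26, 0) so that it orders correctly against
    modern 17.0.2, which becomes (17, 0, 2, 0).
    """
    m = re.search(r'version "([^"]+)"', text)
    token = m.group(1) if m else text.strip()
    lm = _LEGACY.match(token)
    if lm:
        return (int(lm.group(1)), int(lm.group(2) or 0), int(lm.group(3) or 0), 0)
    mm = _MODERN.match(token)
    if mm:
        return tuple(int(g or 0) for g in mm.groups())  # type: ignore[return-value]
    raise ValueError(f"unrecognised Java version string: {token!r}")


def meets_baseline(banner: str, baseline: str = DEFAULT_BASELINE) -> bool:
    """True if the runtime described by `banner` is at or above `baseline`."""
    return parse_java_version(banner) >= parse_java_version(baseline)


def audit(banners: Dict[str, str], baseline: str = DEFAULT_BASELINE) -> Dict[str, bool]:
    """Evaluate a host -> banner inventory; an unparseable banner counts as failing."""
    results: Dict[str, bool] = {}
    for host, banner in banners.items():
        try:
            results[host] = meets_baseline(banner, baseline)
        except ValueError:
            results[host] = False
    return results


def installed_java_banner() -> Optional[str]:
    """Return the local `java -version` banner, or None if no java is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout or None


# Constructed sample banners, not captured from real hosts.
SAMPLE_INVENTORY = {
    "stale-desktop": 'java version "1.6.0_01"\nJava(TM) SE Runtime Environment (build 1.6.0_01-b06)',
    "cpu-june-2011": 'java version "1.6.0_26"',
    "jdk8-box": 'openjdk version "1.8.0_292"',
    "jdk17-box": 'openjdk version "17.0.2" 2022-01-18',
    "broken-banner": "no java here",
}

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_INVENTORY).items():
        print(f"{host:15} {'OK' if ok else 'NEEDS UPDATE'}")
    local = installed_java_banner()
    if local:
        print("local runtime:", "OK" if meets_baseline(local) else "NEEDS UPDATE")
```

Run it as-is to see the constructed inventory scored, or feed `audit()` banners collected from your own hosts; the baseline is a plain string, so raising it to whatever your current patch policy requires is a one-line change.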
John Freeman wrote: At the above link, it says Java SE is not very secure. Since I am still a beginner in the field, could anyone aware of this please provide any input on the above?
Well, as an old security admin myself, one of the first lessons you learn is that nothing is absolutely secure. The Internet is a big, bad place, and the best you can hope for is to slow someone down; if someone has enough time and money (and will), they will get your secrets. So if you want to keep something secure:
Don't put it on the Internet.
And since Java's biggest security weakness is the JVM: Don't run a JVM on any machine that has a direct connection to the Internet.
Unfortunately, while Unix and Linux admins have known this simple rule for decades, and the latter even has configs for setting up things like firewalls (although I'm such a dinosaur that I still prefer to pick installed packages myself), it seems to be conspicuously lacking on Windows servers, which will happily install a JVM for you by default, along with all sorts of other "crackable" things like IIS.
I hate to say, but I have little sympathy for companies - as opposed to people - that have run into security problems with Java, because clearly they (or their admins) forgot the first rule of security:
Trust no-one ... especially software vendors.
"Leadership is nature's way of removing morons from the productive flow" - Dogbert
Articles by Winston can be found here