Security and Java

Greenhorn
Hello all,

I am still relatively new to Java, currently at the level of the certified associate and preparing for the next one. It is an enjoyable experience, and I wanted input on something related to security.

https://www.washingtonpost.com/news/the-switch/wp/2015/12/21/nearly-a-billion-pcs-run-this-notoriously-insecure-software-now-oracle-has-to-clean-it-up/

At the above link, it says Java SE is not very secure. Since I am still a beginner in the field, could anyone aware of this please provide any input on the above? And also, what are some good resources to get familiar with secure programming/issues with security for Java? I know I am a long way away from that level of depth, but I just like buying books and resources regardless.

Thanks!
Ranch Hand
Thanks for sharing that link. It's sad to read this, because Java was designed with security built in from the beginning. Unfortunately, there have been times when that promise has not been borne out.

This "insecure software" to which they refer is specifically about JDKs/JREs that are installed on end-user boxes. Desktops, primarily, can have outdated JVMs on them. People can download programs, not knowing or caring if they are Java. As they do, a JRE installation is required, so they click through that. Then, some time later, new Java code which exploits flaws in these obsolete JVMs is downloaded, too. Newer JVMs will have had security changes put into place.

For instance, there was a security revamp starting with one specific revision of Java 6 (I think this is the relevant link: http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html ). If a consumer box had JRE 1.6.0_01, it would NOT have the 17 critical patches discussed in the link. JREs/JDKs have to be updated just like a web browser. But Oracle had (according to the article) not made this apparent to users.

BTW, this article is not about JVMs running on servers to build web sites and middleware. Those must be shielded, but that's a different set of issues.

A sometimes confusing thing about these Java distributions is that no JRE is going to endanger your box unless some code runs on it. The danger here is that an attacker could use this vulnerability by putting out malware classes, which are downloaded as Applets, perhaps, and succeed in doing bad things on the outdated JRE. I think Oracle also got into some hot water about how the JRE handles it when potentially dangerous code gets run on it. To address that, after a certain revision the rules changed on whether, or what kind of, popup message appeared for downloaded code.

That said, here's a third party source that might help you learn more about this situation: https://www.owasp.org/index.php/Java . OWASP is a good general security site. Disclaimer: I need to go there myself more often. You also might want to look at http://docs.oracle.com/javase/tutorial/deployment/applet/security.html . But just be aware that Applets are not the only things running on JVMs. Code can be run on your JVM as an Applet, as a Web Start download, or as part of some download-install (just like an executable).
Enjoy
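The practical check behind the post above (that a JRE on an end-user box has to be kept updated like a browser) is a version audit. The following is an added example, not code from the thread: a small Python script that parses the banner printed by `java -version` under both the pre-9 `1.MAJOR.MINOR_UPDATE` scheme (e.g. `1.6.0_01`) and the JEP 223 `MAJOR.MINOR.SECURITY` scheme (e.g. `11.0.2`), then compares the result with a per-major baseline. The `MINIMUM` table and the sample banners are constructed for illustration; the 6u26 entry is assumed to correspond to the June 2011 Critical Patch Update the post links to, and a real baseline would be taken from Oracle's CPU advisories rather than from this script.

```python
"""Flag outdated Java runtimes from `java -version` banners.

Added example for the thread; not code from the post or from Oracle.
"""
import re
import subprocess

# The first line of `java -version` output (it goes to stderr) looks like
#   java version "1.6.0_01"                 old scheme: 1.MAJOR.MINOR_UPDATE
#   java version "1.8.0_202-b08"            old scheme with a build suffix
#   openjdk version "11.0.2" 2019-01-15     JEP 223 scheme: MAJOR.MINOR.SECURITY
VERSION_RE = re.compile(r'version "([^"]+)"')

# Assumed per-major baselines for illustration only. The 6u26 entry is
# assumed to match the June 2011 CPU the post refers to; real values come
# from Oracle's Critical Patch Update advisories, not from this table.
MINIMUM = {
    6: (6, 0, 26),
    8: (8, 0, 202),
    11: (11, 0, 2),
}


def parse_java_version(banner):
    """Return (major, minor, patch) parsed from a `java -version` banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no Java version string in banner")
    raw = m.group(1)
    core = re.split(r"[-+]", raw)[0]  # drop "-b08", "-ea", "+7" style suffixes
    if core.startswith("1."):
        # Old scheme: "1.6.0_01" is Java 6, minor 0, update 1.
        head, _, update = core[2:].partition("_")
        nums = head.split(".")
        major = int(nums[0])
        minor = int(nums[1]) if len(nums) > 1 else 0
        return (major, minor, int(update) if update else 0)
    # New scheme: "11.0.2" -> (11, 0, 2); a bare "17" pads to (17, 0, 0).
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def classify(version, minimum=MINIMUM):
    """'outdated' if below the baseline for its major line, 'ok' if not,
    'unknown' when the major line has no baseline in the table."""
    baseline = minimum.get(version[0])
    if baseline is None:
        return "unknown"
    return "outdated" if version < baseline else "ok"


def check_banner(banner, minimum=MINIMUM):
    """Summarise one banner: parsed version, status, and the baseline used."""
    version = parse_java_version(banner)
    return {
        "version": version,
        "status": classify(version, minimum),
        "baseline": minimum.get(version[0]),
    }


def installed_java_banner():
    """Run the local `java -version`; return None if no java is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


# Constructed sample banners standing in for three end-user desktops.
SAMPLES = {
    "desktop-a": 'java version "1.6.0_01"\nJava(TM) SE Runtime Environment (build 1.6.0_01-b06)\n',
    "desktop-b": 'java version "1.8.0_202-b08"\n',
    "desktop-c": 'openjdk version "11.0.2" 2019-01-15\n',
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(host, check_banner(banner))
    live = installed_java_banner()
    if live:
        print("this machine", check_banner(live))
```

The two parsing branches matter because a naive string comparison puts "1.8.0_202" ahead of "11.0.2"; normalising both schemes to a `(major, minor, patch)` tuple makes the baseline comparison meaningful. An "unknown" status for a major line not in the table is deliberate: a runtime the admin has not set a baseline for should be looked at, not silently passed.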
Bartender

John Freeman wrote:At the above link, it says Java SE is not very secure. Since I am still a beginner in the field, could anyone aware of this please provide any input on the above?


Well, as an old security admin myself, one of the first lessons you learn is that nothing is absolutely secure. The Internet is a big, bad place; and the best you can hope for is to slow someone down; but if someone has enough time and money (and will), they will get your secrets. So if you want to keep something secure:
Don't put it on the Internet.
And since Java's biggest security weakness is the JVM: Don't run a JVM on any machine that has a direct connection to the Internet.

Unfortunately, while Unix and Linux admins have known this simple rule for decades, and the latter even has configs for setting up things like firewalls (although I'm such a dinosaur, I still prefer to pick installed packages myself), it seems to be conspicuously lacking on Windows servers, which will happily install a JVM for you by default, along with all sorts of other "crackable" things like IIS.

I hate to say, but I have little sympathy for companies - as opposed to people - that have run into security problems with Java, because clearly they (or their admins) forgot the first rule of security:
Trust no-one ... especially software vendors.

Winston