I was sitting in a meeting discussing application vulnerability concerns raised by a customer and had a thought… it hurt a little but I got over it.
There are security issues in every app, regardless of language. Java apps, however, seem to get more attention lately, primarily due to the number of security issues in the JREs/JVMs we use, and that those apps come under higher scrutiny from customers because of JVM issues.
Java applications went through a phase in which we decided that shipping the app with its own JVM reduced the test and support matrix for vendors, and at the time nobody gave the practice much thought. The Java environment initially had something of a reputation for being secure by design, and we coasted on that for quite a while.
Then, we started getting more and more security updates to our JVMs and we had to start working out how to keep products up-to-date with our own fixes in addition to the JVM updates. Consequently, vendors suddenly became responsible for re-distribution of the JVM fixes.
All of this is relevant to my point because as I sat in this meeting and walked through a list of issues, more than half of the issues the tool reported were defects in the JVM we shipped, in code that no path in our application ever executed.
We were lost in the false positives, trying to filter our application's own issues out of all of this noise. I realized then that any given Java application's image is detrimentally affected by the JVM's security issues. Customers want the app but don't want the JVM, because it has a bad reputation, regardless of whether the application actually exposes those security issues.
In turn, we as vendors of Java applications are suffering from the platform’s reputation in a way that a C program running on Linux is not tainted by security issues of the Linux distribution.
I think that the future will see more companies avoiding deploying the JVM with their app and making the customer responsible for it. Will that help? I don’t know.
It will help to begin to distance the applications from the OS they run on and that may improve the view of Java apps as acceptable, but we will continue to pay the price of being seen as too close to the JVM/OS we run our Java apps on for some time yet.
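One piece of bookkeeping that taking responsibility for a bundled JVM implies is knowing which JVMs you ship and at what patch level. As an added example, not code from the original post, the Python script below walks an install tree, reads the plain-text `release` file that JDK and JRE directories ship beside `bin/` (the `JAVA_VERSION="..."` line is the standard format), and flags any bundled JVM below a minimum patched version; the install tree and version numbers it audits are constructed in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Every JRE/JDK home ships a "release" file beside bin/ with a line such as
# JAVA_VERSION="1.8.0_25"; that line is what the inventory reads.
VERSION_RE = re.compile(r'^JAVA_VERSION="([^"]+)"', re.MULTILINE)


def parse_release(text):
    """Extract the JAVA_VERSION string from a release file, or None if absent."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def version_tuple(version):
    """'1.8.0_25' -> (1, 8, 0, 25) so update levels compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_bundled_jvms(root):
    """Map each JVM home under root (relative path) to its version string."""
    inventory = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if "release" in filenames and "bin" in dirnames:
            text = Path(dirpath, "release").read_text(errors="replace")
            inventory[os.path.relpath(dirpath, root)] = parse_release(text)
    return inventory


def outdated(inventory, minimum):
    """Return the JVM homes whose version is below the minimum patched level."""
    floor = version_tuple(minimum)
    return sorted(home for home, ver in inventory.items()
                  if ver is None or version_tuple(ver) < floor)


def demo():
    """Build a constructed install tree with two bundled JREs and audit it."""
    base = Path(tempfile.mkdtemp())
    for home, version in (("app1/jre", "1.8.0_25"), ("app2/runtime", "1.8.0_31")):
        (base / home / "bin").mkdir(parents=True)
        (base / home / "release").write_text(f'JAVA_VERSION="{version}"\nOS_NAME="Linux"\n')
    inventory = find_bundled_jvms(base)
    return inventory, outdated(inventory, "1.8.0_31")


if __name__ == "__main__":
    inv, old = demo()
    for home, ver in sorted(inv.items()):
        print(f"{home}: {ver}{'  <-- below minimum' if home in old else ''}")
```

Point `find_bundled_jvms` at a real product install directory to list the JVMs a release actually carries, which is the list a scanner will report against whether or not the application exercises them.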