Half of security pros believe Java apps are vulnerable to attacks
While Java struggles frantically to restore its image, experts still doubt the language's security
Close to half of all IT professionals think that Java applications are insecure, according to a recent survey by Dublin-based JVM specialist Waratek: 49% of the CSOs, CIOs and CISOs surveyed hold that view, and they blame insecure coding (60%) and flaws in third-party libraries (25%).
87% of the 130 senior IT security professionals who took part said that their security teams did not know enough about data centre applications to be able to protect them from hacks.
Is Java as bad as its reputation?
Although last year Oracle promised to “fix Java”, its image remains tarnished by a history of security flaws. Earlier this month, Oracle issued a series of patches for Java 8 as part of its Critical Patch Update.
Although Oracle is working hard to keep Java 8 secure, legacy systems that rely on older versions of Java remain vulnerable. Developers are advised to run the latest available version of Java to get the best security return on their IT investment. According to Microsoft’s recent Security Intelligence Report, Java plugins are the components most at risk of attack from exploit toolkits.
Meanwhile, attacks on Java are steadily growing more sophisticated: cyber criminals have even succeeded in cracking Java 7’s native layer.
Waratek CEO Brian Maccaba said the problem was partly due to the dominant use of custom-developed Java-based applications. “Since many of these enterprise applications are running on older versions of the platform and use third-party code, it’s not surprising that so many security professionals are concerned about vulnerabilities in these programs.”
A history of insecurity
Much of Java's security image problem can be traced to its troubles in the comparatively small area of browser clients.
Java’s poor record in the browser came to a head last year when Mozilla decided, rather controversially, to block Java in Firefox. The block, which has since been lifted, was intended to protect the browser from the security issues that have plagued Java.
Last year, security vulnerabilities even held up development of the language itself: the release of Java 8 was pushed back, in part because of the platform’s applet-based security issues.
Although Java-related breaches fell from 15% to 10% last year, almost 75% of all attacks came from exploit kits targeting JRE vulnerabilities.
Feature image: Dave Bleasdale