Half of security pros believe Java apps are vulnerable to attacks
While Java struggles frantically to restore its image, experts still doubt the language's security
Close to half of all IT professionals think that Java applications are insecure, according to a recent survey by Dublin-based JVM specialist Waratek. 49% of CSOs, CIOs and CISOs believe that insecure coding (60%) and flaws in third-party libraries (25%) are to blame.
87% of the 130 senior IT security professionals that took part responded that their security teams did not know enough about data centre applications to be able to protect them from hacks.
Is Java as bad as its reputation?
Although last year Oracle promised to “fix Java”, its image remains tarnished by a history of security flaws. Earlier this month, Oracle issued a series of patches to Java 8 as part of its Critical Patch Update.
Although Oracle is working hard to keep Java 8 secure, legacy systems reliant on older versions of Java remain vulnerable. Developers are advised to use the latest possible version of Java in order to get the maximum return on their investment in the security of IT systems. According to Microsoft’s recent Security Intelligence Report, Java plugins are most at risk of attack from exploit toolkits.
Meanwhile, the sophistication of hacks on Java is steadily growing. Cyber criminals have even succeeded in cracking Java 7’s native layer.
Brian Maccaba, CEO of Waratek, said the problem was partially to do with the dominant use of custom-developed Java-based applications. “Since many of these enterprise applications are running on older versions of the platform and use third party code, it’s not surprising that so many security professionals are concerned about vulnerabilities in these
A history of insecurity
Much of Java security’s image problem can be attributed to its troubles in the comparatively small area of browser clients. Java’s poor record for browser implementation came to a head last year when Mozilla decided, rather controversially, to boycott Java in Firefox. The block, which has since been lifted, was intended to protect the browser from the security issues that have plagued Java.
Last year, security vulnerabilities even stood in the way of the development of the language itself, causing the release of Java 8 to be pushed back, in part due to the platform’s applet-based security issues.
Although breaches of Java’s security fell from 15% to 10% last year, almost 75% of all attacks were by exploit kits targeting JRE vulnerabilities.
Feature image: Dave Bleasdale