
SANS ISC: "Get Java Fixed Up" - Internet Security | DShield SANS ISC InfoSec Forums


"Get Java Fixed Up"

This was a quote from a recent conference call hosted by Oracle (details on the call are here: http://www.scmagazine.com/oracle-speaks-promises-to-get-java-fixed-up/article/277898/ ). In that call, Oracle's full quoted statement is “The plan for Java security is really simple, it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”

This sounds very positive, right?  With Java 6 rolling into "unsupported" status soon, and real problems (and no emphatic fix in sight) in Java 7, this sounds like good news for folks who need Java day-to-day, in support of real business functions.

Ummm - not so much for me.  <personal opinion follows> They make it sound like this might be something they can do in a couple of weeks, and fix with a service pack or a version update.  When Microsoft was in a similar situation, they shut down development completely and re-tooled their methodology.  I think Oracle is in a similar situation right now, but isn't coming clean like Microsoft did back in the day (2002 - it doesn't seem that long ago to me ...).

While the current round of vulnerabilities in Java can certainly be resolved in the current framework, I think that if they don't retool their Development, Test and QA methodologies to place a higher emphasis on Security in the final product, we'll be having this same discussion again and again.

Putting a change freeze in for new features would be another excellent thing to do.  Given recent events, freezing dev for an audit and security effort is likely a really good idea.  I get the impression that in the race for new features, there's a significant "technical debt" on the security side that is coming home to roost. 

I think that Oracle, and a few others while we're discussing it, need to take a close look at what Microsoft did those few short years ago, and make some big changes on how things get written and rolled out.

Again, just my opinion.  Feel free to set me straight (or even agree with me) in our comment form.

===============
Rob VandenBrink
Metafore

Rob VandenBrink

497 Posts
ISC Handler
I think saying "fixed up" relays the organization's security posture. They seem to be bragging about putting makeup on that pig. ;)
PhilBAR

24 Posts
Java certainly does need to get things in order when it comes to two things, security and legacy version control. Why do we keep having to have all these old versions for compatibility? The vast majority of the time our old desktop software runs on our newer OSes with little or no issues; very few require major work. This to me, as a previous software developer, shines a very dim light on the programming techniques (and priorities) of these organizations. Generally speaking, if you write the software using the approved API interfaces and don't cut corners, your software will continue to run through many upgrades and you can instead focus on bringing new features and less on bug fixing. Aren't the features what brings in the customers and therefore the revenue? Even maintenance fees are still part of the software purchase, as the decision to keep paying them is theoretically contingent on the software bringing in value. If they aren't, then they are really trying to bilk the customer in my opinion.

Adobe is on my hit parade these days also; on my Macintosh I can get away with using Quicktime's partial implementation of flash most of the time and avoid the almost daily Adobe patches. Most other users are not so lucky.

The crazy thing about all of this is that if these companies focused on doing things right then probably 70% of our software security problems would disappear overnight. Think of how much money is tied into all the extra application security layers we buy because all our software is so buggy. Think of how much money is stolen because of these same problems. While not 100% it is the closest by far to a silver bullet for security, buy software designed to be solid and secure from the start. Spend a little more now and save a ton later.
BGC

23 Posts
I couldn't agree more. When Java 7 was released it contained a lot of new 'features' and 'added functionality' that from what I can tell very few people are even aware of. Oracle developers should be asking two questions:
1. Just because we can do it, should we?
2. How can we make it secure?
It seems to me that they are not asking themselves either one because all the new code, which is a mess IMHO, is where all the vulnerabilities and recent 0-day issues lie.
I think Oracle is where Microsoft was in 2002 but lacks the commitment and possibly the expertise needed to properly do what is needed to correct this whole mess. Time will tell, but right now that time is in rather short supply and running out very quickly.
toymaster

13 Posts
Put a freeze on new development in 7 till the security is fixed, rescind the end of life on 6 and keep patching it till 7 actually functions. 7 is an experimental beta and therefore buggy, 6 less so.
toymaster
57 Posts
You'd think that, given all the chatter regarding Java, Oracle would've found reason to make a little more noise about this:
http://www.oracle.com/technetwork/java/javase/7u13-relnotes-1902884.html
Anonymous
