Experts in this month’s debate discuss Java. Is it time to stop using the popular software?
Rohit Sethi, vice president, Security Compass
With the many high-profile breaches of the Java Runtime Environment, it’s natural to want to throw in the towel. But this reaction is overblown. First, Java is the second most popular programming language in the world. Is it realistic to replace it? Java’s ubiquity is its strength – with its enormous ecosystem and open-source/commercial libraries, it would be hard to replace.
Second, we tend to overlook the importance of Java Enterprise Edition. It runs the very infrastructure we rely on in the financial, health care and utilities industries, and these server-side applications are rarely exploited by JRE client-side attacks.
Lastly, Oracle is on the right path. It’s delayed Java 8 to focus on security. This won’t happen overnight, but it’s clearly a priority. It isn’t easy to ditch a programming language that’s essentially built much of the web infrastructure we rely on today. Remember COBOL? Some experts estimate it’s still used in 60 to 80 percent of worldwide financial transactions.
David Kennedy, CEO, TrustedSec
The attacks surfacing today are predominantly through external perimeter attacks, or through targeted client-side exploitation. Online miscreants have a good sense of what types of applications are installed on an individual computer based on popularity. Java has notoriously been the front for attack over the past several years and continues to grow in popularity. It is riddled with massive security flaws; the February patch contained 50 critical security fixes. Each incursion has created exposures for the security community and had a massive impact on how we defend our companies. The installer makes it difficult to push quick updates out, and new patches introduce instability in Oracle product lines. Even without zero-days, the trust model with Java Applets introduces a completely reliable attack method. Java is something that we have to sandbox completely on our network – or completely remove it altogether. If we don’t take drastic action in the short term, we will continue to see large-scale breaches and our user population at continual risk.