
Debate: Because of inherent vulnerabilities, it is time to ditch Java


Experts in this month's debate discuss Java. Is it time to stop using the popular software?


Rohit Sethi, vice president, Security Compass

With the many high-profile breaches of the Java Runtime Environment, it's natural to want to throw in the towel. But this reaction is overblown. First, Java is the second most popular programming language in the world. Is it realistic to replace it? Java's ubiquity is its strength – with its enormous ecosystem and open-source/commercial libraries, it would be hard to replace. 

Second, we tend to overlook the importance of Java Enterprise Edition. It runs the very infrastructure we rely on in the financial, health care and utilities industries, and these server-side applications are rarely exploited by JRE client-side attacks. 

Lastly, Oracle is on the right path. It's delayed Java 8 to focus on security. This won't happen overnight, but it's clearly a priority. It isn't easy to ditch a programming language that has essentially built much of the web infrastructure we rely on today. Remember COBOL? Some experts estimate it's still used in 60 to 80 percent of worldwide financial transactions.


David Kennedy, CEO, TrustedSec

The attacks surfacing today are predominantly through external perimeter attacks, or through targeted client-side exploitation. Online miscreants have a good sense of what types of applications are installed on an individual computer based on popularity. Java has notoriously been the front for attack over the past several years and continues to grow in popularity. Java is riddled with massive security flaws: the February patch contained 50 critical security fixes. Each incursion has created exposures for the security community and had a massive impact on how we defend our companies.

The installer makes it difficult to push quick updates out, and new patches introduce instability in Oracle product lines. Even without zero-days, the trust model with Java Applets introduces a completely reliable attack method. Java is something that we have to sandbox completely on our network – or remove altogether. If we don't take drastic action in the short term, we will continue to see large-scale breaches and our user population at continual risk.
David Kennedy

David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served on the board of directors of the ISC2 organization. David is the former CSO of Diebold Incorporated, where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Tester's Guide” and the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework and several other popular open source tools. David has been interviewed by several news organizations, including CNN, Fox News, MSNBC, CNBC, Katie Couric and BBC World News. David is the co-host of the Social-Engineer podcast and appears on several additional podcasts. David has testified before Congress on two occasions on the security of government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.
