Java and Oracle on security at AppSec USA

Speaker: Milton Smith

Open Ecosystem

  • JCP (Java Community Process)
  • OpenJDK contributors, including IBM and Apple

Security communications

  • RSS feed for security alerts
  • Critical Patch Update (CPU) advisories – for “normal” patches. Dates are published a year in advance
  • eBlasts – emails
  • Blogs – Java PM blog

CVSS – Common Vulnerability Scoring System

Added security track to JavaOne

Working on a platform is not the same as working on an application. Current analysis tools don’t understand the new syntax yet. Use the tools where they apply, though.

Oracle considers Java to be strategic. Safety and security of Java is a top priority. Java 8 was delayed because security wasn’t ready.

Oracle is focusing on fixing applets (to keep attackers from using malicious applets), accelerating remediation, and new security features.

Most vulnerabilities were in deployment and 2D because of applets. Interesting because they don’t affect most people, and because applets are old.

Recent security features

  • Easy way to disable Java on different platforms (Java 7 update 1)
  • Java “best before” – Java should encourage updates. A date is baked into the binaries so the runtime knows it is out of date once a new CPU is out (Java 7 update 10)
  • End user can adjust plugin security levels via a slider (Java 7 update 10). Low and custom levels removed in update 21
  • Dynamic blacklisting support. Vendors call to say they learned released JARs are vulnerable (Java 7 update 21)
  • Signing sandboxed applications (Java 7 update 21)
  • Enable standardized revocation services – deal with stolen digital certs; now on by default (Java 7 update 25)
  • Provide ability to lock JARs to specific servers or domains (Java 7 update 25)
  • Turn off JRE out-of-date warnings – companies want to manage this on their own (Java 7 update 40)
  • Add whitelisting for enterprise and partners – prevents 3rd-party ads and spear phishing from exploiting (Java 7 update 40)
  • Working on the Java uninstaller so adversaries can’t target older versions of Java as easily
  • With the January Java 7 update 51 release, self-signed and unsigned applets will be blocked by default. All applets written before update 25 won’t run by default. Security can be lowered to Medium to change the defaults. Companies can still create their own CA
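Two of the bullets above (signing sandboxed applications and locking JARs to specific servers, 7u21/7u25, required from 7u51) correspond to the `Permissions` and `Codebase` main-manifest attributes. The following is an added example written for these notes, not code from the talk or from Oracle: it builds two small constructed JARs in memory, reads their manifests back the way the runtime does, and reports whether each is pinned to the expected host. The `audit` and `codebaseMatches` helpers, the host `apps.example.com`, and the simplified wildcard matching are assumptions of this example, not Oracle’s implementation.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class JarManifestAudit {

    /** Checks the main manifest attributes a deployment reviewer cares about
     *  and returns human-readable findings (empty list means nothing to flag). */
    public static List<String> audit(Manifest mf, String expectedHost) {
        List<String> findings = new ArrayList<>();
        Attributes main = mf.getMainAttributes();
        String permissions = main.getValue("Permissions");
        String codebase = main.getValue("Codebase");

        if (permissions == null) {
            findings.add("MISSING Permissions: 7u51 blocks RIAs that lack this attribute");
        } else if ("all-permissions".equals(permissions)) {
            findings.add("NOTE Permissions: all-permissions (runs outside the sandbox)");
        } else if (!"sandbox".equals(permissions)) {
            findings.add("INVALID Permissions value: " + permissions);
        }

        if (codebase == null || "*".equals(codebase.trim())) {
            findings.add("WEAK Codebase: not pinned, JAR can be re-hosted on any site");
        } else if (!codebaseMatches(codebase, expectedHost)) {
            findings.add("MISMATCH Codebase: " + codebase + " does not cover " + expectedHost);
        }
        return findings;
    }

    /** Simplified matcher (assumption): Codebase is a space-separated list of
     *  URLs; a leading "*." wildcard matches any subdomain. Paths/ports ignored. */
    static boolean codebaseMatches(String codebase, String host) {
        for (String entry : codebase.trim().split("\\s+")) {
            String h = entry.replaceFirst("^[a-zA-Z]+://", "").split("[/:]")[0];
            if (h.startsWith("*.")) {
                if (host.toLowerCase().endsWith(h.substring(1).toLowerCase())) return true;
            } else if (h.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    /** Builds a minimal JAR (one empty class entry) around the given manifest. */
    static byte[] buildJar(Manifest mf) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (JarOutputStream jos = new JarOutputStream(bos, mf)) {
            jos.putNextEntry(new JarEntry("Hello.class"));
            jos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed manifests for the demo: one sandboxed but unpinned,
        // one sandboxed and locked to apps.example.com (a made-up host).
        Manifest unpinned = new Manifest();
        unpinned.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        unpinned.getMainAttributes().putValue("Permissions", "sandbox");

        Manifest pinned = new Manifest();
        pinned.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        pinned.getMainAttributes().putValue("Permissions", "sandbox");
        pinned.getMainAttributes().putValue("Codebase", "https://apps.example.com");

        for (Manifest m : new Manifest[] {unpinned, pinned}) {
            byte[] jar = buildJar(m);
            // JarInputStream returns the manifest because JarOutputStream wrote it first.
            Manifest read = new JarInputStream(new ByteArrayInputStream(jar)).getManifest();
            System.out.println(audit(read, "apps.example.com"));
        }
    }
}
```

Running it prints one WEAK finding for the first JAR and an empty list for the second. The same `audit` call can be pointed at a real JAR via `new JarInputStream(new FileInputStream(path)).getManifest()`; note that the attributes only mean something once the JAR is signed, since an unsigned manifest can be edited by whoever re-hosts the file.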

Oracle’s Secure Coding Guidelines

My take
I’m not sure what I was expecting, but this felt light and fuzzy. Or maybe I knew a lot of this. Or maybe I’m tired because there wasn’t a break and I didn’t choose to miss a session in order to take one. The charts were interesting. As were the new features.
