John K Waters writes:
I reported last week on Oracle’s latest Critical Patch Update, which included 169 new security vulnerability fixes across the company’s product lines, including 19 for Java. The folks at Java security provider Waratek pointed out to me that 16 of those Java fixes addressed new sandbox bypass vulnerabilities that affect both legacy and current versions of the platform. That heads-up prompted a conversation with Waratek CTO and founder John Matthew Holt and Waratek’s security strategist Jonathan Gohstand about their container-based approach to one of the most persistent data center security vulnerabilities: outdated Java code.
Holt reminded me that the amount of Java legacy code in the enterprise is about to experience a kind of growth spurt, as Oracle stops posting updates of Java SE 7 to its public download sites in April.
“When you walk into virtually any large enterprise and you ask them which version of Java they’re running, the answer almost always is, every version but the current one,” Holt said. “That situation is not getting better.”
Outdated Java code with well documented security vulnerabilities persists in most data centers, Gohstand said, which is where it’s often the target during attacks. The reasons that legacy Java persists, in spite of its security risks (and the widespread knowledge that it’s there), is up for debate. But Waratek’s unconventional approach to solving that problem (and what Holt calls “the continued and persistent insecurity of Java applications at any level of the Java software stack”) is a specialized version of a very hot trend.
Containers are not new, of course, but they’re part of a trend that appears to have legs (thanks largely, let’s face it, to Docker). Containers are lightweight, in that they carry no operating system; apps within a container start up immediately, almost as fast as apps running on an OS; they are fully isolated; they consume fewer physical resources; and there’s little of the performance overhead associated with virtualization — no “virtualization tax.”
Waratek’s containerization technology, called Java Virtual Containers, is a lightweight, quarantined environment that runs inside the JVM. It was developed in response to a legacy from the primordial Java environment of the 1990s, Holt said.
This article first appeared in ADT Mag