Java is one of the most useful programming languages within government but it’s also one of the most vulnerable. By John Breeden, Nextgov.
Many of the highest profile, successful attacks had a Java vulnerability as their launching point—not just in government but across organizations of all sizes. By comparison, Flash had similar problems but had such a light footprint in government that the solution was simply to purge it from federal computers. You can’t do that with Java, as it’s far too entrenched at agencies and makes up the lifeblood of many critical systems and applications.
So how do you solve a problem like Java? First off, you need to understand how Java is configured. Java applications are divided up into two components. You have the baseline Java 8 or 9 stack that hosts the application and provides the garbage collector process. It’s extremely simple, can’t really be successfully attacked, and considered completely secure by most experts. But you can’t do very much with just the baseline.
Running programs in Java require the upper application layer. That is where you end up pulling in millions of lines of code—and it’s where the exploits happen. It’s also not so well-known that the upper layer is often based on older versions of Java. For example, a baseline running Java 9 could be supporting an upper layer as old as Java 4. In other words, the vulnerabilities hackers discovered in Java four years ago could potentially be used to exploit a program running in a federal data center that on the surface looks to be supported by Java 8 or 9 but maintains a vulnerable upper stack. And no, you simply can’t upgrade most applications to allow them to run under Java 9. Most likely, too many of the millions of lines of code will not be compatible. It would need to be rewritten from scratch.
Such is the curse of using Java: deficits outweighed by the fact that it can be employed to work with nearly any type of device to perform nearly any application. But the security risks are still there, and I have not seen too many ways to completely lock it down, until now.
One of my many projects over this long, hot summer, is conducting a series of 15 in-depth cybersecurity reviews for Network World and CSO magazine, examining products that fit into categories that Gartner has identified as being the most important in cybersecurity for the foreseeable future. Not surprisingly, locking down Java and other application exploits made the list.