Waters Works by John K. Waters
Things have quieted down quite a bit on the Java security front during the last year or so. Rare these days are the heart-stopping revelations of zero-day vulnerabilities; and fewer are the grumbling editorials about the lack of end-user update hygiene. (Although, as far as I’m concerned, that issue is still quite grumble-worthy.) Oracle’s click-to-play feature was at least partly responsible for a 2014 in which there were no major zero-day Java vulnerabilities discovered and exploited in the wild.
Which is great, but not the end of the Java security story. As long as Java’s enormous popularity in the enterprise continues, it’s going to be an alluring target, Java security expert John Matthew Holt reminded me recently.
Holt is the CTO of Waratek, a company specializing in Java security, so you could argue that he has a vested interest in Java insecurity. But he’s right to point out that the Java stack has more than one layer. Even if you manage to keep up with Oracle’s patch schedule for the Java platform layer, you still have to deal with the app server layer, the libraries and the business logic. And update schedules vary. For example: Oracle releases Java security fixes on the Tuesday closest to the 17th day of January, April, July and October; Apache releases Struts patches every 72 days.
“I give great credit to Oracle for addressing the vulnerabilities in the Java Platform layer,” Holt said. “That’s kind of a never-ending battle. Even if an organization manages to keep up with the Java security fixes, the vulnerabilities shift to somewhere else in the software stack.”
For example: By my count, there have been 10 Struts vulnerabilities reported over the past two years with a CVSS rating of 9 or 10, which is very high and marks them as critical.
Holt is an enthusiastic proponent of Runtime Application Self-Protection, or RASP, which Gartner has defined as “a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks.” Holt’s company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement and attack blocking from within the Java Virtual Machine (JVM).