Peter Stephenson, SC Magazine writes:
Here’s the problem: Java is not secure. Here is the solution: sandbox Java apps. Well, it really is not quite that simple, but our First Look this month generated one of those “ah ha!” moments in us when we saw what it was and how it worked.
One of the major issues we face as security professionals is that application developers are usually tasked with application security and, as we all know, that often does not work as well as we’d like. Application security is difficult, and because new vulnerabilities appear regularly it is very difficult to write truly secure code.
That said, we can, of course, write code that covers the big rocks. We can avoid buffer overflows and other common problems with some fairly straightforward coding practices. But there are subtleties – especially in Java – that get by even the most judicious coder. So one approach to protecting Java apps is to better protect the app, not just the code.
Before we hear anyone saying that we are encouraging sloppy coding, let us assure you that such really is not the case. However, the reality is that while attacks evolve, once an app has been coded it stays that way for some period of time. So even the best coding practice can become obsolete instantly with the emergence of new exploits. Before we get into the nuts and bolts of our product for this month, let’s take a quick look at an alternative.
This is a very nice implementation of RASP (Runtime Application Self Protection), easy to deploy in the development environment, and far more effective than web application firewalls.