Java doesn't have to be unsafe: What developers can do

Even Microsoft can help developers build more secure Java apps

Here we go again. Yet another Java security problem arises. This time, it's a zero-day vulnerability affecting the browser plug-in.

Java suffered a host of security setbacks last year, so Apple has stopped installing it by default in OS X, and security researchers advise PC users (regardless of operating system) to stop using it.

Security issues are a real thorn in Java's side. So is there more Oracle can be doing to promote security in Java and help out developers?

In fact, Oracle has already provided plenty of documentation. Oracle's Java SE (Standard Edition) Security website provides APIs; tools and implementations of security algorithms; mechanisms; and protocols for cryptography, PKI (public key infrastructure), secure communication, authentication, and access control. It also provides developers a security framework for writing applications and admin tools for secure management.

Oracle's Java EE (Enterprise Edition) 6 security resources include a tutorial featuring instructions on securing Web and enterprise applications. Oracle also has posted a security-fixing policies document, which covers patch updates and security alerts. Patches address "significant" vulnerabilities and include code fixes.

Oddly enough considering the Windows security holes discovered routinely, another place to go for Java developers to learn how to secure their applications is Microsoft's SDL (Security Development Life Cycle) practice. This effort covers training, requirements, design, implementation, release, and response. Free tools are available as well. "The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and projects of any size," a Microsoft representative notes.

There's probably no way for Java developers to prevent all intrusions taking advantage of Java -- determined intruders will find a way in. And some problems will still require Oracle's attention, despite developers' best efforts. But it is not a bad idea for Java developers to avail themselves to all resources available to try to make security less of an issue.

This story, "Java doesn't have to be unsafe: What developers can do," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies