Every company whose security I've audited has a Java problem -- an ongoing one that long predates the current threat.
Java provides a convenient attack vector for most of the malware arriving in companies -- not just the annoying stuff, but advanced persistent threats, money stealers, and more. Despite the intricate nature of the recently discovered flaw, simply keeping Java patches up to date (including the latest Oracle patch) would vastly decrease the risk.
So why, in literally every company I've audited, does Java remain so badly patched?
Mainly, it's the number of mission-critical enterprise apps tied to specific Java versions. In case after case, IT security people say they can't patch Java in a more timely manner because doing so breaks too many vital applications.
In other words, this dependency is not just an excuse -- it's not the same as, say, neglecting to keep your Windows Server patches up to date. Patching Java presents an operational risk because it has a better chance than nearly any other patching operation of breaking applications. For every patch, you may well need to commit serious resources to testing.
No wonder, then, that the IT people involved complain about how they are powerless to do anything -- how their very jobs would be at risk if they caused the predicted operational interruption. I understand their frustration, but not their powerlessness.
I wonder what would happen if IT told the CIO, the CEO, and the board of directors, "Hey, we recognize our No. 1 problem, and it's been the No. 1 problem for years, but we're throwing our hands up and not doing anything about it." I wonder how senior management would respond.