Experts prod Oracle to fix broken Java security
Called Security Development Lifecycle, or SDL, by Microsoft, the process includes regular code reviews as a product is created, and includes development practices designed to reduce the number of vulnerabilities. Windows Vista was the first Microsoft OS to use SDL start to finish.
While Oracle has something similar dubbed "Oracle Secure Coding Standards," and has published secure coding guidelines for third-party Java developers, it's unclear whether the firm has used its own Secure Coding Standards practices on Java, which it inherited from Sun Microsystems in 2010.
If it has, the experts said, it's not working.
"If Oracle wants Java to be successful within the browser, they will need to make serious investments into the security model," said Moore, who added that the Oracle Secure Coding Standards "hasn't been enough."
"What Oracle needs now is something similar to the Microsoft Trustworthy Computing initiative," said Storms of the Redmond, Wash. developer's overarching security-minded project, launched in 2002 after then-CEO Bill Gates' famous memo. "[Oracle] needs an executive with a strong vision and the ability to force the organization to build 'management by objectives' around security."
Gowdiak beat the same Java drum as Storms. "From what we have learned so far investigating Java SE 7 code, the overall impression is that certain new code features/new additions have not been the subject of any security review," he said.
Changing Java's security model won't be easy, Moore acknowledged, what with the need for backward compatibility; Java's ambition to be all things to all users and on all platforms, from enterprise and consumers to desktop, mobile and the Web; and its reliance on an interpreter-level sandbox.
Even its flexibility has contributed to its security woes. "Java has ridiculous amount of functionality," said Moore, who blamed its overreach for many of its problems.
His recommendation: Steal a page from Adobe, Google and Microsoft, which have instituted process-level sandboxes, and reduce the number of APIs that untrusted Java applets can access.
Demands that Oracle get a handle on Java security are not new. In mid-2012, before the two Java zero-days that forced Oracle to issue emergency updates, security professionals pointed to a host of problems, from infrequent updates to lax coding, that had pushed Java to the top of the exploit charts.
But even if Oracle heeds these calls, it's in for a long slog, experts warned.
"At the end of the day, Oracle's primary customer is the enterprise," said Moore. "In contrast with companies like Adobe, they are not well-positioned to handle security problems in their consumer products."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts