A steady stream of Java zero-days has kept the software at the center of security discussions in recent months, and experts suggested that these issues are likely to continue until a thorough code review has been performed. Citing examples of programs that have successfully tightened the security of their code design in the past, a number of industry onlookers expressed the need for a more secure development lifecycle in a recent InfoWorld article.
Java’s security challenges have been myriad, with its publisher Oracle releasing two emergency updates since the new year. Companies including Facebook, Apple and Microsoft have all been hit with attacks from Java exploits planted on websites, particularly a popular iPhone development site. Most recently, a malware program called MiniDuke, designed to infiltrate government networks by exploiting Java vulnerabilities in Internet Explorer, has been identified by several different researchers.
Experts have repeatedly urged users to uninstall Java from their browsers unless it is necessary, and a number have criticized Oracle, which has owned the software since purchasing Sun in 2010, for its inattention to security. A recent study by Sourcefire found that Oracle was the top vendor responsible for critical vulnerabilities over the past 25 years.
“So, many computer users find themselves in what is becoming a disturbingly familiar situation – looking to see when Oracle will confirm that the flaws exist, and then waiting for the inevitable security update for Java,” Sophos senior technology consultant Graham Cluley wrote on the company’s Naked Security blog following a recent exploit announcement.
Making Java more secure
According to security experts who spoke with InfoWorld, Oracle should do more to improve the management of Java security controls, to increase adoption rates for patches and, most importantly, to redesign the code in a way that eliminates basic security issues. Carsten Eiram, chief research officer at consulting firm Risk Based Security, suggested that Oracle should implement a secure development lifecycle (SDL) for Java that includes code review and tactics such as source code analysis to catch basic vulnerabilities.
By implementing these practices and contracting some of the researchers who already monitor Java for vulnerabilities, Oracle would be following in the footsteps of vendors such as Microsoft and Adobe, Eiram noted. Both were once notorious for vulnerabilities but have made changes that have reduced the number of issues in recent years.
“Software vendors have a responsibility to provide secure code of a certain quality, and vendors of widely deployed software like Flash Player or Java simply have no excuse,” Eiram told InfoWorld. “Adobe realized this and have made a serious and successful effort to improve their code. Microsoft did the same many years ago. It’s time for Oracle to follow in those footsteps.”
Eiram added that he did not see any imminent end to Java’s problems, noting that established development procedures are difficult to reverse quickly. Wolfgang Kandek, CTO of vulnerability management firm Qualys, told InfoWorld he believed Oracle was moving in the right direction, noting that protecting Java is more complicated than protecting many other software products, as it is a complete programming language that has to perform a range of functions, including low-level operating system tasks. Adam Gowdiak, founder of research firm Security Explorations, was less sympathetic, noting that many of the issues his company has identified violate Oracle’s own secure coding guidelines for Java.
“We found many flaws which should have been eliminated by the company at the time of a comprehensive security review of the platform prior to its release,” he told InfoWorld.
As secure design continues to be at the center of the debate over how to make Java safer, other organizations may want to evaluate their own coding processes. Tools such as static analysis can catch many vulnerabilities, while peer code review can provide a deeper examination of security issues ingrained in existing software. Building security into products through the development process is an important way for vulnerability-prone vendors to restore confidence in their releases.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.