Java security is an important topic for all businesses that use Java applications. Java Champion Simon Ritter takes a deep dive into the JDK and the potential shortcomings of not keeping your applications up to date, as well as why it’s essential to know the difference between critical patch updates (CPUs) and patch set updates (PSUs).

A little over a year ago, in April 2019, the way most Java users accessed updates for the JDK changed. The reason for this was a combination of changes made by Oracle to how the JDK is developed and the licensing terms of the Oracle JDK.

The Oracle JDK 11 and Oracle JDK 8 (from update 211) now use the Oracle Technology Network License Agreement. This limits free use to only four cases:

  1. Personal use (laptop or desktop for personal applications)
  2. Development use
  3. Oracle approved product use
  4. Oracle cloud infrastructure use

For all other cases, a Java SE subscription must be purchased from Oracle.


This has required users to make decisions about their JDK deployment strategy. One such approach is “well, it works fine on the JDK we have now; let’s just stick with that”.

There is an obvious flaw to this, which is the effect this decision will have on the security of applications.
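The decision to stay on an existing JDK is usually made once and then forgotten, so a practical first step is to make the installed patch level visible and compare it with the level you have decided is the minimum. The following script is an added example written for this article, not Oracle's or the author's code. It assumes the two version-string shapes that `java -version` prints, the legacy `1.8.0_<update>` form and the `11.0.<update>` form used from JDK 9 onward, and it uses 8u211 only because the article names that update; for real use, substitute the latest patch level you require.

```python
"""Compare an installed JDK's version string with a required minimum patch level.

Added example for this article (not Oracle's or the author's code). Assumes the
two version-string shapes `java -version` prints: legacy "1.8.0_<update>" and
the "11.0.<update>" scheme used from JDK 9 onward.
"""
import re
import subprocess
from typing import Tuple

Version = Tuple[int, int, int]  # (feature release, interim, update)

_LEGACY = re.compile(r"^1\.(\d+)\.0_(\d+)")              # e.g. 1.8.0_211
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")  # e.g. 11.0.7 or 14


def parse_java_version(text: str) -> Version:
    """Normalise a JDK version string to (feature, interim, update).

    '1.8.0_211' -> (8, 0, 211); '11.0.7' -> (11, 0, 7); '14' -> (14, 0, 0).
    A trailing build tag such as '-b12' or '+10' is ignored.
    """
    m = _LEGACY.match(text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = _MODERN.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_banner(banner: str) -> Version:
    """Extract the quoted version from `java -version` output."""
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        raise ValueError("no version line found in java -version output")
    return parse_java_version(m.group(1))


def is_current(installed: Version, required: Version) -> bool:
    """True when the installed build is at or above the required patch level.

    Patch levels only mean something within one feature release (8u202 vs
    8u211), so comparing across feature lines is refused rather than guessed.
    """
    if installed[0] != required[0]:
        raise ValueError("patch levels are only comparable within one feature release")
    return installed >= required


def check_installed_jdk(required: str) -> bool:
    """Run `java -version` on this host and compare it with `required`."""
    # The JDK prints its version banner on stderr, not stdout.
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_current(version_from_banner(out.stderr), parse_java_version(required))


if __name__ == "__main__":
    # Constructed sample banner, shaped like real `java -version` output.
    SAMPLE = 'openjdk version "1.8.0_202"\nOpenJDK Runtime Environment (build 1.8.0_202-b08)'
    # 8u211 is the update the article names; replace with your required level.
    print(is_current(version_from_banner(SAMPLE), parse_java_version("1.8.0_211")))  # False
```

Run it on each host (or feed it stored `java -version` banners from an inventory) and treat any `False` as a machine that has silently fallen behind the patch level you chose.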

Ever since people started developing software, other people have been trying to use it in ways that were never intended. This is often done for malicious goals such as stealing credit card numbers or users' identities. We use the term hacker to describe someone who is able to subvert computer security. Hackers have a myriad of ways to achieve their goals, from fooling people into revealing confidential information (phishing) to sophisticated manipulation of software through techniques such as buffer overruns.

Unfortunately, the more complex a piece of software, the more likely there is to be a vulnerability that hackers can exploit. The JDK is a very complex piece of software and, as such, may contain vulnerabilities.

As vulnerabilities in software are discovered, they are normally recorded as a Common Vulnerabilities and Exposures (CVE) entry. The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the CVE database. Each CVE, identified by a unique number, has a textual description of the vulnerability.

Keeping Your Java Applications Secure