Java--Then and Now

Traenk muses over security features versus security readiness...

SC Magazine is one of those must-have subscriptions for any career in Information Security/Risk Management.  In a recent article, we get a fast view of Java's security vulnerabilities and Oracle's plans to improve Java security.

And oh my, what a story...

Java's list of security features was all the rage, back in the day.  In the '90s, no one knew what a virtual machine was, but everyone wanted one.  Variable allocation was sure to prevent buffer overflows.  Platform-agnostic technology made the "Write Once, Run Everywhere" promise a sure thing.

What happened?

Security features require secure coding and secure design details.  Security, to be effective, must be injected into all components of the platform, including the documentation engine.  Java, like so many other platforms before it, believed its own press.

(Is that the issue?  I'm not sure.  I welcome your thoughts.)

The hacking community takes great joy in proving the true security abilities of your work.  Whether Adobe PDFs, Windows screensavers, or now Java plugins, the hacking community will perform its own assessment, one more thorough than any press release's preparation.

Is Java support still an important part of our website experience, now with HTML 5 ruling the once Flash-y effects?  I'm not sure.  But I have big technical doubts that HTML 5 could have coded its performance and security goals without studying the Java experience.  Here's hoping everyone pays better attention to past failings to prevent future hacks to applications.