Re: Article: Why you can't dump Java (even though you want to)
On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
On 12-05-08 12:51 PM, Gene Wirchenko wrote:
This was in the morning's trade articles:
www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld
I tend to agree with what Grimes wrote on the second page of his
article. As he pointed out, popular software always gets exploited. Part
of it is due to defects in the software, so in Java in this case, but a
major part of it for a programming language and platform (JVM) is how
people code in it. How many Java programmers have genuinely absorbed the
lessons in "Secure Coding Guidelines for the Java Programming Language",
or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
percent? No way is it any higher than that.
I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
PCs when their users just browse the internet
B) hackers that break into a Java web app using various
security holes
A is what I assume the article is about. And the security
problems are caused by bugs in the JVM and Java runtime.
B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard tries to address.
Arne
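To make the B category concrete: below is an added example (not code from the thread, the InfoWorld article, or the CERT standard) of the kind of developer-introduced bug the CERT Oracle Secure Coding Standard addresses, here the path-traversal pattern covered by its FIO16-J rule (canonicalize path names before validating them). The handler, its document root and the request parameter name are hypothetical; the sample inputs are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeFileServe {
    // Hypothetical web-app handler: maps a user-supplied "name" request
    // parameter onto a file under a fixed document root. Nothing here is
    // JVM or runtime code; the hole is entirely in the application logic.

    /** Vulnerable form: trusts the request parameter as a relative path. */
    static Path resolveUnsafe(Path docRoot, String name) {
        // "../../../etc/passwd" simply walks out of docRoot.
        return docRoot.resolve(name);
    }

    /** Hardened form: canonicalize, then check containment (FIO16-J). */
    static Path resolveSafe(Path docRoot, String name) throws IOException {
        Path root = docRoot.toRealPath();               // resolve symlinks in the root itself
        Path candidate = root.resolve(name).normalize(); // collapse "." and ".." lexically
        if (!candidate.startsWith(root)) {
            throw new IOException("path escapes document root: " + name);
        }
        // toRealPath follows symlinks, so a link planted inside docRoot that
        // points outside is caught too. It throws NoSuchFileException for a
        // missing file, which a web app would map to 404.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            throw new IOException("symlink escapes document root: " + name);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed test fixture: a throwaway document root with one page.
        Path docRoot = Files.createTempDirectory("docroot");
        Files.write(docRoot.resolve("index.html"), "<html>ok</html>".getBytes());

        String[] inputs = { "index.html", "../../../etc/passwd" };
        for (String name : inputs) {
            System.out.println("input:  " + name);
            System.out.println("unsafe: " + resolveUnsafe(docRoot, name).normalize());
            try {
                System.out.println("safe:   " + resolveSafe(docRoot, name));
            } catch (IOException e) {
                System.out.println("safe:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The lexical `normalize()` check alone is not enough, which is why the real-path check follows it: a symlink under the document root can point anywhere, and only `toRealPath()` sees through it. That two-step order (canonicalize, then validate) is the whole point of the rule.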