Posted by:
admin
11 years, 3 months ago
Imagine a mono-culture where you can write in one programming language and one language only and it runs anywhere. Such a language makes life a lot easier for developers and software vendors. It also would make life easier for security people. Instead of worrying about the latest holes in PHP, Ruby, Python and Java, you only have to patch one. All the eggs are in one basket, but, man, are we focused on that basket.
I bring up this thought experiment because so often the infosec community seems to suggest "throw out the baby and the basket it is in". See Jack Daniel's blog post for a good discussion about that.
I worry about the lack of clarity around the issue. Most of the attacks are exploiting the presence of Java in the browser but most of the criticism is against java itself. I see this disinformation as bad for the industry. First, Java on the server-side has proven itself. Second, the JRE is a valuable method to deliver software across Windows, OS X and Linux variants. Finally, if you intend to support mobile platforms, Java is required for the Android and Blackberry platforms.
Ok new question, what cross-platform delivery engine is *not* chock full of vulns where we *don’t* put the onus on the user?
The answer, I think is none. But we have a good start in Java, so why not focus on fixing it? Eventually we hope to move to a combination of HTML5 and native code that minimizes the changes between platforms. But then, HTML5 will have to be secure enough. (For varied definitions of 'enough'.) That will take time. But it is a worthwhile effort. And the best situation would not be a mono-culture, but rather multiple mature & secure options.
So, my recommendations:
- Continue to put pressure on Oracle to increase the security and 'securabilty' of java in various environments.
- Support the OpenJDK effort if you think they can do better than Oracle.
- Be clear in what the security issues are so problems can be solved.
- Know that HTML5 is coming as a replacement and help the browser vendors secure it. Let's not go through this again.
We need to clearly state the issue so it can be addressed. Yelling 'pwnage' doesn't do anyone any good.
Thanks to hrbmstr and elizmartin for inspiration.
Share on Twitter Share on FacebookRecent Posts
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
- WiKID Android tokens had their data deleted over the weekend by Google Chrome bug
Archive
2024
- January (1)
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)