The boy who cried "PWNAGE"!

Imagine a mono-culture where you can write in one programming language and one language only and it runs anywhere. Such a language makes life a lot easier for developers and software vendors. It also would make life easier for security people. Instead of worrying about the latest holes in PHP, Ruby, Python and Java, you only have to patch one. All the eggs are in one basket, but, man, are we focused on that basket.

I bring up this thought experiment because so often the infosec community seems to suggest "throw out the baby and the basket it is in". See Jack Daniel's blog post for a good discussion about that.

I worry about the lack of clarity around the issue. Most of the attacks are exploiting the presence of Java in the browser, but most of the criticism is aimed at Java itself. I see this disinformation as bad for the industry. First, Java on the server side has proven itself. Second, the JRE is a valuable method to deliver software across Windows, OS X and Linux variants. Finally, if you intend to support mobile platforms, Java is required for the Android and Blackberry platforms.

As Elizabeth Martin asked:

OK, new question: what cross-platform delivery engine is *not* chock full of vulns where we *don't* put the onus on the user?

The answer, I think, is none. But we have a good start in Java, so why not focus on fixing it? Eventually we hope to move to a combination of HTML5 and native code that minimizes the changes between platforms. But then, HTML5 will have to be secure enough. (For varied definitions of 'enough'.) That will take time. But it is a worthwhile effort. And the best situation would not be a mono-culture, but rather multiple mature and secure options.

So, my recommendations:

  • Continue to put pressure on Oracle to increase the security and 'securability' of Java in various environments.
  • Support the OpenJDK effort if you think they can do better than Oracle.
  • Be clear in what the security issues are so problems can be solved.
  • Know that HTML5 is coming as a replacement and help the browser vendors secure it. Let's not go through this again.

We need to clearly state the issue so it can be addressed. Yelling 'pwnage' doesn't do anyone any good.

Thanks to hrbmstr and elizmartin for inspiration.
