Category Archives: Java Programming

7 steps to securing Java

Java, the popular OS-independent platform and programming language, runs on just about every kind of electronic device imaginable, including computers, cell phones, printers, TVs, DVDs, home security systems, automated teller machines, navigation systems, games and medical devices.

In response to successful Java-based exploits against companies including Twitter, Facebook, Apple and Microsoft, and to continued concern over “zero-day” flaws that let an attacker execute malicious code remotely on vulnerable systems, the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) has issued multiple security advisories concerning Java.

In the advisories issued to date, DHS recommends disabling Java in web browsers. In response, Oracle, which took over Java when it bought Sun, has released a number of patches, some of them out-of-band (earlier than scheduled), and in a recent patch changed how Java applets are handled within web browsers.

In general, warnings about potential security threats are nothing new, and most network security managers consider them part of the daily IT landscape. The usual response is to patch systems with vendor-supplied updates and follow the vendor’s recommended practices. In this case, however, the advice to disable or uninstall the product came not from the vendor but from governmental authorities and other third parties, which creates an unusual set of challenges for organizations.

Given its ubiquity, completely removing Java is out of the question for most organizations. The seven-step action plan below will not guarantee security, but it will help mitigate threats by creating awareness, hardening systems and reducing attack vectors.

1.  Perform an impact analysis

A good starting point is to identify where and how Java is used both inside and outside the organization. Does your organization provide Java-dependent applications that are accessed by vendors, clients and/or the general public? Unless you have already limited its use, you will most likely find Java in most web browsers, as part of the OS (especially certain versions of Mac OS X) and in any number of popular applications. The last group is probably the biggest unknown, as a vast number of commercial and open source applications are built on the Java platform. Start by ferreting out which applications use Java, and whether each one is business-critical. Knowing the full scope of your organization’s dependence upon Java-based apps and platforms is a necessary prerequisite to controlling risks.

2.  Keep Java updated and patched at all times

It is of paramount importance to keep all computers and devices on the latest version of Java. Oracle publicly supports only the latest release; no public security patches are available for earlier versions. Obtain updates directly from Oracle, never from third-party download sites, to reduce the risk of installing a tampered or repackaged installer. Also uninstall older versions manually, because installing the latest version does not necessarily remove the ones already present, and an old JRE left on disk remains a target. Consider confining Java-based apps to virtual machines that are started when needed and left powered off when not.

Also keep in mind that some applications may depend on an earlier version of Java and could break after updating to the latest one. An app that relies on an outdated Java runtime poses a much greater security risk than a one-off compatibility break, so any such app should be updated or replaced.

3. Manage Java Control Panel settings

There are numerous settings available from the Java Control Panel (available on both Windows and Mac clients). These provide fairly granular control over how Java is configured on client computers, from automating updates to managing security settings. Automatic updates can be configured to notify the user or to download the latest update, but regrettably there is no enterprise-wide capability to install updates automatically, so manual steps are needed to ensure the latest updates are applied.

As for security settings, the last few updates of Java 7 have defaulted to the ‘high’ security level, which prompts users before running unsigned or self-signed applets. This is a change from earlier versions, where the default was ‘medium’. From the Java Control Panel you can also disable Java in the browser when you are not using it, but there are reports of unsigned and self-signed applets being allowed without a prompt after Java is re-enabled, so verify the behaviour on your own builds rather than assume it.

4. Harden web browsers

Wherever possible, disable Java in web browsers. If that is not an option, at least consider blocking access to remote Java applets. One solution is a proxy server that blocks Java requests to Internet hosts but allows them to internal ones.

Another approach recommended by some IT administrators is to use two different browsers: one with Java enabled, used only when you absolutely must access a site that requires Java, and one for all other browsing. Enforcing this in the enterprise can be challenging, but you can set up proxy rules that allow only the Java-enabled browser to reach the Java sites and block the others.

5.  BYOD endpoint control

In this age of BYOD, grappling with the many personal devices employees use to connect to the corporate network presents its own set of challenges. Java is widely used in mobile applications, so you may want corporate policies governing how BYOD access is provided. Most newer smart devices running Android, iOS, Windows Phone and BlackBerry 10 do not embed the Java runtime (Android apps are written in Java but run on Android’s own virtual machine, not Oracle’s JRE). However, Nokia’s Series 40 phones and Samsung’s Bada operating system, which is gaining popularity, are both Java-based. Note also that Java ME (Micro Edition) is restricted to JRE 1.3-era APIs, so it is unclear whether any of the latest vulnerabilities are present in Java ME. By implementing endpoint control policies you can ensure that access to the enterprise network is restricted to certain types of devices with the latest updates applied.

As mentioned in the introduction, Java is also used in a variety of other devices such as printers, security systems, payment terminals, etc. Try to identify all devices used in your organization that rely on Java and work closely with vendors to manage risks. Depending on the size of your organization, this may require a task force.

6. Review Java impacts on corporate websites and customer portals

Corporate websites are important marketing tools and frequently a considerable source of revenue through e-commerce. If your website relies on Java applets, it may be time to make changes, since you do not want critical website functionality to become inoperable because visitors have disabled Java. When dealing with public end users you may also encounter visitors who have disabled not only Java but JavaScript as well. To keep the site usable, detect both cases (a <noscript> fallback for JavaScript, a check for the Java plug-in before loading an applet) and redirect customers to an applet-free path as needed.

7.  If you are developing in Java, do so responsibly

If you are developing in Java, don’t add to the industry-wide problem by shipping unsigned or self-signed apps. Sign all apps with a certificate issued by a trusted certificate authority and follow other industry best practices for Java development. To push developers toward trusted certificate authorities, Oracle’s Java 7 Update 21 shows users more prominent warnings about the risk of running unsigned applets.

Some third-party solutions such as the Entrust Authority Security Toolkit for the Java Platform allow Java developers to add security-related features like encryption and digital signatures to their applications.
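The check that steps 3 and 7 describe in words, as an added example (not code from the Network World article, Oracle or Entrust): a small Java program that classifies a JAR on disk the way the ‘high’ Control Panel setting does. It reads every entry so that the JRE verifies the signed digests, rejects JARs that are unsigned or only partially signed, validates the signer’s certificate chain against the JRE’s bundled CA store, and only then tells a self-signed certificate apart from a chain that merely fails to reach a trusted root. The class name JarSignatureCheck, the JAR path taken from the command line, and the default cacerts password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: classify a JAR's signature the way a cautious deployer should. */
public class JarSignatureCheck {

    public enum Verdict { UNSIGNED, PARTIALLY_SIGNED, SELF_SIGNED, UNTRUSTED_CHAIN, TRUSTED }

    public static Verdict check(String jarPath, KeyStore trustStore) throws Exception {
        byte[] buf = new byte[8192];
        boolean sawSigned = false, sawUnsigned = false;
        CodeSigner[] signers = null;

        // verify=true: as each entry is read, its digest is checked against the signed manifest
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                // directories and META-INF/ (manifest, signature files; no class files live
                // there) are skipped: they carry no signers of their own
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // signers are only available after the entry has been read to the end;
                // an entry whose content was tampered with throws SecurityException here
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] s = entry.getCodeSigners();
                if (s == null || s.length == 0) { sawUnsigned = true; continue; }
                sawSigned = true;
                if (signers == null) signers = s;
            }
        }
        if (!sawSigned) return Verdict.UNSIGNED;
        // a JAR with both signed and unsigned entries lets unsigned code ride on the
        // signer's reputation, so treat it as unsigned rather than as signed
        if (sawUnsigned) return Verdict.PARTIALLY_SIGNED;

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CodeSigner signer : signers) {
            CertPath path = signer.getSignerCertPath();
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch
            // with a trusted timestamp, judge the chain as of signing time, so a
            // certificate that has since expired does not invalidate an older release
            Timestamp ts = signer.getTimestamp();
            if (ts != null) params.setDate(ts.getTimestamp());
            try {
                validator.validate(path, params);   // must chain to an anchor in trustStore
            } catch (CertPathValidatorException ex) {
                List<? extends Certificate> chain = path.getCertificates();
                X509Certificate leaf = (X509Certificate) chain.get(0);
                boolean selfSigned = chain.size() == 1
                        && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
                return selfSigned ? Verdict.SELF_SIGNED : Verdict.UNTRUSTED_CHAIN;
            }
        }
        return Verdict.TRUSTED;
    }

    /** The JRE's bundled CA store; "changeit" is the JDK's default password (assumption). */
    public static KeyStore systemTrustStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(args[0] + ": " + check(args[0], systemTrustStore()));
    }
}
```

Run it as `java JarSignatureCheck app.jar`. Any verdict other than TRUSTED is what the ‘high’ setting would prompt on, and a build pipeline can fail at the same point. Chain validation runs before the self-signed test on purpose: an internal root that you have deliberately added to cacerts still counts as trusted, while a self-signed certificate nobody trusts is reported as such rather than as a generic chain failure.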

Conclusion

Of late, Oracle has significantly stepped up its efforts to correct flaws and vulnerabilities in its Java platforms. However, this is playing out as a game of cat and mouse, with new exploits sometimes discovered within hours of the latest patch. The rapid change cycle is also causing collateral consequences. Some users report being able to run unsigned applets in IE9 on Windows 7 even with the security level set to ‘high’ or ‘very high’. Others report legacy applications not running properly under the latest releases of Java 7. Suffice it to say that many Java platforms and applications are in a state of flux, with security concerns remaining, hence the need to keep a watchful eye. Oracle declined comment on the topics in this article.

Source: http://www.networkworld.com/news/2013/051413-java-securing-269724.html?page=1


Java Application Development and its Major Benefits

Java is a general-purpose, object-oriented programming language whose design borrows from C, C++, Smalltalk and other languages. It was created by James Gosling at Sun Microsystems and released in 1995. It is among the most versatile languages for general programming as well as for the development of mobile applications.

There are some benefits of Java:

•  It is open source. The reference implementation, OpenJDK, is released under the GPL, so developers can build and ship Java applications without paying licence or subscription fees for the platform itself.

•  The APIs of Java are easily accessible. It provides an ease of accessing the APIs of Java for building apps and submission of the apps to the app stores.

•  Objects are allocated on the garbage-collected heap, not on a stack. Each thread’s stack holds only local variables and object references, and is managed last-in-first-out as methods are called and return.

•  The apps developed with Java have a dynamic and attractive nature. All the codes used in the development of the Java apps are arranged in some units which are object oriented.

•  Java has automatic garbage collection: the runtime reclaims memory from objects that are no longer reachable, so developers never free memory by hand, and whole classes of bugs (double frees, use-after-free, leaks from forgotten frees) are avoided.

•  Java was designed with safety in mind: bytecode is verified before it runs, and untrusted code can be confined by the security manager and sandbox rather than given the full privileges of the user. That containment is not absolute, as the sandbox escapes exploited against the Java browser plug-in show, so untrusted code still needs to be treated as untrusted.

•  Java is very versatile and can be used on any platform which makes it platform independent and a multi-platform supporting language.

•  The language encourages code reuse: classes and libraries written for one app can be reused when building another.

•  It has the best designed and multi-tasking APIs which reduces the hassles and provides an ease of developing application.

•  Java eases distributed computing, since networking support is built into the standard library.

•  It is multithreaded: a single program can perform several tasks concurrently, with threads and synchronization supported by the core language and libraries.

Above mentioned are some of the top benefits brought to you by experts in mobile application development and web application development to provide the best information to the readers.

Source: http://www.spyghana.com/java-application-development-and-it-major-benefits/


Oracle to Spring developers: Convert to Java EE

Oracle is promoting conversions from the popular Spring Framework for Java development to Java EE (Enterprise Edition). But the founder of Spring counters that these technologies can work together and cites a financial incentive for Oracle’s campaign.

Oracle has been promoting these migrations in a series of Web presentations over many months. A Java Spotlight posting this week on migrations to Java EE 6 links to an interview with Paul Bakker and Bert Ertman of Luminis Technologies in the Netherlands. They argue that Spring no longer has the advantages over enterprise Java it may once have had.

Some users have been holding onto beliefs about enterprise Java inadequacies from several years ago based on books from Spring Framework inventor Rod Johnson, said Bakker, senior software engineer at Luminis. "But nowadays, when we have Java EE 5 and Java EE 6, we [have] completely revised programming models, which are very lightweight and POJO-based (plain old Java objects)," Bakker said. "It’s about time to re-educate people that Java EE no longer stands for Java Evil Edition, but it’s actually quite ready to build some very good enterprise applications with."

Dependency injection, popularized in Spring and used for linking related objects, is now enabled in Java EE 5, the Luminis technologists stressed. Lightweight, aspect-oriented programming is now implemented in Java as well, they argued. But Johnson, in an emailed response to questions, dismissed the notion of a conflict between Java EE and Spring, calling it "fictitious." Spring and Java EE 6, Johnson said, "can work very nicely together."

"The ‘Java EE 6 does away with the need for Spring’ argument is essentially commercially motivated," Johnson said. "Spring has reduced the need for traditional application servers like Oracle WebLogic and has enabled users to choose lighter-weight infrastructure. While Java EE 6 is an improvement on previous versions of Java EE, Spring offers significant additional value."

Spring works in a broader set of scenarios than Java EE 6, thus giving Spring users greater choice, said Johnson. "They may not wish to use a Java EE application server; even [if] they are on Java EE, they may not be running Java EE 6; they may be in a cloud environment where Java EE is not available; they may not be using any app server; or they may wish to be able to deploy in different scenarios. Spring’s portability is highly valuable."

Spring’s ecosystem solves a wider range of problems than Java EE, such as integration, batch, and nonrelational data, Johnson said. Fine-grained security is supported as well, he said. "Using the Spring component model can offer many other benefits."

Elsewhere in the Java EE realm, Oracle is looking to the planned Java EE 7 release to extend transactional capabilities of Enterprise JavaBeans and its transactional semantics, according to Oracle’s Arun Gupta. "What we’re doing in Java EE 7 is we are abstracting the semantics so they can be more widely applicable," for example, to Managed Beans or CDI Beans, Gupta said in Java Spotlight. With CDI Managed Beans, a managed bean is implemented by a Java class, called a bean class.

A top-level Java class is a managed bean if it is defined as so by any other Java EE technology specification or meets conditions such as not being a nonstatic inner class, according to a Java EE 6 tutorial. Java EE 7 is expected to be released this summer and featured in the GlassFish Server 4 application server.

Source:http://www.infoworld.com/d/application-development/oracle-spring-developers-convert-java-ee-195158?page=0,1


Java updates for Flashback avoid OS X Tiger and Leopard

To help tackle the recent Flashback malware threat, Apple released a couple of updates for the Java runtime in OS X to bring it up to the latest Java release (version 1.6.0_31), which patches the vulnerability being exploited.

The updates are available for OS X 10.6 and 10.7 systems that have Java installed; you can update your system by using the Software Update utility in the Apple menu. However, so far there have been no updates to patch older versions of OS X such as Tiger and Leopard, which come with Java runtimes installed and therefore are vulnerable to Flashback.

When OS X Lion was released, Apple stopped supporting prior versions of OS X, so it’s not very likely that Apple will release an update to patch Java on these systems. Therefore, if you use an older Mac you’ll need to take alternative steps to protect it.

1. Upgrade your Mac

If you are running an Intel-based Mac, you should be able to upgrade to at least OS X Snow Leopard, and apply the latest Java patch. While Apple does not sell Snow Leopard anymore, you should be able to find it online, for example through Amazon or eBay.

2. Disable Java

If you can’t upgrade your system, then for now the best option is to disable Java. As mentioned in prior coverage of Flashback, you can do this through the Java Preferences utility or the preferences of your Web browser.

Unfortunately, for now, if you are still using an older PowerPC-based Mac system, then to protect against Flashback you will need to disable Java, as these systems can only be upgraded to a maximum of OS X 10.5.8. While the Flashback malware is suspected to have only been built to attack Intel-based systems, that isn’t known for sure.

In OS X 10.4 and earlier there is no option to disable the Java runtime in the Java Preferences utility; however, you can still do so within your Web browser. This will allow local Java applications to run, but will prevent Web-based applets from running.

Read More:

http://reviews.cnet.com/8301-13727_7-57411535-263/java-updates-for-flashback-avoid-os-x-tiger-and-leopard/


Sun Java SE Runtime Environment 6.0 Update 24

 

Java 2 Platform Standard Edition (J2SE) software is the premier platform for rapidly developing and deploying secure, portable applications that run on server and desktop systems of many operating systems. Java allows you to play online games, chat with people around the world, calculate your mortgage interest, and view  images in 3D.

Java SE 6 is the current major release of the Java SE platform, with full support from NetBeans IDE 5.5. Sun endeavors to foster the highest level of transparency and collaboration on the platform with the Java community through Project JDK 6, resulting in the following key features. Sun’s Java Multi-Platform Support, Training, and Certification can provide you the peace of mind to develop and deploy Java solutions with confidence.

Visit java.sun.com to download Java SE Runtime Environment

Source: http://www.alltechnologynews.com/sun-java-se-runtime-environment-6-0-update-24.html


Open source Java in 2011

 

“Together with Oracle, we’ll drive the innovation pipeline to create compelling value to our customer base and the marketplace,” said Jonathan Schwartz, Sun’s CEO. Sun Microsystems was purchased by Oracle about a year ago. For some developers the purchase opened up opportunities; for others it turned into a predicament.

For example, in November Apple and Oracle announced the open source OpenJDK project for Mac OS X, and IBM later agreed to join the project as well. “We are excited to welcome Apple as a significant contributor in the growing OpenJDK community,” said Hasan Rizvi, Oracle’s senior vice president of Development. Apple will provide a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client. Oracle in return will provide Java SE 7 and future versions of Java for Mac OS X.

However, the purchase of Sun Microsystems has not been a plus for every company. Oracle sued Google over Android, which is built on the Java platform, alleging infringement of Java patents and copyrights. Google responded: “We are disappointed Oracle has chosen to attack both Google and the open source Java community with this baseless lawsuit.”

Whether for good or ill, services that depend on open source Java may face legal changes in 2011.

Source: http://www.apple.com/pr/library/2010/11/12openjdk.html

Source: http://www.wired.com/threatlevel/2010/08/oracle-attacks-opensource/


Terracotta dumps Big Java’s garbage problem

By Gavin Clarke

The challenge of garbage collection is almost as old as Java itself. Java Virtual Machines (JVMs) store programs’ objects in a heap that the collector sweeps from time to time, reclaiming the memory of objects that are no longer reachable.

The process exists so that programmers do not have to free allocated memory by hand. It provides an automated, periodic sweep.


However, the process can slow apps down just when you don’t need them to drag as the application takes time out from normal execution. Historically, this problem was limited to real-time operations but can now show up in server farms running large web properties, where customers need instant gratification – such as in social networking, media or gaming.

As servers with hundreds of gigabytes of memory have become the norm, the tendency has been to tackle garbage collection by increasing the heap size. Terracotta, an open source clustering specialist, argues that this simply makes the application pause even longer, since a bigger heap takes longer to collect, creating a “serious impact” on performance.

Garbage collection in memory

Terracotta has customers who try to keep the garbage heaps of their big or growing apps small by putting them on small servers and partitioning using VMware.

Terracotta’s riposte is to move the data out of the collected heap and into memory the JVM manages directly. In-memory processing is used elsewhere in software to speed data processing and application performance; Terracotta says it also brings performance gains to the heap and to garbage collection.

The company today announces the general availability of BigMemory for its Ehcache caching program. BigMemory can do memory management and bypasses Java’s own heap. It provides an off-heap in-memory store for up to 256GB of in-process, off-heap memory in a single JVM.

BigMemory is designed to stop unacceptable slow downs in Java apps that can happen during garbage collection, while also letting you scale Java applications without chopping the app into separate VM instances or continuing to run your apps on lots of “small” servers.

Terracotta told The Reg that one large beta in France has cut 25 instances of VMware to just two. Using BigMemory means another customer has reduced the amount of time taken to physically tune its application’s garbage collection from three months to three hours.

BigMemory is an add-on to Enterprise Ehcache, the enterprise caching product based on the Ehcache project whose IP and brains Terracotta bought in 2009. The project is used in about 70 per cent of Java caching. Enterprise Ehcache works with Hibernate, Spring, Tomcat, Oracle’s WebLogic and IBM’s WebSphere.
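An added illustration of the idea the article describes, and not Terracotta’s, Ehcache’s or BigMemory’s code: a minimal append-only store that keeps serialized values in a direct ByteBuffer, which lives outside the Java heap, while the heap holds only a small index of offsets. The class and method names (OffHeapStore, put, get, remove, compact) and the 256 MB slab size used in main are assumptions.

```java
import java.nio.ByteBuffer;
import java.util.HashMap;
import java.util.Map;

/** Added example: values live in direct (off-heap) memory; only a small index stays on the heap. */
public class OffHeapStore {
    private ByteBuffer slab;                                     // direct memory, outside the GC'd heap
    private final Map<String, int[]> index = new HashMap<>();    // key -> {offset, length}, on heap
    private int writePos = 0;                                    // append cursor (high-water mark)
    private int deadBytes = 0;                                   // bytes owned by removed/overwritten values

    public OffHeapStore(int capacityBytes) {
        // bounded by -XX:MaxDirectMemorySize rather than -Xmx; the collector never scans its contents
        slab = ByteBuffer.allocateDirect(capacityBytes);
    }

    /** Appends the value; returns false when the slab is full so the caller can evict or compact. */
    public synchronized boolean put(String key, byte[] value) {
        if (value.length > slab.capacity() - writePos) return false;
        remove(key);                                   // append-only: an old copy just becomes dead space
        ByteBuffer w = slab.duplicate();               // own position/limit, same underlying memory
        w.position(writePos);
        w.put(value);
        index.put(key, new int[] { writePos, value.length });
        writePos += value.length;
        return true;
    }

    /** Copies the value back into a fresh heap array (callers never touch the slab); null if absent. */
    public synchronized byte[] get(String key) {
        int[] loc = index.get(key);
        if (loc == null) return null;
        byte[] out = new byte[loc[1]];
        ByteBuffer r = slab.duplicate();
        r.position(loc[0]);
        r.get(out);
        return out;
    }

    public synchronized void remove(String key) {
        int[] loc = index.remove(key);
        if (loc != null) deadBytes += loc[1];
    }

    /** Live payload bytes; writePos also counts dead space left by removals. */
    public synchronized int liveBytes() { return writePos - deadBytes; }

    /** Copies live values into a new slab, dropping dead space: the price of an append-only layout. */
    public synchronized void compact() {
        ByteBuffer fresh = ByteBuffer.allocateDirect(slab.capacity());
        int pos = 0;
        for (Map.Entry<String, int[]> e : index.entrySet()) {
            int[] loc = e.getValue();
            ByteBuffer src = slab.duplicate();
            src.position(loc[0]);
            src.limit(loc[0] + loc[1]);
            fresh.position(pos);
            fresh.put(src);
            e.setValue(new int[] { pos, loc[1] });
            pos += loc[1];
        }
        slab = fresh;        // the old slab's native memory is released when its buffer object is collected
        writePos = pos;
        deadBytes = 0;
    }

    public static void main(String[] args) {
        OffHeapStore store = new OffHeapStore(256 * 1024 * 1024);   // 256 MB slab (assumption)
        Runtime rt = Runtime.getRuntime();
        byte[] payload = new byte[1024 * 1024];                    // one reusable 1 MB value
        long heapBefore = rt.totalMemory() - rt.freeMemory();
        for (int i = 0; i < 200; i++) store.put("key-" + i, payload);
        long heapAfter = rt.totalMemory() - rt.freeMemory();
        System.out.printf("%d MB live off-heap; heap grew by roughly %d KB%n",
                store.liveBytes() / (1024 * 1024), (heapAfter - heapBefore) / 1024);
        store.remove("key-3");
        store.compact();
        byte[] back = store.get("key-7");
        System.out.println("round trip intact: " + (back != null && back.length == payload.length));
    }
}
```

The printed contrast is the point: 200 MB of payload sit outside the heap, so a full collection has nothing extra to trace, while the index costs only a few hundred small objects. The code also makes visible the trade-offs a product like BigMemory has to handle at scale: values must be serialized to bytes on the way in and copied on the way out, removed values leave dead space until a compaction pass, and direct memory is capped separately (-XX:MaxDirectMemorySize) from the heap.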


Java Still At Number One

by James Sugrue

Java remains the most popular programming language. At least that’s the case if you follow the latest TIOBE index results which show Java remaining at the top spot. The latest chart is a big indication of the popularity of mobile app development, and the trends that have surrounded this branch of software over the last few months.

Android’s surge in popularity has surely been a contributing factor to Java’s continued dominance in the index. The main movement in the index has been Objective-C, which has jumped 2.35%, no doubt as a result of the update to Apple’s terms. A side effect is that JavaScript and Ruby have both dropped; both languages are popular for cross-compilation approaches to iPhone development.
