Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.java.programmer > #14453
| From | Arved Sandstrom <asandstrom3minus1@eastlink.ca> |
|---|---|
| Newsgroups | comp.lang.java.programmer |
| Subject | Re: Article: Why you can't dump Java (even though you want to) |
| References | <t5giq7l185ms1k9qs9pb4mknj14tfpbij5@4ax.com> <C8fqr.2056$oK2.610@newsfe13.iad> <4fa9c4a5$0$287$14726298@news.sunsite.dk> |
| Message-ID | <0Uzqr.17$XG.8@newsfe09.iad> (permalink) |
| Organization | Public Usenet Newsgroup Access |
| Date | 2012-05-09 16:50 -0300 |
On 12-05-08 10:13 PM, Arne Vajhøj wrote: > On 5/8/2012 4:14 PM, Arved Sandstrom wrote: >> On 12-05-08 12:51 PM, Gene Wirchenko wrote: >>> This was in the morning's trade articles: >>> >>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622 >>> >>> InfoWorld Home / Security / Security Adviser >>> May 08, 2012 >>> Why you can't dump Java (even though you want to) >>> So many recent exploits have used Java as their attack vector, you >>> might conclude Java should be shown the exit >>> By Roger A. Grimes | InfoWorld >>> > >> I tend to agree with what Grimes wrote on the second page of his >> article. As he pointed out, popular software always gets exploited. Part >> of it is due to defects in the software, so in Java in this case, but a >> major part of it for a programming language and platform (JVM) is how >> people code in it. How many Java programmers have genuinely absorbed the >> lessons in "Secure Coding Guidelines for the Java Programming Language", >> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1 >> percent? No way is it any higher than that. > > I think we need to distinguish between: > A) malicious applet code that gets unauthorized access to desktop > PC's when their users just browse the internet > B) hackers that break into a Java web app using various > security holes > > A is what I assume the article is about. And the security > problems is caused by bugs in JVM and Java runtime. > > B is caused by bugs introduced by the Java web app > developers. And this seems to be what that coding > standard try to address. > > Arne > Well, Grimes mentioned everything: Java apps as well as applets, users insisting on using old Java versions because they believe their apps need it [1], people not knowing what version they are running, unpatched Java etc. Which is why I seized the opportunity to bitch about insecure coding...which is ultimately the root of the problem anyway. But you're right, it's mostly defects in Java runtimes that Grimes is talking about. One point about the secure coding guidelines - let's not characterize that as "web app" coding. All those guidelines are about secure coding for Java, period. If I were a Java EE web app developer I'd read the Sun now Oracle secure coding guidelines for Java first, then something like OWASP. AHS 1. And we've had that conversation a number of times in various threads. -- Never interrupt your enemy when he is making a mistake. --Napoleon
Back to comp.lang.java.programmer | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-08 08:51 -0700
Re: Article: Why you can't dump Java (even though you want to) Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2012-05-08 17:14 -0300
Re: Article: Why you can't dump Java (even though you want to) "Nasser M. Abbasi" <nma@12000.org> - 2012-05-08 15:36 -0500
Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 13:51 -0700
Re: Article: Why you can't dump Java (even though you want to) "Nasser M. Abbasi" <nma@12000.org> - 2012-05-08 16:01 -0500
Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 14:15 -0700
Re: Article: Why you can't dump Java (even though you want to) "Nasser M. Abbasi" <nma@12000.org> - 2012-05-08 16:41 -0500
Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-08 15:19 -0700
Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 15:21 -0700
Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-08 15:05 -0700
Re: Article: Why you can't dump Java (even though you want to) Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2012-05-08 19:12 -0300
Re: Article: Why you can't dump Java (even though you want to) BGB <cr88192@hotmail.com> - 2012-05-10 19:05 -0700
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:03 -0400
Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 20:52 -0700
Re: Article: Why you can't dump Java (even though you want to) Eric Sosman <esosman@ieee-dot-org.invalid> - 2012-05-09 06:58 -0400
Re: Article: Why you can't dump Java (even though you want to) Lew <lewbloch@gmail.com> - 2012-05-09 12:04 -0700
Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-09 10:06 -0700
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:20 -0400
Re: Article: Why you can't dump Java (even though you want to) Bent C Dalager <bcd@pvv.ntnu.no> - 2012-05-11 09:09 +0000
Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-11 09:41 -0700
Re: Article: Why you can't dump Java (even though you want to) "javax.swing.JSnarker" <gharriman@boojum.mit.edu> - 2012-05-12 01:30 -0400
Re: Article: Why you can't dump Java (even though you want to) Sleepy the Dwarf <std75821@gmail.com> - 2012-05-13 08:40 -0400
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-20 22:37 -0400
Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-20 20:25 -0700
Re: Article: Why you can't dump Java (even though you want to) Bent C Dalager <bcd@pvv.ntnu.no> - 2012-05-21 19:31 +0000
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-20 22:35 -0400
Re: Article: Why you can't dump Java (even though you want to) Bent C Dalager <bcd@pvv.ntnu.no> - 2012-05-21 19:26 +0000
Re: Article: Why you can't dump Java (even though you want to) Kev Warren <k.warren312@noobnot.notnoob.org> - 2012-05-21 17:36 -0400
Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 13:59 -0700
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:04 -0400
Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 20:54 -0700
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:23 -0400
Re: Article: Why you can't dump Java (even though you want to) Joshua Maurice <joshuamaurice@gmail.com> - 2012-05-08 15:32 -0700
Re: Article: Why you can't dump Java (even though you want to) BGB <cr88192@hotmail.com> - 2012-05-10 16:36 -0700
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:13 -0400
Re: Article: Why you can't dump Java (even though you want to) Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2012-05-09 16:50 -0300
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:26 -0400
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:19 -0400
Re: Article: Why you can't dump Java (even though you want to) Roedy Green <see_website@mindprod.com.invalid> - 2012-05-09 14:42 -0700
Re: Article: Why you can't dump Java (even though you want to) Joshua Cranmer <Pidgeot18@verizon.invalid> - 2012-05-10 17:07 -0500
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:19 -0400
Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-20 22:33 -0400
csiph-web