


Re: Article: Why you can't dump Java (even though you want to)

Date 2012-05-10 20:26 -0400
From Arne Vajhøj <arne@vajhoej.dk>
Newsgroups comp.lang.java.programmer
Subject Re: Article: Why you can't dump Java (even though you want to)
References <t5giq7l185ms1k9qs9pb4mknj14tfpbij5@4ax.com> <C8fqr.2056$oK2.610@newsfe13.iad> <4fa9c4a5$0$287$14726298@news.sunsite.dk> <0Uzqr.17$XG.8@newsfe09.iad>
Message-ID <4fac5ccd$0$288$14726298@news.sunsite.dk> (permalink)
Organization SunSITE.dk - Supporting Open source



On 5/9/2012 3:50 PM, Arved Sandstrom wrote:
> On 12-05-08 10:13 PM, Arne Vajhøj wrote:
>> On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
>>> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>>>>        This was in the morning's trade articles:
>>>>
>>>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>>>>
>>>> InfoWorld Home / Security / Security Adviser
>>>> May 08, 2012
>>>> Why you can't dump Java (even though you want to)
>>>> So many recent exploits have used Java as their attack vector, you
>>>> might conclude Java should be shown the exit
>>>> By Roger A. Grimes | InfoWorld
>>>>
>>
>>> I tend to agree with what Grimes wrote on the second page of his
>>> article. As he pointed out, popular software always gets exploited. Part
>>> of it is due to defects in the software, so in Java in this case, but a
>>> major part of it for a programming language and platform (JVM) is how
>>> people code in it. How many Java programmers have genuinely absorbed the
>>> lessons in "Secure Coding Guidelines for the Java Programming Language",
>>> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
>>> percent? No way is it any higher than that.
>>
>> I think we need to distinguish between:
>> A) malicious applet code that gets unauthorized access to desktop
>>     PCs when their users just browse the internet
>> B) hackers that break into a Java web app using various
>>     security holes
>>
>> A is what I assume the article is about. And the security
>> problems are caused by bugs in the JVM and Java runtime.
>>
>> B is caused by bugs introduced by the Java web app
>> developers. And this seems to be what that coding
>> standard tries to address.

> Well, Grimes mentioned everything: Java apps as well as applets, users
> insisting on using old Java versions because they believe their apps
> need it [1], people not knowing what version they are running, unpatched
> Java etc. Which is why I seized the opportunity to bitch about insecure
> coding...which is ultimately the root of the problem anyway.
>
> But you're right, it's mostly defects in Java runtimes that Grimes is
> talking about.
>
> One point about the secure coding guidelines - let's not characterize
> that as "web app" coding. All those guidelines are about secure coding
> for Java, period. If I were a Java EE web app developer I'd read the Sun
> now Oracle secure coding guidelines for Java first, then something like
> OWASP.

Good point.

The advice is applicable to all types of apps.

Systems connected to the internet are just a bit more, let us
say, expected to be attacked.

Arne


