
Why is Java insecure? Buggy or vulnerable open source components

Mira Yurizaki

http://www.zdnet.com/article/why-is-java-so-insecure-buggy-open-source-components-take-the-blame/

 

Veracode, a computer security company in the US, examined a bunch of Java apps to determine what made them vulnerable. It turns out 97% of all apps it examined contained at least one package with a known vulnerability. The most popular one is Apache Commons Collections:

 

Quote

"The Java deserialization vulnerability in Apache Commons Collections is an interesting example of an open-source, third-party component vulnerability, because it went from unknown to critical and highly exploitable, and because it was widely used in a variety of standard 'infrastructure' applications; web servers, application servers, CI servers," noted Veracode.

 

"It's worth noting that the issue was not just in the infrastructure applications, but in any application that uses Apache Commons Collections v.3.0 - 3.2.1 or 4.0. Addressing this vulnerability requires a broader response than just patching servers; it requires visibility into the component supply chain for all your applications."
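As an added example (not part of the original post, the ZDNet article, or Veracode's tooling): a small Python script that provides the "visibility into the component supply chain" the quote asks for, by scanning Maven dependency output for Apache Commons Collections versions in the ranges named above. The `mvn dependency:tree` output and the `com.example:webapp` coordinates are constructed; the affected ranges are the ones the quote states (3.0 through 3.2.1 of `commons-collections:commons-collections`, and 4.0 of `org.apache.commons:commons-collections4`), and any other version is treated as not affected.

```python
"""Flag Apache Commons Collections versions in the deserialization-affected
ranges named in the article (3.0 - 3.2.1 and 4.0) in Maven dependency output.

Added example, not from the article or from Veracode. SAMPLE_TREE below is
constructed; COORD_RE assumes the usual Maven coordinate layout
groupId:artifactId:packaging:version[:scope] printed by `mvn dependency:list`
and `mvn dependency:tree`.
"""
import re
from dataclasses import dataclass

# Constructed sample: what `mvn dependency:tree` prints for a fictitious webapp,
# including a transitive copy of commons-collections pulled in by a legacy lib.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] \\- org.example:legacy-lib:jar:2.0:compile
[INFO]    \\- commons-collections:commons-collections:jar:3.1:compile
"""

# (groupId, artifactId) -> inclusive (low, high) version ranges from the article.
AFFECTED = {
    ("commons-collections", "commons-collections"): [((3, 0), (3, 2, 1))],
    ("org.apache.commons", "commons-collections4"): [((4, 0), (4, 0))],
}

COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):(?:jar|war|ear|pom):([\w.-]+)(?::(\w+))?")


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str


def parse_version(v):
    """Turn '3.2.1' or '3.2.1-SNAPSHOT' into a comparable tuple of ints.
    A qualifier after '-' is dropped; parsing stops at the first non-numeric
    part, so an unparseable version such as 'RELEASE' yields ()."""
    core = v.split("-")[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def in_range(ver, low, high):
    """Inclusive range check; shorter tuples are zero-padded so 3.2 == 3.2.0."""
    n = max(len(ver), len(low), len(high))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(low) <= pad(ver) <= pad(high)


def parse_dependencies(text):
    """Extract every Maven coordinate from dependency:list / dependency:tree output."""
    deps = []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            deps.append(Dependency(m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return deps


def find_affected(text):
    """Return distinct 'group:artifact:version' strings that fall in an affected
    range. A version that cannot be parsed is reported for manual review rather
    than silently treated as safe."""
    hits = []
    for d in parse_dependencies(text):
        ranges = AFFECTED.get((d.group, d.artifact))
        if not ranges:
            continue
        ver = parse_version(d.version)
        coord = f"{d.group}:{d.artifact}:{d.version}"
        if ver == ():
            hits.append(coord + " (version not parseable, review manually)")
        elif any(in_range(ver, lo, hi) for lo, hi in ranges):
            hits.append(coord)
    return list(dict.fromkeys(hits))  # keep first-seen order, drop duplicates


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_TREE):
        print("AFFECTED:", hit)
```

Run it with `mvn dependency:tree | python3 check_commons_collections.py` style piping by replacing `SAMPLE_TREE` with `sys.stdin.read()`; the point of scanning the tree rather than the top-level list is that the quote's "any application that uses" includes the transitive copy a legacy library drags in, which the sample deliberately models.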

 


you forgot this:

 

Quote
  • Your thread must include some original input to tell the reader why it is relevant to them, and what your personal opinion on the topic is.

I think Java is insecure purely because of how old it is while it tries to remain backwards compatible. Maybe also because it's a very abstract language? I dunno, I don't know enough about Java compiling and coding to have a good opinion on this.


Java sometimes is exactly like Flash: outdated, overused and waiting to die off.

No matter how useful it sometimes is, backwards compatibility can kill it if you need efficient and safe work.

May the light have your back and your ISO low.


55 minutes ago, Bsmith said:

Java sometimes is exactly like Flash: outdated, overused and waiting to die off.

No matter how useful it sometimes is, backwards compatibility can kill it if you need efficient and safe work.

I think Java needs a replacement without all the backwards compatible code.

 

C# would be awesome except you can't use it too much on Linux or Mac. It's practically Windows exclusive.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


40 minutes ago, AluminiumTech said:

I think Java needs a replacement without all the backwards compatible code.

 

C# would be awesome except you can't use it too much on Linux or Mac. It's practically Windows exclusive.

C++11 onward is a perfectly fine replacement. It has the largest community, both open and closed source, with all the high-level abstraction and low-level access you could want. It also doesn't have all the overhead of virtual interpreted languages such as Java or the .NET family.

Software Engineer for Suncorp (Australia), Computer Tech Enthusiast, Miami University Graduate, Nerd


Aren't open source components part of the selling point for Java?

 

(I absolutely hate Java both as an end-user and as someone who worked with Java development)

 

.NET is the future.

 

Unfortunately Java won't go away anytime soon because of legacy applications in corporations that aren't willing to pay for the transition to something more stable and efficient.

Remember kids, the only difference between screwing around and science is writing it down. - Adam Savage

 

PHOΞNIX Ryzen 5 1600 @ 3.75GHz | Corsair LPX 16Gb DDR4 @ 2933 | MSI B350 Tomahawk | Sapphire RX 480 Nitro+ 8Gb | Intel 535 120Gb | Western Digital WD5000AAKS x2 | Cooler Master HAF XB Evo | Corsair H80 + Corsair SP120 | Cooler Master 120mm AF | Corsair SP120 | Icy Box IB-172SK-B | OCZ CX500W | Acer GF246 24" + AOC <some model> 21.5" | Steelseries Apex 350 | Steelseries Diablo 3 | Steelseries Syberia RAW Prism | Corsair HS-1 | Akai AM-A1

D.VA coming soon™ xoxo

Sapphire Acer Aspire 1410 Celeron 743 | 3Gb DDR2-667 | 120Gb HDD | Windows 10 Home x32

Vault Tec Celeron 420 | 2Gb DDR2-667 | Storage pending | Open Media Vault

gh0st Asus K50IJ T3100 | 2Gb DDR2-667 | 40Gb HDD | Ubuntu 17.04

Diskord Apple MacBook A1181 Mid-2007 Core2Duo T7400 @2.16GHz | 4Gb DDR2-667 | 120Gb HDD | Windows 10 Pro x32

Firebird//Phoeniix FX-4320 | Gigabyte 990X-Gaming SLI | Asus GTS 450 | 16Gb DDR3-1600 | 2x Intel 535 250Gb | 4x 10Tb Western Digital Red | 600W Segotep custom refurb unit | Windows 10 Pro x64 // offisite backup and dad's PC

 

Saint Olms Apple iPhone 6 16Gb Gold

Archon Microsoft Lumia 640 LTE

Gulliver Nokia Lumia 1320

Werkfern Nokia Lumia 520

Hydromancer Acer Liquid Z220


46 minutes ago, patrickjp93 said:

C++11 onward is a perfectly fine replacement. It has the largest community, both open and closed source, with all the high-level abstraction and low-level access you could want. It also doesn't have all the overhead of virtual interpreted languages such as Java or the .NET family.

 

Sounds good, does it also allow for software like FileZilla etc.? That stuff is actually the only reason for me to have Java installed.


48 minutes ago, Bsmith said:

 

Sounds good, does it also allow for software like FileZilla etc.? That stuff is actually the only reason for me to have Java installed.

As in a file share? Yes. I have never personally used FileZilla, but Google Drive and Dropbox are RESTful C++ services.


1 hour ago, Bsmith said:

 

Sounds good, does it also allow for software like FileZilla etc.? That stuff is actually the only reason for me to have Java installed.

The FTP protocol is not dependent on any language; some are just easier to code it in than others. You can run an FTP client or server from almost anything (although its use is debatable).

 

https://en.wikipedia.org/wiki/File_Transfer_Protocol


5 hours ago, tlink said:

you forgot this:

 

I think Java is insecure purely because of how old it is while it tries to remain backwards compatible. Maybe also because it's a very abstract language? I dunno, I don't know enough about Java compiling and coding to have a good opinion on this.

Backwards compatibility doesn't really fit into that; Java is actually good about fixing deprecated code. The main problem in my opinion is the accessibility Java provides. The other end of that coin is the lack of control Java gives to programmers. This leads to problems in having the ability to patch security issues on a case-by-case basis in some instances, especially if it's a pre-compile-time issue. An example is the lack of memory control. If you somehow get a memory leak in Java there isn't a way to fix it with a buffer or something simple. It would require utilizing a different library or rewriting the entire code block in a different way.

CPU: Ryzen 5950X Ram: Corsair Vengeance 32GB DDR4 3600 CL14 | Graphics: GIGABYTE GAMING OC RTX 3090 |  Mobo: GIGABYTE B550 AORUS MASTER | Storage: SEAGATE FIRECUDA 520 2TB PSU: Be Quiet! Dark Power Pro 12 - 1500W | Monitor: Acer Predator XB271HU & LG C1

 


5 hours ago, Remixt said:

Backwards compatibility doesn't really fit into that; Java is actually good about fixing deprecated code. The main problem in my opinion is the accessibility Java provides. The other end of that coin is the lack of control Java gives to programmers. This leads to problems in having the ability to patch security issues on a case-by-case basis in some instances, especially if it's a pre-compile-time issue. An example is the lack of memory control. If you somehow get a memory leak in Java there isn't a way to fix it with a buffer or something simple. It would require utilizing a different library or rewriting the entire code block in a different way.

So it's mainly due to how abstract the Java language is, if I understood that correctly?


18 minutes ago, tlink said:

So it's mainly due to how abstract the Java language is, if I understood that correctly?

That's the short of it, pretty much.


Abstraction is necessary for portability, and that's a big deal in enterprise. Many companies don't want to risk expensive software being tied to a single OS.


Java probably won't die soon, but probably will be moved to a different use.

Like, I saw a guy developing a 30-something KB OS designed for Internet of Things and embedded systems. Didn't look into it that much, but apparently Java's flexibility allowed them to build something pretty efficient for embedded systems. (They coded it without packages.)


9 minutes ago, laminutederire said:

Java probably won't die soon, but probably will be moved to a different use.

Like, I saw a guy developing a 30-something KB OS designed for Internet of Things and embedded systems. Didn't look into it that much, but apparently Java's flexibility allowed them to build something pretty efficient for embedded systems. (They coded it without packages.)

I'm curious about this, because why would you use a language that requires running essentially a VM for an embedded system?


3 hours ago, M.Yurizaki said:

I'm curious about this, because why would you use a language that requires running essentially a VM for an embedded system?

A VM removes dependencies on a specific set of hardware, something embedded systems are very picky on, so that allows a Java program that was compiled on a modern desktop to work everywhere from a telephony system to an airport billboard and so on. The same JAR or WAR works in more than one system, which cannot be said for other languages such as C++. The caveat here is the run-times of the VMs need to match in order for this to work, which often ends up in a reliance on horribly outdated Java versions.

Read the community standards; it's like a guide on how to not be a moron.

 

Gerdauf's Law: Each and every human being, without exception, is the direct carbon copy of the types of people that he/she bitterly opposes.

Remember, calling facts opinions does not ever make the facts opinions, no matter what nonsense you pull.


1 minute ago, Colonel_Gerdauf said:

A VM removes dependencies on a specific set of hardware, something embedded systems are very picky on, so that allows a Java program that was compiled on a modern desktop to work everywhere from a telephony system to an airport billboard and so on. The same JAR or WAR works in more than one system, which cannot be said for other languages such as C++. The caveat here is the run-times of the VMs need to match in order for this to work, which often ends up in a reliance on horribly outdated Java versions.

Well, I understand that, but to me, adding a VM to run an OS to run an application on an embedded system is "lolwhy?"

 

But I guess it depends on how much power is available. I'm used to thinking of embedded systems in the range of Cortex M3/M4 or using old processor cores.


2 hours ago, M.Yurizaki said:

Well, I understand that, but to me, adding a VM to run an OS to run an application on an embedded system is "lolwhy?"

 

But I guess it depends on how much power is available. I'm used to thinking of embedded systems in the range of Cortex M3/M4 or using old processor cores.

Because for each one use case, there are multiple embedded systems to deal with. Think about it like this: would you rather write an application that simply works while outsourcing the compatibility work to the higher-ups in the tech world, or would you rather have to learn about the kinks of each individual unit that you will likely never see again and program your way through them?

 

Flexibility is a big thing in the enterprise world, because with flexibility you save time and therefore save money.


Cough cough, Minecraft.

Ryzen 5 3600 stock | 2x16GB C13 3200MHz (AFR) | GTX 760 (Sold the VII)| ASUS Prime X570-P | 6TB WD Gold (128MB Cache, 2017)

Samsung 850 EVO 240 GB 

138 is a good number.

 


1 minute ago, themctipers said:

Cough cough, Minecraft.

I'm pretty sure Minecraft doesn't use open source components. It's just buggy proprietary code.

 

Moving on from this, I feel like we need open source games :).


4 minutes ago, themctipers said:

Cough cough, Minecraft.

wat? Java is insecure because of Minecraft?

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


2 minutes ago, Ryan_Vickers said:

wat? Java is insecure because of Minecraft?

I'm sure he meant that Minecraft was insecure cos of Java...


4 minutes ago, AluminiumTech said:

I'm pretty sure Minecraft doesn't use open source components. It's just buggy proprietary code.

 

Moving on from this, I feel like we need open source games :).

Half Life 2, CSS


2 minutes ago, dexxterlab97 said:

Half Life 2, CSS

As in, MORE open source games which are RECENT.


7 hours ago, AluminiumTech said:

As in, MORE open source games which are RECENT.

Battle for Wesnoth

0AD

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>
