According to a recent report by WhiteSource there is a “substantial rise in the number of known open source security vulnerabilities across all languages over the past two years.” Though the overall number of vulnerabilities in Java has steadily decreased since 2015, the more recent spike in the number of vulnerabilities requires an explanation. We can attribute this increase to two factors.
First, there are bug bounties, a relatively new trend in which thousands of tech pros pick through a language to find vulnerabilities. These account for at least some of the increase in open source security vulnerabilities. Additionally, it’s generally assumed that threat hunters scan all languages equally, but that’s not true. As one of the most commonly used languages in web development, Java is a significant target for threat hunters. In this context, Java’s third-place ranking for known vulnerabilities starts to look pretty low.
Software systems are also an order of magnitude more complicated than they were 10 years ago, which is another major factor in the increasing number of vulnerabilities found in Java and other languages. In a world where smartphone apps can be a source of infection, and where every company must have a JavaScript-enabled website, it’s no surprise that the number of website vulnerabilities has increased exponentially. Add to this the long-term shortage of cybersecurity professionals, and things start to look grim for the future of cybersecurity.
Fear not: Java developers are in a strong position when it comes to application security. With thousands of pros scanning the language for vulnerabilities, there’s a good chance we already know about a large proportion of the vulnerabilities in the language. That knowledge is power.
A recent JavaWorld article offered 13 rules for developing secure Java applications. You can also find plenty of articles and white papers about implementing Java securely in specific environments, such as cloud security for Java and web app security for Java.
Magic DevOps helps with security (or should)
One way to reduce vulnerabilities in Java code is to move to a DevSecOps workflow. This type of workflow makes security a paramount concern at all stages of the development process. As developers, we often forget that our software is used (and sometimes adapted) by all parts of the organization we work for. It’s no good hardening your web apps against intrusion if your marketing team is determined to undermine your efforts. Include all of your teams in the development process, and make sure that security is a consideration for every aspect of the project.
Evaluate workflow security
You should also take a good look at the security of your own workflow. Your web apps might be secure in themselves, but one of the fastest-growing sources of vulnerability for developers is the development system itself. If your development system is compromised, it becomes a portal for injecting malicious code into your software. To avoid this, make sure you use a VPN to encrypt all of your internal communications. Also, be sure to implement encrypted data storage.
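The “encrypted data storage” advice above is easy to get wrong in Java: ECB mode, a fixed IV, or unauthenticated CBC all store data that can be read or silently altered. The following is an added example, not code from the article, showing the shape a developer would actually want: AES-256-GCM with a fresh random nonce per record and the record identifier bound as associated data, so a tampered or swapped record is rejected at decrypt time rather than returned as garbage. The class name, the record identifier and the demo key are assumptions made for the example; a real deployment would load the key from a keystore or KMS.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

/** Encrypt-at-rest helper: AES-256-GCM, one random 96-bit nonce per sealed record. */
public final class EncryptedStore {
    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;     // 128-bit authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public EncryptedStore(byte[] rawKey) {
        if (rawKey.length != 32) {
            throw new IllegalArgumentException("AES-256 key must be 32 bytes");
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Returns nonce || ciphertext || tag. recordId is bound as AAD so a blob cannot be moved to another record. */
    public byte[] seal(String recordId, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                     // never reuse a nonce under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(recordId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext);         // ciphertext with the GCM tag appended
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    /** Throws AEADBadTagException if the blob was modified or belongs to a different record. */
    public byte[] open(String recordId, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, NONCE_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(recordId.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(ct);                     // tag is verified before any plaintext is returned
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key for the example only; a real key comes from a keystore or KMS.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        EncryptedStore store = new EncryptedStore(kg.generateKey().getEncoded());

        byte[] blob = store.seal("user:42", "api-token=abc123".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(store.open("user:42", blob), StandardCharsets.UTF_8));

        // Flip one bit of the stored blob: the tag check fails and nothing is decrypted.
        blob[blob.length - 1] ^= 0x01;
        try {
            store.open("user:42", blob);
        } catch (AEADBadTagException e) {
            System.out.println("tampered record rejected");
        }
    }
}
```

The point of binding the record identifier as associated data is that an attacker with write access to the storage cannot copy one user's encrypted record over another's; the tag only verifies when both the key and the identifier match. The same pattern applies to any at-rest secret on the build system itself, such as signing keys or CI credentials.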