How Secure is Java?

Java is often associated with security vulnerabilities. Should one keep one’s fingers off this language? What speaks for the technology? Let’s give it a good look together.

Java can be regarded as the whipping boy of programming languages. Some are desperately looking to learn it, others would like to see it fail. I came into contact with the technology while I was still studying – a long time ago, when others thought of the word Java as a place to go for holiday or coffee. In this blog post I enter the current situation.

The basic idea behind Java

Developing software that can run on different devices is not only an issue with iOS and Android. More than 20 years ago, a solution was sought that would allow software to be run on different devices and different operating systems – without the need for customization. This is possible with the object-oriented programming language Java from Sun Microsystems, which came on the market in 1995. Later, Oracle took over the company behind Java and continues to develop the language.

Java is (for the time being) not a machine code

Programs developed with Java are only compiled once and can then be used on different systems with Linux, Windows or Mac OS X. For this to work, they are not executed directly by the hardware of the computer, but by a virtual machine included, for example, in the Java Runtime Environment (JRE).

Virtual machines are generally not as efficient as programs that are developed with C or C ++, for example, and run machine code. This was particularly noticeable in the early days of Java, especially since the hardware was generally much slower compared to today.

Optimized code for the virtual machine, which also receives a just-in-time compiler remedies the issue. The just-in-time compiler generates machine code during execution, which the hardware can execute directly.

In addition to desktop computers and servers, Java can also be found on mobile devices such as PDA, TV or the set-top box and gets into other devices through the Internet of Things. An embedded Java runtime is used on computers, such as Oracle’s Java Micro Edition (Java ME), for which there is a suitable software development kit (SDK) for programming the applications.

Java and security

The promise that Java should not only be platform-independent but also secure has suffered over the years. There are security holes surfacing all the time. A look at the National Vulnerability Database (NVD) shows 51 entries for Oracle Java in 2016, 13 of which are critical. By comparison, the C ++ programming language looks much better with 6 entries and 5 critical ones. Same with .NET with 11 entries, all of which are not critical. Java is beaten for this in the statistics of PHP: The scripting language that’s popular with Web developers has a total of 442 entries in the NVD for 2016, of which 112 are classified as critical.

But we shouldn’t look at security holes in isolation. Although C stands well in the NVD, applications written in C can cause buffer overflows and therefore pose a security risk. This is because C is mainly high-performance and does not take over some of the tasks Java does automatically. C demands more from the developer in this regard. And depending on your skills, this may even create security holes in your applications. Whether they are discovered and fixed depends on the developer.

As the NVD statistic shows, bugs are noticeable in Java and are ideally resolved with the next update of the runtime environment. Because Java is a living project, it is maintained and developed further.

Be careful with the browser plug-in

There are some security issues associated with having a Java environment installed as a browser plugin. This is not a security flaw in the classical sense that results from improper programming. After all, the Java plugins are supposed to execute a Java applet in the browser that resides on a server.

However, the plugin can also execute malicious programs if you end up on a properly prepared website. For safety, you should rather disable the Java plugin in the browser or best uninstall it immediately. Incidentally, since Java version 9, Oracle also sees the Java plugin as outdated technology and as of this release, it no longer supplies it with the Java SE development environment and the Java Runtime Environment (JRE).

Software Development

In principle, if you want to develop software with Java, all you need is a text editor and the Java Development Kit (JDK), which contains tools for compiling and running your programs. The JDK includes the compiler javac for the command line, which generates a CLASS file from the Java source code of the JAVA file. The latter contains the bytecode of Java, which can be executed with the command java in a virtual machine.

Installation of the JDK is usually not necessary for Linux users. For Linux distributions such as Ubuntu or Debian, OpenJDK is preinstalled as an open source development environment for Java. Alternatively, for Linux as well as for Mac OS X and Windows, the Java Standard Edition (Java SE) development environment can be installed by Oracle, which now includes the software JavaFx for multimedia content.

After installation, the JAVA_HOME, CLASSPATH, and PATH environment, variables may need to be customized to allow the self-programmed Java classes and Java tools to be found by the system.

To document the self-created classes, the JDK brings the javadoc tool. Oracle uses it itself for the Java API documentation. It displays the information as HTML text and includes all existing classes, including those for graphical interfaces, network interfaces, certificate management, time, and encryption.

For large projects, handling the editor and the command line can be exhausting. That’s why there are more comfortable developer tools. One of the most well-known is Eclipse, in addition also NetBeans IDE, Xcode, BlueJ and RapidClipse are common. For web development, there is also the Google Web Toolkit (GWT), which translates Java code into JavaScript code and brings along an XML parser.

Paid features at Oracle

If you download Java Standard Edition (Java SE) from Oracle with the Java Development Kit (JDK), you also get paid Java functions. However, the costs are only incurred if developers use them and have to pay royalties to Oracle. This also applies to internal use.

Alternatives to Oracle

Oracle is not the only provider of Java tools. Under Linux, the Open Java Development Kit (OpenJDK) is an alternative. That code is open source and free of functions for which you would have to pay royalties to Oracle. Based on this, there is the free Zulu from Azul Systems, for which support can be purchased. In addition, IBM with J9 and Red Hat with IcedTeaoffer development environments for Java. However, a look at the terms of use can never hurt.

Conclusion

Java has been part of the software world for decades and is used for example by Minecraft and some LibreOffice functions. It is unnecessary and dangerous in the browser since it can execute malicious Java applets. You can avoid this danger by disabling or uninstalling the Java plugin for the browser. With HTML, JavaScript and CSS, alternative technologies are already available today, so developers have no reason to use Java applets.

That being said, there are no good reasons for users or developers to turn their backs on Java. The programming language has many features that are useful in development. And since the application areas of Java technology include the Internet of Things and Web development with JavaScript, Java may even be required, depending on the project and the client.

Any developer who has concerns about Oracle’s licensing policy may resort to other Java implementations such as the Open Java Development Kit (OpenJDK), J9, IcedTea or Zulu.