Thursday Aug 28, 2014

Java and Security at JavaOne

In a Java Magazine interview, Jim Manico describes his JavaOne session on security. "I will be speaking about the top coding techniques and essential tools, including several Oracle Open Web Application Security Project (OWASP), Apache, and Google open source Java projects that will help developers build low-risk, high security applications". Jim is an author and educator of developer security-awareness training. You can find more details of his session in the JavaOne content catalog.

His session is part of a dedicated track about Java and Security, which addresses topics ranging from security tools and coding techniques to innovative products, and includes participation from recognized security leaders discussing policies and best practices. While the value of offensive security techniques is recognized, the focus of this track is primarily on defensive measures. 

Check out all the topics in the Java and Security track.

Tuesday Aug 05, 2014

Java and Security

Is Java inherently insecure? As a Java developer, what things should you think about in terms of security? How is ECC better than RSA? Is RSA good enough security? Hear what James McGivern, a software engineer in Cisco's Cloud Web Security group, has to say about securing your Java applications.

ECC vs RSA: Battle of the Crypto-Ninjas - James' slides from Devoxx UK 2014

Schneier on Security

Using the New JDK 8 Security Features: from JavaOne 2013

Oracle Security Resource Center

Oracle Java Platform Group, Product Management Blog

Security Curmudgeon Blog

A (relatively easy to understand) primer on elliptic curve cryptography

Friday May 31, 2013

Security and Java!

In a detailed blog post, Nandini Ramani, Vice President of Software Development, summarizes Oracle's steps to address security issues on the Java platform. Among the most recent changes, she explains that "it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed". She lists the impacts of those changes and mentions, for example, that "Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations."

She also explains that "Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers.  As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments). With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.”"

She added that "starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products.  In other words, Java will now issue four annual security releases."

Check out her original blog post.

Tuesday Apr 30, 2013

Everything on the NetBeans Platform

NetBeans Principal Product Manager Geertjan Wielenga describes a myriad of software tools and applications in his blog in fields as diverse as biology, security, airport management, data analysis, data modeling, radiology, home automation, retail, and equipment safety - all of them created on the NetBeans Platform:
  • Alphalogic, an easy-to-use tool with high-level integration, control and monitoring for engineering systems and security systems
  • Platypus Application Designer, a tool to develop the structure of database applications, reusable SQL queries and client/server applications
  • Sypherlink Harvester, a tool collecting metadata, database statistics, sample data and more in relational and non-relational data sources
  • Total Airport Management (TAM) 
  • Summit Management Systems, data acquisition and floor plan monitoring tools for assembly processes
  • Integrated Service Technology, a testing and analysis solution for integrated circuits 
  • DigiMed, radiology software for hospitals in Mexico
  • Ksenia, a security system configuration software 
  • Vimar, a home automation management software 
  • Phyloviz, a visualization software tool for Phylogenetics
  • Delcam Crispin, a footwear CAD/CAM software 
  • Autopsy, a digital forensics platform
  • Sristy Technologies, software solutions to analyze seismic data, drilling, completion and reservoirs for the energy sector
  • HEIDE, a multiprocessor microcontroller platform 
  • SIEUFERD, a universal user interface for relational databases 
  • Polaris Slipstream, an extensive data modeling application designed for NASA Mission visualization
  • MammoControl DIANNA, a tool for analyzing and transmitting mammography images for the German Breast Cancer Screening Program
  • IGS-Bio, a motion capture software application
  • Klinika Medical Assistant, EMR software used in the Philippines
  • A series of software from Satlantic, an ocean technology company 
  • Mongkie, an integrated network visualization platform for biological data 
  • 4Vending, a vending machine management solution 
  • Piraso, an open source debugger and analyzer tool 
  • SafetyMach, a European safety requirement software 
Check his blog for details on each project. 

Tuesday Apr 16, 2013

Java SE 7 Update 21 Release and more

Oracle has released three updates to Java. It is important to note that they contain several security changes. The releases are:

Java SE 7 Update 21
This release contains new features and fixes for security vulnerabilities, including a new Server JRE, JRE Installer linked with Uninstall Applet on Windows platform, changes to Security Dialogs and more. Oracle strongly recommends that all Java SE 7 users upgrade to this release. 
Release Notes   Download

Java SE 6 Update 45
This release contains fixes for security vulnerabilities. 
Release Notes   Download

Java SE Embedded 7 Update 21
This release is based on Java Development Kit 7 Update 21 (JDK 7u21) and provides specific features and support for embedded systems. 
Release Notes   Download

Security Changes 

In addition to security fixes, Oracle has included new security features in this release. These are significant:

  • Starting with Java SE 7u21, a Server Java Runtime Environment (Server JRE) package is available for deploying Java applications on servers. The Server JRE includes the same high performance JVM that is available in the JDK and JRE packages, tools for JVM monitoring and tools commonly required for server applications. It does not include browser integration (the Java plug-in), auto-update, or an installer. Learn more in the Release Notes.

  • Changes to Java Control Panel's Security Settings - In this release, low and custom settings are removed from the Java Control Panel(JCP)'s Security Slider. Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run. For more information, see the Security section of the Java Control Panel documentation.

  • Changes to Security Dialogs - Specifically, all Java code executed within the client’s browser will prompt the user. The type of dialog messages the user sees depends upon the risk factors. Low-risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk. See the Java Source Blog IMP: Your Java Applets and Web Start Applications Should Be Signed.

    Resources that will be helpful for both developers and end-users are:
  • Changes to RMI - Starting with this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false. This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException with a nested java.lang.ClassNotFoundException. For more information, see RMI Enhancements in the Java SE 7 documentation.

  • JDK for Linux on ARM - this release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.

Thursday Mar 28, 2013

IMP: Your Java Applets and Web Start Applications Should Be Signed

Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.

The April 16th, 2013 Critical Patch Update for Java SE (7u21) will change the launch behavior related to running Java Applets and Web Start Applications. Users will be presented with a dialog (or dialogs) that provide additional information, and the user can choose to continue or terminate execution. For the best possible user experience, your Applets and Web Start Applications should be signed.

What does this mean? Java SE 7u21 will introduce changes to Java browser plug-in behavior, encouraging application authors and vendors to sign code with a certificate from a trusted Certificate Authority. You, as a developer, are strongly encouraged to sign code now in preparation for this release and future releases.

For more information, read Java Applet & Web Start - Code Signing on OTN.

Tuesday Feb 19, 2013

Updates to February Critical Patch Update for Java SE

Oracle has released Updates to February 2013 Critical Patch Update for Java SE. This update contains fixes for additional security vulnerabilities. Oracle recommends that customers apply Critical Patch Updates (CPUs) as soon as possible. You can read details on the Oracle Software Security Assurance Blog.

Released today is:

Auto-update and Manual Update of JRE 6 will Replace JRE 6 with JRE 7

Since JRE 6 has reached its End of Public Updates, Oracle is taking steps to protect consumer desktops. Oracle will not leave a version of Java installed for which Oracle no longer provides security updates.

In order to do so, when updating from JRE 6, the update mechanism will not only install the latest version of JRE 7 but will also remove the highest version of JRE 6 on the system. This change will happen when the system is updated via the auto-update mechanism or by checking for updates directly from the Java Control Panel. For more information, read the Java SE 7 Update 15 Release Notes.  

As always, consumers can get the Java Runtime Environment (JRE) from Developers can get the Java Development Kit (JDK) and the Java Runtime Environment (JRE) from the Oracle Technology Network.  

Friday Feb 01, 2013

Critical Patch Update for Java SE

Oracle just released the February 2013 Critical Patch Update for Java SE. Oracle accelerated the release of this update because one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers was being actively exploited "in the wild"; it has been addressed with this Critical Patch Update. In addition to a number of security-in-depth fixes, this update contains fixes for 50 security vulnerabilities. Oracle strongly recommends that customers apply CPU fixes as soon as possible. You can read details on the Oracle Software Security Assurance Blog.

Released today is:

  • Java SE 7 Update 13
  • Java SE 6 Update 39
  • JavaFX 2.2.5

Consumers can get the Java Runtime Environment (JRE) from Developers can get the Java Development Kit (JDK) from the Oracle Technology Network.  

Sunday Jan 13, 2013

Java SE 7 Update 11 Released

Oracle has released Java SE 7 Update 11, containing important security fixes. See Oracle Security Alert CVE-2013-0422 to learn more. Oracle strongly recommends that all Java SE 7 users upgrade to this release. Read the Release Notes for additional details about this release. Download Java SE 7 update 11.

A user may control, via the Java Control Panel, the level of security that will be used when running unsigned (also called "untrusted" or "sandboxed") Java apps in a browser. The user may select from five levels of security. See the "Setting the Security Level of the Java Client" documentation to see what the settings do and how users can tighten security. You can also read Henrik Stahl's blog Oracle JDK 7u10 Released with New Security Features.

Because this is an out-of-schedule release remediating security vulnerabilities, going forward Oracle will increment the release number for all subsequent Java 7 releases by two in order to continue having CPUs as odd numbers and limited updates as even numbers. For example, for the next Java CPU release, scheduled for Feb 19, 2013, the JDK 7 release version will be Java SE 7u13.

Monday Dec 17, 2012

Java SE 7u10: Enhanced Security Features and Support for New Platforms

On December 11, 2012 Oracle released Java SE 7 Update 10 (Java SE 7u10). This release includes enhanced security features and support for new platforms.

Enhanced Security Features

The JDK 7u10 release includes the following security enhancements:

  • The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.

For more information, read Henrik Stahl's blog Oracle JDK 7u10 Released with New Security Features and the documentation Setting the Level of Security for the Java Client.

New Supported Platforms

Java SE 7 Update 10 (Java SE 7u10) supports Windows 8 Desktop Mode with IE 10, and Mac OS 10.8. For more information, refer to the Oracle Certified System Configurations page.

Download and Release Notes

Java SE 7u10 is available on OTN Download Page.
To learn more about the release, please see the Java SE 7u10 Release Notes.
For information about the other Java releases last week, read the Java Source blog "Java SE Updates." 

Insider News from the Java Team at Oracle!