Bill is a mathematician, statistician, and Jedi Master aspirant. He works for DZone doing research and defending the office from the Dark Side. He is an avid gamer, wishes that coding exclusively in C was still a viable method of development, and prefers the color green to all others. He's been known to go entire days without speaking. His spirit animal is a platypus. Bill has posted 39 posts at DZone.

Weekly Poll: How Safe is Java?

01.18.2013
In the last week, the Java web plugin was found to have a security exploit severe enough to merit the US Department of Homeland Security broadcasting a security warning and instructing users to disable the popular web browsing plugin until further notice. Oracle's first hotfix of the issue, in fact, did not secure a "green light" from authorities. Concerns are only now easing, after an additional patch has been launched by Oracle.

Oracle's patch on Sunday, January 13, 2013, was an irregular occurrence. Java has long been considered one of the safer platforms available for web content, despite Oracle's track record of letting large security issues wait until their quarterly Java patch. In part due to the unusually large amount of attention this security flaw has drawn, Oracle made the decision to release an emergency patch, but is it too little, too late?

That, it seems, is the question on many people's minds this week: how safe is Java? Java already isn't as sexy as Ruby or Python to the younger generation of emerging developers. So, will this recent political snafu deter even more of the CS grads from using Java in their projects? Will it be too much of a risk for some small or large businesses? Might it send more enterprises over to C# and the .NET realm? Let us know in this week's poll, and see the results so far instantly.
Published at DZone with permission of its author, Bill Armstrong.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)

Comments

Matthias Bläsing replied on Fri, 2013/01/18 - 9:30am

It should be noted that primarily the Java applet browser plugin is the problem. Of course, problems in the sandboxing code are potential problems also in application servers, but there the sandbox is not as crucial as in the plugin part. For standalone applications nothing really changes - the cases in standalone programs where I have seen the security manager used are enforcement of rules, not real security.

Comparing Java applets to Python/Ruby is a no-go, as there is nothing similar for both languages in the wild. For .NET/C# I assume ActiveX is the closest match to Java applets, and not even our Windows admins think activating ActiveX is a really good idea.

And regarding security - it's not as if ruby (ok with rails) has got too much good press recently.

Bill Armstrong replied on Fri, 2013/01/18 - 10:03am

Thanks for responding. I do feel that I made it clear that the latest security flaw was specifically in the Java web plugin. However, we know that when public opinion turns against a particular subject, the specifics can begin to be less important. If someone is programming in Java "server-side" and the issue is "client-side", and only then through a plugin, it shouldn't be too much of an issue to the programmer. But companies won't want to be associated with the object bearing bad press, and may migrate to a different platform entirely to dissociate from it.

This question, as a whole, is primarily concerned with Oracle and their reaction to issues, and how the computing industry will react to them. To bring up Python or Ruby is, admittedly, a little bit of an apples-to-oranges comparison, but those languages are quite growing in popularity amongst younger programmers. That demographic doesn't need much more reason to choose something other than Java, and this issue could be the tipping point for many of them.

Reza Rahman replied on Fri, 2013/01/18 - 11:06am in response to: Bill Armstrong

As the results from the survey indicate, I think the reaction in the Java community itself is quite sober, since most Java developers worth their salt know Java has had an excellent security track record for years, compared to say Windows or ActiveX (something I think responsible technologists should point out, as members of the tech press have). Programming language/industry politics aside, here is a pretty good technical analysis of the actual issue: http://timboudreau.com/blog/read/The_Java_Security_Exploit_in_(Mostly)_Plain_English.

Bill Armstrong replied on Fri, 2013/01/18 - 11:08am in response to: Reza Rahman

The blog post you linked to was actually being passed around the office earlier in the week. I was half-considering linking to it in the article, so I'm glad that you volunteered it.

Thinking about what you've said, I've decided to modify the article for clarity, so that it's clearer that Java has long been considered safe, despite Oracle's equally long track record of slow updates. In an industry where monthly (or often even more frequent) updates are the norm, 4 times a year is certainly less often than average. That the JDK continues to function using this schedule displays that it is relatively quality, even as it showcases Oracle's non-standard update schedule and (occasionally) slow reaction to threats.

Reza Rahman replied on Fri, 2013/01/18 - 12:00pm in response to: Bill Armstrong

Thanks for the clarification.

I have to say I'm not sure the remark on turnaround time for Oracle is entirely justified. The way JVM releases are handled has not changed much in years. It's pretty much the same as it had been under Sun. If anything, the JDK team acted faster as your post indicates (in three days flat). It's no secret that Oracle is very serious about security across all of its product lines. Now, you can of course make the argument that things should change further under Oracle. In fact, to some degree they are. Take a look at Steve Harris' comments on speeding up Java releases: http://newsle.com/article/0/54769464/. You can also argue that Oracle's official press relationships are not that stellar and I would agree with you...

All views voiced are my own, not necessarily Oracle's.

Ant Kutschera replied on Wed, 2013/01/23 - 5:54am

"That, it seems, is the question on many people's minds this week: how safe is Java? Java already isn't as sexy as Ruby or Python to the younger generation of emerging developers."

Seeing as they can't create applets using Ruby or Python, this is a poorly worded paragraph.

And who writes applets anyway?  That is so 90s.

Reza Rahman replied on Thu, 2013/01/24 - 5:33pm

The lead for Oracle Security, Martin Smith, and Donald Smith from the OpenJDK team had a conference call with worldwide JUG leaders. The recording of the meeting is available here: http://java.net/projects/jugs/downloads/download/Jan24_JUGLeaderCall.mp3. This was a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues. As Donald and Martin indicate on the call, we can expect this to be the tip of the iceberg of what will be done on the Java Security and communication fronts.

All views voiced are my own, not necessarily Oracle's.
