A May 30 post on Oracle’s Software Security Assurance blog reviews Oracle’s plans to improve Java’s security.
Step 1 was apparently making sure that Java conforms to Oracle’s software security policies. Without knowing the details, I can only wonder whether the new policies are better or worse than whatever policies were already in place for Java, and whether they are even a good fit for a project like Java. Is it possible that this transition contributed to the recent spate of problems?
Step 2 is to throw more money at Java. Oracle describes this as “increasing investments in Java overall by Oracle”.
Oracle has been working on improving its response time to critical vulnerabilities, which is commendable. The company is gradually coming to realize that scheduled releases just don’t cut it for security issues. These days, vulnerability and exploit details propagate almost instantly, and waiting weeks or months for fixes is unacceptable.
Apparently the use of automated security testing tools has been expanded. Presumably this means going from ‘not used consistently or even at all’ to ‘used on a sensible schedule’.
The article goes into a lot of detail about the general security improvements made in recent Java updates. Good stuff, but not news.
On a positive (and actually news-worthy) note, Oracle is working on further separating Java as it runs in web browsers from Java used in server environments. This and other changes will make distribution and administration a lot easier for IT folks. Server Java will also be hardened in ways that are not practical for web-based Java.
So, not much to see here, although it seems clear that Oracle knows that Java security is a serious problem and is at least making an effort to fix it.