Oracle Adds More Jolt To Java Security Procedures

Oracle is still trying to get its Java house in order with new policy changes to the application development platform, changes intended to stem the steady flow of security vulnerabilities that has plagued Java.

In a blog post late last week, Nandini Ramani, head of the software development team that builds the Java platform, acknowledged the problems that have affected Java running in Web browsers and outlined three significant steps her company would be taking to get Java’s security headaches managed.

(See also: Java Is No Longer Needed. Pull The Plug-In)

The most visible change is the addition of another scheduled security update every year for Java, raising the number of scheduled updates from the current three per year to four. The added update has already taken place for 2013: the Critical Patch Update for Java SE released in April.

Beginning with the October 2013 scheduled update, the Java update schedule will align with the quarterly Oracle Critical Patch Update program that’s already in place for every other Oracle product, Ramani explained.

“Obviously, Oracle will retain the ability to issue emergency ‘out of band’ security fixes through the Security Alert program,” she added.

The second change is to the browser trust and privileges model. With the release of JDK 7 Update 21 in April, the default security settings were tightened to “discourage the execution of unsigned or self-signed applets,” Ramani wrote.
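The distinction the new defaults draw is between applets whose JAR carries a signature and those whose JAR carries none (or only a self-signed one). The following is an added illustration, not code from Oracle or from Ramani's post: it performs the structural check that the Java plug-in must make first, whether a JAR has a signature at all. A signed JAR is a zip archive that, alongside META-INF/MANIFEST.MF, contains a signature file (META-INF/NAME.SF) and a matching signature block (META-INF/NAME.RSA, .DSA or .EC). The sample JARs are constructed in memory with placeholder bytes; the check does not verify the signature, and it does not distinguish a self-signed certificate from a CA-issued one, which would require parsing the PKCS#7 signature block. Function and sample names are the author's own choices.

```python
import io
import zipfile

# Signature block extensions recognised in a JAR's META-INF directory.
SIGNATURE_BLOCK_EXTENSIONS = (".RSA", ".DSA", ".EC")


def build_jar(entries):
    """Build a JAR (zip archive) in memory from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def signature_entries(names):
    """Return (signature file bases, signature block bases) found directly
    under META-INF/, compared case-insensitively as jarsigner does."""
    sf_bases, block_bases = set(), set()
    for name in names:
        if not name.startswith("META-INF/"):
            continue
        rest = name[len("META-INF/"):]
        if "/" in rest or "." not in rest:
            continue  # only top-level META-INF files carry signatures
        base, ext = rest.rsplit(".", 1)
        ext = "." + ext.upper()
        if ext == ".SF":
            sf_bases.add(base.upper())
        elif ext in SIGNATURE_BLOCK_EXTENSIONS:
            block_bases.add(base.upper())
    return sf_bases, block_bases


def classify_jar_signature(jar_bytes):
    """Classify a JAR as 'signed', 'unsigned' or 'malformed'.

    Structural check only: a 'signed' result means a signature file and a
    matching signature block are present, not that the signature verifies
    or that the signing certificate chains to a trusted CA.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    if "META-INF/MANIFEST.MF" not in names:
        return "unsigned"  # nothing for a signature to cover
    sf_bases, block_bases = signature_entries(names)
    if sf_bases & block_bases:
        return "signed"
    if sf_bases or block_bases:
        return "malformed"  # half a signature: .SF without a block, or vice versa
    return "unsigned"


# Constructed sample JARs (placeholder contents, not real applets or signatures).
MANIFEST = b"Manifest-Version: 1.0\nCreated-By: example\n"
APPLET_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x33"  # class-file magic + version only

UNSIGNED_APPLET = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "Applet.class": APPLET_CLASS,
})

SIGNED_APPLET = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
    "META-INF/SIGNER.RSA": b"\x30\x82\x00\x00",  # placeholder, not a real PKCS#7 block
    "Applet.class": APPLET_CLASS,
})

# A JAR whose signature block was stripped but whose .SF file was left behind.
STRIPPED_APPLET = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
    "Applet.class": APPLET_CLASS,
})


def classify_samples():
    """Classify the three constructed samples; used for the demonstration below."""
    return {
        "unsigned": classify_jar_signature(UNSIGNED_APPLET),
        "signed": classify_jar_signature(SIGNED_APPLET),
        "stripped": classify_jar_signature(STRIPPED_APPLET),
    }


if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label:>9}: {result}")
```

Under the 7u21 defaults a JAR that classifies as "unsigned" here is the case Oracle set out to discourage; a "signed" result only means the next step, validating the signature and inspecting whether the certificate is self-signed or CA-issued, is worth running. On a real file the equivalent check is `jarsigner -verify -verbose -certs app.jar`, which also performs the cryptographic verification this script omits.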

In addition, Oracle is planning to increase its investment in the Java organization so the team will have “the ability to more quickly respond to reports of 0-days and other particularly severe vulnerabilities.”

Ramani’s blog entry does a good job of outlining the many plans designed to get Java’s security problems under control. What is stunning about these changes is that they took this long to be implemented. Ramani herself raised the issue:

Whenever Oracle makes an acquisition, acquired product lines are required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance. As a result, for example, the Java development organization had to adopt Oracle’s Security Fixing Policies, which among other things mandate that issues must be resolved in priority order and addressed within a certain period of time.

This is all well and good, but given that Oracle started the process of acquiring Sun Microsystems in the spring of 2009 and completed the acquisition 42 months ago in January 2010, that’s a long time to get Java’s security policies aligned with Oracle’s.

It is not clear what caused the delay, but given how widely Java is used, the platform is probably one of the most important technologies, if not the most important, that Oracle picked up with Sun. It would be nice if the company actually started treating it with the priority it deserves.

Image courtesy of Shutterstock.
