Java's recent security woes are not scaring off developers, who don't see Java as any more vulnerable than any other platform. "There's nothing fundamentally wrong with Java," says Gonzalo Diethelm, in charge of architecture and development at the Chilean central security depository, DCV.
He is not planning to abandon Java in response to security concerns. Such suggestions are "just creating bluster," concurs Shaun Woodrow, director at the Corporate Action Company business software firm. Other developers at the JavaOne technical conference in San Francisco this week also remain confident in Java, which has had several security problems discovered lately, including the Flashback Trojan that affected more than 600,000 Macs and a weakness found in the platform's sandbox security mechanism.
[ Also at JavaOne, Oracle officials pitched upcoming Java upgrades, even as these have had important features postponed. | Think you know Java? Test your programming smarts in InfoWorld's Java IQ test. | Subscribe to InfoWorld's Enterprise Java newsletter for more Java news. ]
Not all security issues applicableSome developers noted that Java applet security has been a particular problem but these issues weren't applicable at many user sites. For example, the recent sandbox security problem was an applet issue, but most Java deployments are server side these days, says Richard Warburton, a Java developer with jClarity, an application performance monitoring startup. "[The sandbox issue] isn't actually something that affects most people." A lot of corporate environments already have disabled applet capabilities in the browser, he says.
Par Siko, a developer at the Jayway consulting firm, adds, "Java is really big on the server side, and I don't think security's a big issue on the server side."
At Barclays Bank, security testing is done to make sure systems are safe. "We have constant penetration testing and security testing. We bring in third-party companies to perform that for us," says Gareth Nolan, a technical architect at Barclays.
A developer at Sandia National Laboratories pointed out his systems are isolated from intruders anyway. "I'm not terribly familiar with [Java's recent] security issues, but I tend to develop for ether stand-alone or things that reside on small, unconnected local area networks," says technical staff member Benjamin Lawry.
Vigilance still advisedAlthough developers are not sweating over the security problems (Siko, for example, says his company will increase its use of Java), they nonetheless see the need for users and Oracle to be vigilant." Security is going to be an issue no matter what," says Woodrow. "People are going to have to focus and tighten up a little more anyway. [But] I wouldn't say [security] was an issue specifically for Java."
Siko stresses the importance of bug and security fixes, noting, "Fixing the security issues quickly, that's important, and I'm not sure if [Oracle] has done such a good job there."
The issue of Java security came up during an Oracle press conference at JavaOne on Wednesday, with Oracle officials emphasizing security as a priority. "In general, we've been investing in Java all over the board and security is one of those areas," says Georges Saab, vice president of development for Java Platform, Standard Edition (Java SE) at Oracle.
