This was a quote from a recent conference call hosted by Oracle (details on the call are here: http://www.scmagazine.com/oracle-speaks-promises-to-get-java-fixed-up/article/277898/ ). In that call, Oracle's full quoted statement is: "The plan for Java security is really simple, it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other."
This sounds very positive, right? With Java 6 rolling into unsupported status soon, and real problems (and no emphatic fix in sight) in Java 7, this sounds like good news for folks who need Java day-to-day in support of real business functions.
Ummm - not so much for me. (Personal opinion follows.) They make it sound like this might be something they can do in a couple of weeks, and fix with a service pack or a version update. When Microsoft was in a similar situation, they shut down development completely and re-tooled their methodology. I think Oracle is in a similar situation right now, but isn't coming clean like Microsoft did back in the day (2002 - it doesn't seem that long ago to me ...).
While the current round of vulnerabilities in Java can certainly be resolved in the current framework, I think that if they don't retool their Development, Test and QA methodologies to place a higher emphasis on security in the final product, we'll be having this same discussion again and again.
Putting a change freeze in for new features would be another excellent thing to do. Given recent events, freezing development for an audit and security effort is likely a really good idea. I get the impression that in the race for new features, there's a significant technical debt on the security side that is coming home to roost.
I think that Oracle, and a few others while we're discussing it, need to take a close look at what Microsoft did those few short years ago, and make some big changes to how things get written and rolled out.
Again, just my opinion. Feel free to set me straight (or even agree with me) in our comment form.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.