Last Updated: 2013-01-29 21:24:59 UTC
by Rob VandenBrink (Version: 1)
This was a quote from a recent conference call hosted by Oracle (details on the call are here: http://www.scmagazine.com/oracle-speaks-promises-to-get-java-fixed-up/article/277898/ ). In that call, Oracle's full quoted statement is “The plan for Java security is really simple, it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”
This sounds very positive, right? With Java 6 rolling into "unsupported" status soon, and real problems (and no emphatic fix in sight) in Java 7, this sounds like good news for folks who need Java day-to-day, in support of real business functions.
Ummm - not so much for me. <personal opinion follows> They make it sound like this might be something they can do in a couple of weeks, and fix with a service pack or a version update. When Microsoft was in a similar situation, they shut down development completely and re-tooled their methodology. I think Oracle is in a similar situation right now, but isn't coming clean like Microsoft did back in the day (2002 - it doesn't seem that long ago to me ...)
While the current round of vulnerabilities in Java can certainly be resolved in the current framework, I think that if they don't retool their Development, Test and QA methodologies to place a higher emphasis on Security in the final product, we'll be having this same discussion again and again.
Putting a change freeze in for new features would be another excellent thing to do. Given recent events, freezing dev for an audit and security effort is likely a really good idea. I get the impression that in the race for new features, there's a significant "technical debt" on the security side that is coming home to roost.
I think that Oracle, and a few others while we're discussing it, need to take a close look at what Microsoft did those few short years ago, and make some big changes on how things get written and rolled out.
Again, just my opinion. Feel free to set me straight (or even agree with me) in our comment form.