7 steps to securing Java

Warnings from Homeland Security should prompt security pros to harden enterprise nets against Java-based exploits

Java, the popular OS-independent platform and programming language, runs on just about every kind of electronic device imaginable, including computers, cell phones, printers, TVs, DVDs, home security systems, automated teller machines, navigation systems, games and medical devices.

In response to successful Java-based exploits against companies like Twitter, Facebook, Apple and Microsoft, and continued concern over “zero-day” security flaws that could allow an attacker to remotely execute malicious code that could compromise vulnerable systems., the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) has issued multiple security advisories concerning Java.

In the advisories issued to date, DHS recommends disabling Java in web browsers. In response, Oracle, which took over Java when it bought Sun, has released a number of patches, some out-of-band (earlier than scheduled), and in a recent patch made changes to how Java applets are handled within web browsers.  

In general, warnings potential security threats are nothing new and most network security managers consider them to be part of the daily IT landscape. The usual solution is to patch systems with vendor-supplied updates and follow vendor recommendations for best practices. However in this case, the advice to disable or uninstall the product, issued not by the vendor, but instead by governmental authorities and other third parties, creates an unusual set of challenges for organizations.

So, here are seven steps you can take to protect your network against Java-based exploits. Given its ubiquity, completely removing Java is probably out of the question for most organizations. But here’s a seven-step action plan that won’t necessarily guarantee security, but will help mitigate threats by creating awareness, hardening systems and reducing attack vectors.

1.  Perform an impact analysis

To continue reading this article register now

The 10 most powerful companies in enterprise networking 2022