Java is often associated with security vulnerabilities. Should one steer clear of this language? What speaks for the technology? Let’s take a good look at it together.
Java can be regarded as the whipping boy among programming languages. Some are desperate to learn it, others would like to see it fail. I came into contact with the technology while I was still studying – a long time
The basic idea behind Java
Developing software that can run on different devices is not only an issue with iOS and Android. More than 20 years ago, a solution was sought that would allow
Java is (for the time being) not machine code
Programs developed with Java are only compiled once and can then be used on different systems with Linux, Windows or Mac OS X. For this to work, they are not executed directly by the hardware of the computer, but by a virtual machine included, for example, in the Java Runtime Environment (JRE).
Virtual machines are generally not as efficient as programs that are developed in C or C++, for example, and run as machine code. This was particularly noticeable in the early days of Java, especially since the hardware back then was generally much slower than today’s.
Optimizations to the virtual machine, which also gained a just-in-time (JIT) compiler, remedy this. The just-in-time compiler generates machine code during execution, which the hardware can then execute directly.
In addition to desktop computers and servers, Java can also be found on mobile devices such as PDAs, on TVs or set-top boxes, and it reaches further devices through the Internet of Things. An embedded Java runtime is used on such devices, for example Oracle’s Java Micro Edition (Java ME), for which a suitable software development kit (SDK) exists for programming the applications.
Java and security
The promise that Java would be not only platform-independent but also secure has suffered over the years. Security holes surface all the time. A look at the National Vulnerability Database (NVD) shows 51 entries for Oracle Java in 2016, 13 of which are critical. By comparison, the C++ programming language looks much better with 6 entries, 5 of them critical. The same goes for .NET with 11 entries, none of which is critical. Java is, however, beaten in the statistics by PHP: the scripting language popular with web developers has a total of 442 entries in the NVD for 2016, of which 112 are classified as critical.
But security holes shouldn’t be looked at in isolation. Although C looks good in the NVD, applications written in C can suffer from buffer overflows and therefore pose a security risk. This is because C is built primarily for performance and does not take over tasks that Java handles automatically; C demands more from the developer in this regard. Depending on the developer’s skills, this may well create security holes in the applications themselves, and whether those are discovered and fixed again depends on the developer.
As the NVD statistics show, bugs do turn up in Java, and ideally they are fixed with the next update of the runtime environment. Because Java is a living project, it is maintained and developed further.
Be careful with the browser plug-in
There are some security issues associated with having a Java environment installed as a browser plugin. This is not a security flaw in the classical sense, one that results from faulty programming. After all, the Java plugin is supposed to execute, in the browser, a Java applet that resides on a server.
However, the plugin can also execute malicious programs if you land on a specially prepared website. To be safe, you should disable the Java plugin in the browser or, better still, uninstall it right away. Incidentally, since Java version 9 Oracle also regards the Java plugin as outdated technology and, as of this release, no longer ships it with the Java SE development environment or the Java Runtime Environment (JRE).
In principle, if you want to develop software with Java, all you need is a text editor and the Java Development Kit (JDK), which contains the tools for compiling and running your programs. The JDK includes the command-line compiler javac, which generates a .class file from the Java source code in a .java file. The .class file contains the Java bytecode, which can be executed in a virtual machine with the java command.
Installing the JDK is usually not necessary for Linux users: on distributions such as Ubuntu or Debian, OpenJDK comes preinstalled as an open source development environment for Java. Alternatively, for Linux as well as for Mac OS X and Windows, Oracle’s Java Standard Edition (Java SE) development environment can be installed, which now includes the software
After installation, the JAVA_HOME, CLASSPATH and PATH environment variables may need to be adjusted so that the system can find your own Java classes and the Java tools.
To document the classes you write, the JDK provides the javadoc tool. Oracle itself uses it for the Java API documentation. It presents the information as HTML and covers all existing classes, including those for graphical interfaces, network interfaces, certificate management, time, and encryption.
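As an added example (not code from the original article), here is a small Java program that inspects the header of the .class file javac produces: it checks the 0xCAFEBABE magic number every class file starts with and reads the class-file version, which tells you which Java release the bytecode targets. The version-to-release mapping in the code (52 = Java 8, 53 = Java 9, 55 = Java 11, 61 = Java 17) is my addition, not something the article states.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Reads the 8-byte header of a Java class file: magic number (4 bytes),
 * minor version (2 bytes) and major version (2 bytes). Useful for confirming
 * that a file really is Java bytecode and which runtime release it needs.
 */
public class ClassFileInspector {

    static final int CLASS_MAGIC = 0xCAFEBABE;

    /** Validates the magic number and returns the major class-file version. */
    static int readMajorVersion(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        int magic = data.readInt();                 // bytes 0-3, big-endian
        if (magic != CLASS_MAGIC) {
            throw new IOException(String.format(
                "not a Java class file (magic 0x%08X)", magic));
        }
        int minor = data.readUnsignedShort();       // bytes 4-5
        int major = data.readUnsignedShort();       // bytes 6-7
        System.out.printf("class file version %d.%d%n", major, minor);
        return major;
    }

    /** Maps a major version to the JDK release whose javac emits it (assumed table). */
    static String releaseFor(int major) {
        switch (major) {
            case 52: return "Java 8";
            case 53: return "Java 9";
            case 55: return "Java 11";
            case 61: return "Java 17";
            default: return "Java " + (major - 44); // holds for Java 5 (49) and later
        }
    }

    public static void main(String[] args) throws IOException {
        // Inspect this program's own bytecode, located next to the running class
        // (after: javac ClassFileInspector.java && java ClassFileInspector).
        try (InputStream in = ClassFileInspector.class
                .getResourceAsStream("ClassFileInspector.class")) {
            if (in == null) {
                throw new IOException("own .class file not found on the classpath");
            }
            System.out.println("compiled for " + releaseFor(readMajorVersion(in)));
        }
    }
}
```

If the JDK used to compile is newer than the JRE that runs the file, the java command rejects the class with an UnsupportedClassVersionError, which is the check this header makes possible.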
Paid features at Oracle
If you download Java Standard Edition (Java SE) with the Java Development Kit (JDK) from Oracle, you also get commercial (paid) Java features. However, costs are only incurred if developers actually use them; in that case royalties are owed to Oracle. This also applies to internal use.
Alternatives to Oracle
Any developer who has concerns about Oracle’s licensing policy can turn to other Java implementations such as the Open Java Development Kit (OpenJDK), J9, IcedTea or Zulu.