According to TIOBE.com, “Java is now almost 4.5% ahead of the rest of the pack. We have to go back to 2008 to see such a big difference between Java and the number 2 of the TIOBE index. Java version 8 is clearly a success. This is mainly thanks to the functional programming idiom in this latest version.” In addition to helping programmers build a variety of software applications rapidly, Java 8 also comes with a number of features to protect applications from various security threats and attacks.
Programmers always ask us: Is Java secure enough for developing enterprise applications? From the beginning, the Java platform has had a strong focus on security. The strong security features also contribute towards making Java the most popular programming language of 2015. So it is important for Java programmers to understand how secure Java is and how to use its security features while writing code on the Java platform.
How Secure is Java: Overview of Security Features of Java Platform
Java Virtual Machine
Programs run on the Java platform in binary form, as intermediate bytecode. The Java Virtual Machine (JVM) checks this bytecode thoroughly to prevent the program from performing operations that are not safe. In addition to preventing the program from performing a number of unsafe operations, the JVM also eliminates the chance of memory-safety issues. The JVM further completely prevents manual control over allocation or deallocation of memory, and compels programmers to use the automatic garbage collection provided by the Java platform. At the same time, the JVM also boosts the application’s security through optimized type safety and memory safety.
The Java platform further provides developers with an advanced security manager. Programmers can use the security manager to run untrusted bytecode in a sandboxed environment, so the untrusted bytecode cannot access specific features and APIs. Developers can use the security manager to prevent untrusted bytecode from accessing local files, communication networks, or specific objects. At the same time, they can also use the security manager to sign Java programs cryptographically. Thus, the Java program will run only after the digital signature from a trusted entity has been verified.
A Set of Security APIs
Java programmers also have the option to use a set of security APIs provided by the Java Class Library. Thus, they can easily use the appropriate security API to protect the application from specific security threats. For instance, they can use security APIs related to authentication, communication protocols, standard algorithm implementations, and public key infrastructure. The APIs allow programmers to implement both standard algorithms and security services in a flexible way. They can implement services in providers plugged into the Java platform through a standard interface, so the Java application can easily access third-party services regardless of their implementation. The Java platform further offers a number of providers that can be used for implementing core security services.
Java application developers can encapsulate security providers using the java.security.Provider class. Thus, it becomes easier for them to specify the name of the security provider along with details of the security services implemented by it. They also have the option to configure multiple security providers and list them in order of preference. Thus, each time a security service is requested, the provider with the highest priority will implement it automatically. The Java platform further includes a number of default providers. These providers are configured in advance to implement specific security services. Developers can use the default providers to secure their applications without any extra effort.
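The preference order described above can be inspected at run time. The following is an added example, not code from the original article: it lists the installed providers in order and checks that the services an application relies on resolve to the provider it expects. The class name ProviderAudit and the expected provider names (the defaults on Oracle JDK and OpenJDK) are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ProviderAudit {
    // First installed provider, in preference order, that implements the service.
    // An unqualified getInstance(algorithm) call starts from this provider; engines
    // that take a key (Cipher, Signature) may defer the final choice until init.
    static String firstProviderFor(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {   // returned in preference order
            if (p.getService(type, algorithm) != null) return p.getName();
        }
        return null;   // no installed provider offers the service
    }

    // Compare what the JVM would pick against what the application expects.
    static List<String> audit(Map<String, String> expected) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, String> e : expected.entrySet()) {
            String[] svc = e.getKey().split("/", 2);   // key format: "Type/Algorithm"
            String actual = firstProviderFor(svc[0], svc[1]);
            if (!e.getValue().equals(actual)) {
                findings.add(e.getKey() + ": expected " + e.getValue() + ", resolved to " + actual);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ". " + installed[i].getName());
        }
        // Constructed expectations (assumption: stock Oracle JDK / OpenJDK provider names).
        Map<String, String> expected = new LinkedHashMap<>();
        expected.put("MessageDigest/SHA-256", "SUN");
        expected.put("CertificateFactory/X.509", "SUN");
        expected.put("SSLContext/TLS", "SunJSSE");
        List<String> findings = audit(expected);
        System.out.println(findings.isEmpty() ? "all services resolve as expected" : findings);
    }
}
```

A finding here means a provider placed earlier in the list now serves that algorithm, which is worth reviewing before trusting the result of any cryptographic call.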
Built-in Tools for Keys, Key Stores and Certificates
Java programmers also have the option to use two built-in tools to create and manage keys, certificates and key stores more effectively. They can use keytool to create and manage key stores efficiently. Keytool has features to generate self-signed certificates, private/public key pairs, and certificates based on certification requests. Likewise, the jarsigner tool enables programmers to sign JAR files and verify signatures on signed JAR files. Normally, a JAR file contains class files and other auxiliary resources related to the Java application or applet. These two tools make it easier for programmers to check and protect key aspects of the Java application.
Perform User Authentication
The developers can further authenticate users easily using APIs provided by the Java platform. These APIs help the Java application to determine the identity of a user through pluggable login modules. Each time the application calls the LoginContext class, the class refers to the configuration which describes the specific login module for use. Thus, the programmers can simply specify the login module in the configuration to perform the actual authentication. The API can be further used independently without relying on other plug-ins. So the login modules do not require modification when a new or updated plug-in is added to the Java application.
Secure Communication Protocols
While writing web applications in Java, developers have to ensure that users' sensitive information remains secure and inaccessible during network transfer. In addition to ensuring that the sensitive data goes to the right party, they also need to ensure that the data remains intact during transmission. The Java platform makes it easier for programmers to secure data transfer by providing specific APIs. The APIs help developers implement secure communication protocols. For instance, they can use the APIs for the SSL and TLS protocols or the Simple Authentication and Security Layer (SASL) protocol. Likewise, they can use the Generic Security Service Application Programming Interface (GSS-API) to give the application uniform access to security services over a variety of underlying security mechanisms.
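For the TLS API mentioned above, the following added example (not from the original article) configures a client-side SSLEngine so that data reaches the right party and only TLS 1.2 or later is offered. The class name TlsClientConfig and the host example.com are placeholders, and no network connection is made.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsClientConfig {
    // Client-side engine for host:port that offers only modern protocol versions and
    // checks the server certificate against the host name during the handshake.
    static SSLEngine clientEngine(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key managers, trust store and random source
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        // Keep only versions this JVM supports (TLSv1.3 is not available on every Java 8 build).
        List<String> wanted = new ArrayList<>(Arrays.asList("TLSv1.3", "TLSv1.2"));
        wanted.retainAll(Arrays.asList(engine.getSupportedProtocols()));
        if (wanted.isEmpty()) throw new IllegalStateException("no TLS 1.2+ support in this JVM");

        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(wanted.toArray(new String[0]));
        // Not set by default on SSLEngine or SSLSocket: without it the certificate chain
        // is validated but the name in the certificate is never compared with the host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = clientEngine("example.com", 443);   // placeholder host
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("endpoint check: "
            + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```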
Access to Sensitive Resources
To make Java applications secure, programmers have to restrict access to sensitive resources and application code. The Java platform enables programmers to implement a variety of access controls through the java.lang.SecurityManager class. However, developers must install the SecurityManager as part of the Java runtime installation. After proper SecurityManager installation, users can easily activate the access control checks. The class loader loads Java code into the runtime. While loading the code, the class loader automatically adds relevant information to it. This information helps the system identify where the code was loaded from, who signed it, and whether any default permissions are granted to it. Users can also add further information to the code to prevent all unauthorised access.
Oracle often stops providing security fixes for older versions of Java. Oracle recently stopped providing bug fixes and security fixes for Java SE 7. So users must switch to the most recent version of Java to avail themselves of the security features and enhancements. However, Oracle is always serious about optimizing the Java security model and fixing security issues without any delay.