AppSec California 2015

Java is one of the longest standing and most widely deployed enterprise programming languages in the world. It is also frequently attacked due to its numerous and well documented security vulnerabilities, many of which have a very high CVSS (Common Vulnerability Scoring System).

This problem is amplified by the fact that countless data center applications are still running on older, legacy versions of the platform. Although the original promise of Java was application portability, in reality most core enterprise applications were written for execution on a specific version of Java, and that’s where they’ve stayed.

This session will discuss the two primary reasons that legacy Java security risks persist, namely the cost of mitigation and operational impacts. The obvious way to deal with legacy Java issues is to update the Java runtime. But this process is costly since it requires extensive application modifications, testing and re-qualification. Meanwhile, the risk of downtime is an even bigger problem. No matter how much testing is done, it’s impossible to guarantee that changes to the application will not break it.

Using several documented Java server vulnerabilities, the speaker will explain and evaluate the merits of the current approaches to addressing them, including network based tools, code analysis and run-time application self-protection. Attendees will gain a deeper understanding of legacy Java security risks, the alternatives available to address them and how to choose the right approach for their particular application environment.