In light of the recent security/data breaches that have been seen in the market of late, I thought it might be interesting to explore the various security aspects of Java.
As I’m not technical myself, this isn’t an opinion piece on whether one of Java’s strengths is security; it’s more of an exploration of how Java and security are tied together, as well as tips on how you can ensure your Java code is as secure as possible.
After sorting through a lot of technical jargon, I felt I was still able to gather some interesting takeaways from my research, and I hope you enjoy those takeaways as you read this.
How Secure is Java?
Although it’s not known for its security features per se, it’s undeniable that the Java development platform has many inbuilt security features. I stumbled across the Java Security package during my reading (you can view it yourself here - https://docs.oracle.com/javase/8/docs/api/ - not that I understood much of it) and found it to have undergone extensive testing. It also seems that it is frequently updated to address any new security vulnerabilities.
The JDK is designed with an emphasis on security: the language itself is ‘type-safe’, it provides automatic garbage collection, it has secure class loading and verification mechanisms, and the Java security architecture includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols.
The JDK also includes a number of providers that implement a core set of security services. It also allows for additional custom providers to be installed. This enables developers to extend the platform with new security mechanisms.
I’d say based off my research that on average, industry professionals tend to think of Java as “secure”, mainly due to the very small number of vulnerabilities that have been identified, especially for such a widely used language.
However, I also came across research conducted in 2019 from WhiteSource -
Many of the security holes that have been found in Java are the result of its popularity. The more widely used a language is, the more likely it is that thousands of bug hunters are dedicated to finding that language’s vulnerabilities. This means that Java is likely to come across as less secure, purely due to its popularity, as it’s a larger target for hackers.
Likewise, the implied security of some newer languages, like Ruby, could reflect their niche usage more than their integrity. These findings could also be due to the fact that Java and C are much older languages that were conceived in a completely different time, when cyber security didn’t have quite the emphasis that it does in today’s day & age.
Java is secure for the following reasons:
Java programs run inside a virtual machine which is known as a sandbox.
Java is moving towards eliminating explicit pointers.
The byte-code verifier checks code fragments for illegal code that can violate access rights to objects.
Java security packages implement explicit security.
Java provides library level safety.
Run-time security checks take place when the user loads new code.
Java Security features
Here are some of the features that make Java more secure:
JVM – The Java virtual machine verifies the byte-code and provides assurance that there are no unsafe operations being executed.
Security APIs - Cryptographic algorithms and authentication protocols are incorporated into these APIs, helping to facilitate secure communication.
Byte code - These are class files generated when the user compiles the Java program; they are tested by the JVM for viruses and malicious files.
Security Manager - This checks the permissions and properties of the classes, ensuring that there is monitoring of the system resources.
Auto Memory Management - This is garbage collection - the JVM manages memory itself minimising the chances of any faults here.
No Concept of Pointers - This stops vulnerability as the use of pointers can sometimes lead to unauthorised read or write operations.
Compile-time Checking - This will flag errors in scenarios where an unauthorised method is trying to access a private variable.
Cryptographic Security – This provides secure communication in the presence of malicious third-parties, otherwise known as adversaries. Encryption uses an algorithm and a key to transform an input into an encrypted output.
Java Sandbox - This is used to provide security for downloading Java applets from the Web.
Exception Handling - Handling is the process of responding to the occurrence of exceptions – anomalous or exceptional conditions requiring special processing – during the execution of a program.
ClassLoader - This is a part of the Java Runtime Environment that dynamically loads Java classes into the Java Virtual Machine.
Best practices for secure Java code
In order to ensure that your code (whether it be in Java or otherwise) is not vulnerable to malicious attacks, every developer should follow these coding standards and best practices to develop their code as securely as possible:
When basing code off of public libraries - only use tried and tested ones.
Avoid Serialisation - Oracle has actually announced a long-term plan to remove serialisation completely.
Always hash user passwords - do not store them as plain text.
Filter sensitive information from exceptions.
Do not log sensitive information.
Be careful not to reveal sensitive information in user Error messages - keep them generic.
Prevent injection attacks - be wary of SQL statements and dynamic SQL etc.
Write your code as cleanly and simply as possible.
In summary, Java is certainly a secure programming language but there is always room for improvement. I’m sure that we will see very interesting updates from Oracle in the coming years as security becomes a bigger and bigger priority for us all. However, for now, if you keep security front of mind whilst programming with Java, keep an eye out for vulnerabilities and take advantage of Java’s security API libraries, I’m sure you’ll be mitigating the risk of malicious attacks quite efficiently. I’m not going to lie, writing this article was a real challenge as a non-technical person, having to wade through lots of technical jargon that I don’t understand. So, if you have any extra insights that you feel will be able to help me understand Java concepts and security better, please feel free to connect with me on LinkedIn and message me for a chat or email me at firstname.lastname@example.org.