Scott Sellers, co-founder and CEO at Azul
Hunting and fixing Java vulnerabilities can leave development and security teams feeling like they’re playing the world’s largest game of “Whac-a-Mole,” complete with moving targets and constant alerts. It can be exhausting, quite frankly, and the expended time and effort can turn a normal activity into an entrenched problem.
The battle is certainly not getting any easier for organizations. First, there’s the sheer number of reported flaws – of the 23,000 vulnerabilities disclosed in 2023, about 10% of them affected Java applications.
Adding to the complexity is that while the vast ecosystem of Java-based libraries, frameworks, and tools are often open-source, a clear strength of the Java platform, they also have a wider “blast radius” when attacked.
That’s what happened in 2021 with Log4j, widely considered one of the most critical zero-day vulnerabilities ever. Nearly 80% of businesses reported having been impacted, with about half affected indirectly by the extra time required of their development teams. But even though development and security teams spent hundreds (if not thousands or more) of hours hunting down vulnerable versions of Log4j, a recent report found that more than a third of Java applications still use vulnerable versions.
On the one hand, identifying and responding to dangerous flaws in a time-efficient manner should be a top priority for CIOs. On the other hand, how is that possible, given limited DevOps team bandwidth and the distracting problem that security scanning tools are still so noisy that many groups tune them out? The good news is that there are some concrete steps CIOs can take to fortify application security across their entire Java estate more efficiently:
- Monitor production stacks. Consistently monitor your software in production to ensure you are not running vulnerable code. Running vulnerability scanners and Software Composition Analysis (SCA) in the development and build phases is not sufficient to ensure all first- and third-party code is secure. Patching vulnerabilities found in production and upgrading to the latest secure versions of third-party components should be an ongoing priority. Implement processes to verify and update authenticity while enabling alerts from sanctioned maintainers.
- Conquer alert fatigue. The majority of respondents in the Orca Security Cloud Security Alert Fatigue Report said they use no less than five or more public cloud security tools. Multiple siloed tools tend to report on the same issues, dramatically increasing the number of false positives. Java engineers are left wondering, “If the tools always say so much is vulnerable, why should we bother?” Often, developers and security personnel spend hours on calls with security vendors and ISVs discussing a vulnerability, only to later learn the flagged vulnerability is never actually run — a terrible drain on productivity. The Orca Security study also found that the overwhelming number of alerts is highly disruptive for teams, careers, and business outcomes — 62% said alert fatigue has contributed to turnover, and 60% said alert fatigue created internal friction.
- Think of an improvement to Java as an improvement to operations. Today’s businesses are under pressure to innovate, accelerate time to market, and ensure application security while being asked to do more with less. Improving the speed and security of Java applications has a direct impact on operations. Companies in the top quartile of McKinsey’s Developer Velocity Index (DVI) delivered 60% higher total shareholder returns and maintained 20% higher operating margins than bottom-quartile companies. They also grew 4-5x times faster and scored 55% higher on innovation.
The Java ecosystem remains one of the most vibrant and widely used platforms for building enterprise applications. Staying ahead of Java vulnerabilities requires a comprehensive strategy that combines proactive monitoring, intelligent alert prioritization, and an understanding that secure, high-performing Java applications are essential for operational excellence. CIOs who make it a priority will be well-positioned to outpace competitors while delivering the modern, secure applications that power their digital business initiatives.
Learn how Azul can help your organization run Java securely.
