Check out this news story that broke earlier in the week: Java flaws are “increasingly targeted by attackers”. This story was filed by IDG News Service from the Black Hat USA 2012 conference, and it points at a trend we’ve also noticed. The world is waking up to the fact that Java is an attractive target. Java applications run the world’s largest organizations (from banks to governments). Where there is Java, there is usually a system worth hacking into. Security professionals are taking note.
During our initial testing of Insight Application Health Check we found that real-world applications at large enterprise contained an average of 32 publicly known security vulnerabilities. Some of these security vulnerabilities were 3s and 4s on the 10 point CVSS scale, but many were 9s and 10s. These are bugs that are easily exploitable over the network which can be used to take ownership of applications and data.
So, think about it. If you develop Java applications, you’ve been relatively isolated from security concerns for years. Java has never been the top attack vector of hackers, and, because of this, developers have never really had to think about scanning artifacts for security issues. It looks like this is changing, and if you want to do something about it, it’s easy. Just run a free summary scan of your application with Insight App Health Check.
Here’s the IDG story, enjoy:
IDG News Service – (International) Java flaws increasingly targeted by attackers, researchers say. Java vulnerabilities are increasingly exploited by attackers to infect computers, and the problem could become worse if Oracle does not do more to secure the product and keep its installation base up to date, according to security researchers who will talk about Java-based attacks at the Black Hat USA 2012 security conference. Several years ago, the most targeted browser plug-ins were Flash Player and Adobe Reader. However, many current Web exploit toolkits rely heavily on Java exploits, said a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research division.