What is security debt?
“Technical debt,” a metaphor coined by agile programming pioneer Ward Cunningham, describes the deficit created by shortcuts and unresolved issues during initial software development. If this “debt” is not paid off by improving the code, it eventually becomes a large burden and a potential obstacle to further progress on the program.
An aspect of technical debt that’s receiving increasing attention is security debt. Security debt refers to a build-up of vulnerabilities that go unaddressed during development, generally through lack of sufficient security planning in the Software Development Life Cycle (SDLC). While it may save development time initially, the security debt must be paid back at some point. And, as the debt burden continues to accumulate, it becomes even more difficult to protect programs and data.
With security debt, the future cost is not just the price of development work or delays but the risk of security breaches, losing consumer trust, and regulatory fines.
Why is Java code security an issue?
Invented by a team at Sun Microsystems in the early 1990s, Java’s cross-platform portability made it a programming language of choice for developers. It remains one of the world’s most popular languages: the Android app ecosystem is built around Java and the JVM, and innumerable desktop and server applications are written in it. Most enterprises run at least one Java-built application, often as a business-critical asset.
Java provides many advantages for software developers and vendors: it’s a high-level language with a simple syntax, its object-oriented structure makes it easy to create modular programs and reusable code, and Java applications are highly portable and run virtually everywhere. Considerable problems exist, however, with Java code security. While the Java platform itself contains many security features, coding always carries the risk of introducing vulnerabilities. The ubiquity and popularity of Java applications means many opportunities to introduce security flaws. It also means that Java applications receive more scrutiny from attackers searching for ways to breach application defenses than applications written in less common languages.
Open-source libraries are one major area of weakness in Java code security. Most Java applications include dozens of library dependencies. In fact, a recent report by Veracode found that third-party code makes up 97% of a typical Java application. Since many of these libraries contain known vulnerabilities, a flaw in one widely used library propagates to every vendor and app that depends on it.
How attackers exploit Java code security flaws
Because Java components are so widely shared, the same flaws recur across applications; industry estimates put nearly 90% of Java applications as vulnerable to attack. Java code vulnerabilities have been involved in some of the biggest data breaches, such as the Equifax breach, which exposed the records of 143 million Americans (Equifax’s initial figure, later revised upward). Other examples of attacks that can be traced to Java code security weaknesses include:
- Apache Struts 2: The Equifax breach itself exploited a remote code execution vulnerability (CVE-2017-5638) in this Java web application framework; the same flaw put thousands of other Struts-based apps at risk.
- Using Java to bypass antivirus software: Malware written in Java ships as bytecode executed by a legitimate Java runtime, which lets it evade antivirus products whose signatures and heuristics focus on native executables.
- Bouncy Castle: A flawed password-comparison routine in the Bcrypt implementation of this widely used Java cryptographic library (CVE-2020-28052) could accept incorrect passwords as matches, making it easier to brute force passwords hashed with Bcrypt.
- Supply chain attacks: Open-source components are popular for speeding up the development process, with 1.5 trillion download requests in 2020. Unfortunately, an estimated 10% of all Java open-source components contain vulnerabilities.
- PonyFinal: Java-based, human-operated ransomware. It does not exploit a flaw in the Java Runtime Environment; rather, the attackers deploy a JRE on compromised hosts so the Java payload can run, which is another way Java’s ubiquity works in an attacker’s favour.
Intertrust improves Java code security
Many organizations lack the resources to pay down the Java code security debt their applications hold, or even to keep up with the interest. This especially holds true for legacy software, where it quickly becomes infeasible to address even just the critical vulnerabilities. Often such applications are foundational to a company’s core business, so they cannot easily be removed from the tech stack, yet they represent a major source of risk.
Code vulnerabilities can be exploited to steal confidential data, misuse system resources, interfere with operation, serve as a launching point for further attacks, and carry out other malicious activities. Given that it’s impossible to eliminate every vulnerability and design flaw, it’s critical to shield your Java applications from attack.
Intertrust’s in-app protection solution, whiteCryption Code Protection, supports all Java applications including those running on Android, Linux, Windows, and other traditional platforms. Code Protection embeds multiple layered defense mechanisms within your software to mitigate the risks from Java code security flaws, including:
- Tamper resistance: Anti-tampering protections, such as overlapping checksum checkers that repeatedly verify the app’s integrity at runtime, so that modified code is detected. Because the checkers cover one another, disabling a single check is not enough to defeat them.
- Debugging protection: Our debugging protection lets an app recognize when it is being run under a debugger (a JDWP agent, for example) so it can take defensive action.
- Analysis prevention: A number of defense strategies can be deployed to frustrate attempts to reverse engineer an application’s code, including advanced code obfuscation and environmental checks.
- Binary packing: In this strategy, an application’s code is stored encrypted and only decrypted at runtime, so attackers cannot perform static analysis on the on-disk binary. They must instead run the app and recover the code from memory, which the tamper and debugging checks above are designed to detect.
- Customizable defense responses: When an attack attempt is recognized, you can program the app to take specific defensive actions, such as blocking account access, stopping execution, or deleting sensitive data, to suit the level of threat.
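To make the tamper-resistance, debugger-detection and defensive-response mechanisms listed above concrete, here is an added example of the simplest form of each, written for this page; it is illustrative code, not whiteCryption’s implementation. It hashes its own bytecode and compares the digest with a value pinned at build time, detects a JDWP debug agent in the JVM’s launch arguments, and refuses to run when either check fails. The pinned digest is supplied through a hypothetical system property named `selfcheck.sha256` (an assumption made for this example, so that the pinned value is not itself part of the hashed bytes); the class name `SelfCheck` and the `Verdict` enum are likewise the example’s own. It needs Java 17 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.List;

/**
 * Illustrative self-checks of the kind an in-app protection layer embeds
 * (added example; not whiteCryption's implementation).
 *   1. Integrity: hash this class's own bytecode and compare it with a digest
 *      pinned at build time. The pinned value arrives via the hypothetical
 *      system property selfcheck.sha256 so it is not part of the hashed bytes.
 *   2. Debugger: detect a JDWP agent among the JVM's launch arguments.
 *   3. Response: refuse to run when either check fails.
 */
public final class SelfCheck {

    enum Verdict { OK, TAMPERED, UNPINNED, DEBUGGER }

    /** SHA-256 of SelfCheck.class as loaded from the classpath, as lowercase hex. */
    static String classDigestHex() throws IOException, NoSuchAlgorithmException {
        String resource = SelfCheck.class.getSimpleName() + ".class";
        try (InputStream in = SelfCheck.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("class bytes not found on classpath: " + resource);
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
            return HexFormat.of().formatHex(md.digest());
        }
    }

    /** Constant-time comparison so timing does not reveal how many bytes matched. */
    static boolean digestMatches(String expectedHex, String actualHex) {
        return MessageDigest.isEqual(
                expectedHex.getBytes(StandardCharsets.US_ASCII),
                actualHex.getBytes(StandardCharsets.US_ASCII));
    }

    /** True if the JVM was launched with a JDWP agent (-agentlib:jdwp=... or -Xrunjdwp:...). */
    static boolean debuggerAttached(List<String> jvmArgs) {
        for (String arg : jvmArgs) {
            if (arg.contains("jdwp")) {
                return true;
            }
        }
        return false;
    }

    /** Combines the checks into one verdict; kept free of side effects so it is easy to test. */
    static Verdict evaluate(List<String> jvmArgs, String expectedHex, String actualHex) {
        if (debuggerAttached(jvmArgs)) {
            return Verdict.DEBUGGER;
        }
        if (expectedHex.isEmpty()) {
            return Verdict.UNPINNED;
        }
        return digestMatches(expectedHex, actualHex) ? Verdict.OK : Verdict.TAMPERED;
    }

    public static void main(String[] args) throws Exception {
        List<String> jvmArgs = ManagementFactory.getRuntimeMXBean().getInputArguments();
        String expected = System.getProperty("selfcheck.sha256", "").toLowerCase();
        String actual = classDigestHex();
        Verdict verdict = evaluate(jvmArgs, expected, actual);
        System.out.println("self-check: " + verdict + " (sha256 of SelfCheck.class = " + actual + ")");
        switch (verdict) {
            case DEBUGGER, TAMPERED -> System.exit(2);  // defensive response: refuse to run
            case UNPINNED -> System.out.println("pin it with -Dselfcheck.sha256=" + actual);
            case OK -> System.out.println("integrity verified and no debugger; continuing");
        }
    }
}
```

Compile with `javac SelfCheck.java` and run `java SelfCheck` once to obtain the digest (verdict UNPINNED), then `java -Dselfcheck.sha256=<digest> SelfCheck` for OK; recompiling after any change to the source yields TAMPERED, and adding `-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005` to the command line yields DEBUGGER and exit status 2. Two limitations are exactly what a commercial tool exists to close: a single checker is a single patch point, whereas a product embeds many checkers that also cover one another’s code and patches the expected digests into the binary after the build rather than reading them from a property; and a debugger or JVMTI agent attached after startup through the attach API does not appear in the launch arguments, so runtime checks must be repeated, not run once.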
Whether you’re at the development stage or retroactively addressing your Java code security debt, whiteCryption easily integrates into your current build processes without adding to development time.
About Juris Olekss
A seasoned security professional, Juris has spent more than 17 years in the IT and security industries, with the majority dedicated to software security. Juris currently serves as a Senior Technical Writer for Intertrust’s whiteCryption application shielding solutions.