Information Security News mailing list archives

Oracle Promises Enterprise Java Security Tweaks


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 4 Jun 2013 02:26:30 -0500 (CDT)

http://www.informationweek.com/security/application-security/oracle-promises-enterprise-java-security/240155912

By Mathew J. Schwartz
InformationWeek.com
June 03, 2013

Java security memo to enterprise IT managers: Better distributed client control capabilities, locked-down Java servers and certificate-based controls are coming.

Those three upcoming Java security changes were outlined in "Maintaining the security-worthiness of Java is Oracle's priority," a Thursday blog post from Nandini Ramani, who heads Oracle's Java software development team and is responsible for Java security.

Already, Ramani said Oracle's Java developers have been practicing better secure development practices, including using more automated security testing tools, using better source code analysis tools, as well as hammering code with homegrown analysis tools designed to eliminate vulnerabilities that might be targeted using code-fuzzing techniques. He also noted that Oracle has refocused resources to help release Java security updates more quickly.

Veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, confirmed via email that Oracle has been responding to bug reports in just days -- instead of the weeks it used to take. Gowdiak also rated Oracle's Java patching speed as "slightly improved," saying that after Oracle receives a vulnerability report, it's been issuing a fix about two months later.

[...]

