SECTION A – SECURITY ISSUES CONCERNING JAVA APPLICATIONS
There are various types of security issues concerning java applications for an institution to look at such as legitimacy, availability, integrity, accountability and confidentiality. An application should be secure so as to not reveal or expose information to unauthorized people. This aim of this report is to provide security issues concerning java applications.
2. THREATS AFFECTING COMPUTER PROGRAMS
1. Malware: is a way to infiltrate or damage your computer. Malware:
• Deletes and alters files in the hard-drive of computers which causes it to lose all the information.
• Manipulates computers and the software on them and steals important information.
2. Viruses: are harmful programs that are sent as emails or downloads with the objective of infecting computers. Viruses can be downloaded automatically by visiting some websites. Viruses:
• Discover personal information like passwords and delete files.
• Take control of web-browsers, display unwanted adverts and send spam.
• Disable your security settings.
3. Worms (Write Once Read Many): reside in the computer memory and multiply by transmitting itself to other computers in a network within an institute or the Internet. Worms cause disorder on networks and vast amount of damage by shutting down parts of the Internet.
4. Trojan-Horses: are malicious programs that are instilled inside or camouflaged as legitimate software. They are executable files that install themselves and run automatically after they are downloaded. Trojan-Horses :
• Use computers to hack other computers and remember or log your credit card information.
• Record private personal information and delete your files and data.
3. JAVA SECURITY MODEL
Java’s security model, the sandbox model which makes software that comes from sources that aren’t trusted easier to work with. “The sandbox security model focuses on protecting users from hostile programs and reduces the necessity of becoming security experts. The model provides a very restricted environment in which to run untrusted code or software and its advantage is that you don’t need to figure out what code you can and can’t trust. The sandbox itself prevents any viruses or other malicious code from doing any damage to your computer.” (Hashemi, 2010)
An extremely limited environment is provided by the sandbox model to run untrusted code acquired from open networks. Local code is allowed full access to important system resources by the sandbox model while downloaded remote code (applets) is allowed access to limited resources inside the sandbox because it is not trusted. The figure below shows the sandbox model.
4. SECURITY CHALLENGES FACING JAVA PROGRAMMERS
a) “System Information Leak Vulnerability – refers to revealing critical system data, program structure including call stack or debugging information that may help an adversary to learn about the software and the system, and form a plan of attack.” (Meghanathan, 2013)
b) “Unreleased Resource Vulnerability- occurs if the program has been coded in such a way that it can potentially fail to release a system resource.” (Wyk, 2003)
c) Angler Exploit- doesn’t use any files so it can’t be found by old security programs. Without any files, it doesn’t leave traces so we cannot know if we’ve been compromised.
d) Limited testing- programmers have to test on different devices because it is important to guarantee that security-related performance meets expectations. When applications are tested on only three or four devices, it is not surprising when applications do not run or execute correctly on other devices.
5. APPLICATIONS SECURITY BEST PRACTICES
1. Implementing solutions for vulnerabilities instead of flaws.
2. Encrypting all programs and using anti-malware or anti-virus to secure applications and files.
3. Breach detection using tools like: intrusion prevention (IPS), intrusion detection (IDS) or next generation firewalls (NGFWs) that monitors breaches.
4. Implementation of validation and authentication solutions.
6. WHY JAVA APPLICATIONS ARE SECURE
a) Access Control functionality- prevents access to objects found in untrusted code which provides secure programs and allows users to use the application.
b) Reusing Tested Code- allows the developers of the programs to reuse tested code that was used to develop Java applications.
c) Garbage collection mechanism- is used to identify and remove objects that are no longer needed by a program.
d) Protection from security attacks- by declaring methods and classes as constants (FINAL). Developers help to protect code from security attacks by declaring classes and methods as Constants (final) so that they cannot be overridden.
Java is a necessary application for many people because it has built-in security, is open source, and the codes can be reused. Mistakes discovered in Java applications are either because of mistakes in the application or implementation errors and not inside the Java Security Model. Moving towards an open source would be one of fairly good solutions to some problems because after writing a Java program or application, developers are free to license their programs or applications however they want, and the developers can decide not to distribute their source code.
8. RECOMMENDATIONS TO MANAGEMENT
I think that the Java application should be deployed because security is not an issue as many precautions can be taken against threats by built-in security, other anti-threat software, hired professionals and security companies. Precautions can be placed or taken by using software to protect the application, deploying network security solutions and monitoring the processes in a computer.
Hashemi, M. S. (2010). Security Issues of the Sandbox inside Java Virtual Machine (JVM) . 53.
Meghanathan, N. (2013). SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRAMS: A CASE STUDY.
Wyk, M. G. (2003). Secure Coding: Principles and Practices .