Just patch Java? Easier said than done

Legacy investment makes patching the Java security threat risky business

Every company whose security I've audited has a Java problem -- an ongoing one that long predates the current threat.

Java provides a convenient attack vector for most of the malware arriving in companies -- not just the annoying stuff, but advanced persistent threats, money stealers, and more. Despite the intricate nature of the recently discovered flaw, simply keeping Java patches up to date (including the latest Oracle patch) would vastly decrease the risk.

[ Also on InfoWorld: Java security comes down to 'war of attrition.' | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]

So why, in literally every company I've audited, does Java remain so badly patched?

Mainly, it's the number of mission-critical enterprise apps tied to specific Java versions. In case after case, IT security people say they can't patch Java in a more timely manner because doing so breaks too many vital applications.

In other words, this dependency is not just an excuse -- it's not the same as, say, neglecting to keep your Windows Server patches up to date. Patching Java presents an operational risk because it has a better chance than nearly any other patching operation of breaking applications. For every patch, you may well need to commit serious resources to testing.

No wonder, then, that the IT people involved complain about how they are powerless to do anything -- how their very jobs would be at risk if they caused the predicted operational interruption. I understand their frustration, but not their powerlessness.

I wonder what would happen if IT told the CIO, the CEO, the board of directors, that "Hey, we recognize our No. 1 problem, and it's been the No. 1 problem for years, but we're throwing our hands up and not doing anything about it." I wonder how senior management would respond?

If you are tired of unpatched Java being a continuing unresolved problem, if you are tired of business units always pushing back saying you can't upgrade Java because it will break their apps, don't politely ask them anymore. Instead, create a whitepaper for your company. Show them how unpatched Java is wrecking havoc across the enterprise. Show them how Java is the No. 1 problem and causing the most risk.

Then present the challenges. Then present the solutions. Then send this paper to your boss and hopefully up the chain of command until it reaches and gets approved by the CIO.

You can't fix the problem, because of the potential operational issues, until you have the seal of approval from senior management. So get on with it! Get senior management involved.

I can't think of a C-level officer, when shown his company's No. 1 problem in a particular area, who won't feel a fiduciary duty to commit the resources to allow his people to solve that problem. Not doing so would put that officer at risk to his own bosses.

In most companies senior management has no idea that Java is their No. 1 problem. I'll go further: In most companies, most of the IT security staff doesn't understand that Java is their No. 1 problem. How can you expect to solve your problems if the senior managers involved and the worker bees don't understand the risks and threats?

That's the silver lining behind this latest and most serious threat: No one can ignore the problem anymore. Responsible companies are going to need to carve out the resources to address it.

This story, "Just patch Java? Easier said than done," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

This story, "Just patch Java? Easier said than done" was originally published by InfoWorld .

Join the discussion
Be the first to comment on this article. Our Commenting Policies
See more