Yet another data security organization has released an extensive study substantiating the inherent insecurity of Java. Earlier this year, the Burlington, Massachusetts-based data security firm Veracode analyzed 250 billion lines of code in an effort to assess the stability of modern digital tools and discovered that approximately 88 percent of open-source Java applications include at least one significant component vulnerability, according to an internal research report published Oct. 18. The company conducted the same penetration study in 2016 and found that 97 percent of the Java applications they scanned featured backdoors susceptible to hacking, Fortune reported.
Veracode Chief Technology Officer Chris Wysopal discussed the latest report with Info Security Magazine, imploring internal enterprise information technology personnel to carefully track their Java assets and implement patches when necessary, especially those utilizing applications with complicated user interfaces that employ significant numbers of components.
"Development teams aren't going to stop using components – nor should they – but when an exploit becomes available, time is of the essence," Wysopal told the publication. "We've now seen quite a few breaches as a result of vulnerable components, and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify."
Java is the most popular enterprise coding language, according to the software quality firm TIOBE, which maintains a comprehensive code index. This means a vast majority of organizations are at risk of compromising customer or company data due to the presence of exploitable vulnerabilities in their mission-critical applications.
Understanding the problem
IT professionals are regularly reminded of the instability of Java, as the language is regularly identified as the culprit in large-scale, public data breaches. However, these technical specialists received perhaps their most impactful reminder yet in September, when hackers leveraged a long-standing vulnerability in the Java-based web application development framework Apache Struts to extract the birth dates, home addresses, names and Social Security numbers of 143 million Americans from the servers of the credit reporting giant Equifax, according to ZDNet. Security specialists had actually discovered this weakness earlier in the year, when cybercriminals used it to invade numerous open-source programs. The Equifax IT team apparently neglected to patch the vulnerability and, as a result, facilitated one of the largest data breaches ever recorded, CNN reported.
"An estimated 88 percent of Java applications include serious vulnerabilities."
On Oct. 17, exactly one month after the Equifax hack, reporters at Reuters discovered that Microsoft suffered a significant breach in 2013 that went unreported. Highly skilled hackers from an international collective called Morpho, which specializes in intellectual property theft, were apparently able to break into the internal servers where the Redmond, Washington, company tracks software bugs. How? The cybercriminals took advantage of a vulnerability hidden deep within an internal Java application. This intrusion not only damaged Microsoft's systems but also put customers at risk, as the bugs recorded in the database could easily be used to enter software products employed by billions. For example, an estimated 1.4 billion people in 140 countries use Microsoft Office, according to the software firm.
"Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," Eric Rosenbach, former chief of staff to former Secretary of Defense Ashton B. Carter, told Reuters.
Finding a solution
In the process of evaluating the applications included in the Veracode report, Wysopal and his team managed to mend more than 10.9 million flaws, many of which resided in Java applications. However, the team at Veracode found a total of 12.8 million flaws, meaning a large number of vulnerabilities remain unfixed. It is, of course, up to internal IT departments to address these backdoors and keep precious digital assets safe. Oracle recently released a list of more than 250 Java vulnerabilities with accompanying patches, Dark Reading reported. Technical specialists must obtain these patches and implement them as soon as possible to prevent an Equifax-like scenario from unfolding.