Java Security Resource Center
Developers creating secure applications with Java should familiarize themselves with the following resources:
System Administrators are responsible for running Java applications in a secure manner, following principle of least privilege, and staying up to date with Java’s secure baseline (either for standard Java SE or the Server JRE).
End Users running Java on their computers only need a few steps to verify and understand Java security on their devices:
Security Professionals performing system auditing, threat modeling, architecture, or code reviews of Java applications should familiarize themselves with Java’s security architecture and API documentation.