Java Security Resource Center

What's New

Security for developers

Developers creating secure applications with Java should familiarize themselves with the following resources:

• See the Java 8 Security Highlights for a summary of security changes between Java 7 and Java 8.
• Integrate JDK 8's new Type Annotations into your program to identify, prevent, and help fix errors:
  • View an introductory video about the role of Type Annotations: Enhanced Metadata - Annotations and Access to Parameter Names.
  • Read an article about Type Annotations in Java 8: Tools and Opportunities.
  • Download and start using the Checker Framework.
• Secure Coding Guidelines – learn defensive coding strategies to properly mitigate weaknesses in software and prevent vulnerabilities.
  • Oracle Secure Coding Guidelines - Updated for Java 8
• Security enhancements in JDK 8 include many new cryptographic algorithms, improved randomization, and protocol updates.
• For Applet & Web Start applications, view the RIA security checklist and understand the expanding role of code signatures for authenticating your identity to end-users.
  • 7u51 provides an Exception Site List for already-shipped applications that cannot be updated per the RIA security checklist.
• Java SE Security Overview — lists APIs, specifications, and developer-related secure deployment information (such as code signing & timestamping).
• Names of cryptographic algorithms available within the Java Cryptographic Architecture.
• For a better understanding of Java security or to get involved in the community, look at the OpenJDK Security Group.
• For other periodic information, please access the Oracle Java Product Management blog and subscribe via RSS readers.

Java Management Service

The Java Management Service (JMS) is a reporting and management service within the Oracle Cloud Infrastructure Platform. JMS is a native Oracle Cloud Infrastructure (OCI) service that monitors Java deployments on OCI instances and instances running in customer data centers. JMS enables system administrators to use the Oracle Cloud to observe and manage the use of Java in their enterprise. See Java Management in Oracle Cloud Infrastructure Documentation for detailed information about JMS.

Advanced Management Console

The Advanced Management Console (AMC) enables system administrators to manage Java version compatibility and security updates for desktops within their enterprise and for ISVs with Java-based applications and solutions. AMC decreases the attack surface of older Java versions by limiting their exposure and maintaining compatibility with known-safe applications. See Advanced Management Console for detailed information about AMC.

Security for System Administrators

System Administrators are responsible for running Java applications in a secure manner, following principle of least privilege, and staying up to date with Java’s secure baseline (either for standard Java SE or the Server JRE).

• Apply the Critical Patch of Java 8u31 or 7u75 to disable SSLv3 POODLE by default, or disable SSLv3 in older versions.
• Evaluate the Advanced Management Console to secure needed older versions by tracking usage, decreasing the attack surface, and maintaining compatibility.
• See the Java 8 Security Highlights for a summary of security changes between Java 7 and Java 8.
• Control TLS compatibility on servers and clients to choose the most secure/compatible combinations.
• Security enhancements in JDK 8 include many new cryptographic algorithms, improved randomization, and protocol updates.
• Stay up to date:
  • Receive email notification of Critical Patch Updates
  • Critical Patch Update general information page
• If required, manage multiple Java versions on client systems through static installations and use Deployment Rule Sets for old-version compatibility.
• Whitelist Applet & WebStart applications across managed computers through Deployment Rule Sets.
• Consider using the Server JRE for server systems, such as application servers or other long-running back-end processes. The Server JRE is the same as the regular JRE except that the Server JRE does not contain the web-browser plugins.
  • Consider upgrading to Unlimited Strength Cryptography for sensitive information.
• Use trusted timestamping when signing and verifying signed JAR files to prevent your artifacts from expiring early.
• Java SE Security Overview – lists APIs, specifications, and developer-related secure deployment information (such as code signing & timestamping).

Security for END Users

End Users running Java on their computers only need a few steps to verify and understand Java security on their devices:

• Use the Exception Site List to run specific RIAs, while they are being updated to meet newer security requirements.
• Always use the latest version of Java on your computer.
  • Java will periodically prompt you to update when it detects that there is a new version.
  • Remove old versions of Java from your computer.
• Only download Java from the following websites:
  • Java.com (most users).
  • Advanced users may download from the Oracle Technology Network.
• If needed, disconnect Java from your web browser.
• What other actions can I take to increase the security of Java?

Security for Security Professionals

Security Professionals performing system auditing, threat modeling, architecture, or code reviews of Java applications should familiarize themselves with Java’s security architecture and API documentation.

• Evaluate the Advanced Management Console to secure needed older versions by tracking usage, decreasing the attack surface, and maintaining compatibility.
• Ensure that all systems are up to date with the latest security patches.
• How to check if you have SSLv3 enabled in Java SE (and how to disable it).
• Java SE Security Overview – lists APIs, specifications, and developer-related secure deployment information (such as code signing & timestamping).
• Secure Coding Guidelines – learn defensive coding strategies to properly mitigate weaknesses in software and prevent vulnerabilities.
  • Oracle Secure Coding Guidelines
• Security Specifications:
  • Names of cryptographic algorithms available within the Java Cryptographic Architecture.
  • Java Cryptographic Architecture specification
  • Sandbox Specification
• Verify that all signed code is properly timestamped to prevent early expiration.