If we disable Java, what do we replace it with to ensure we can still get that functionality we've grown dependent on?

The security community is denouncing Oracle over yet another zero-day vulnerability in Java. With that criticism comes the repeated expert advice that people disable it. But I must ask — if we disable Java, what do we replace it with to ensure we can still get that functionality we’ve grown dependent on?

I wonder this as I read a story from Antone Gonsalves on the latest backlash. He writes:

Java is used in 3 billion devices worldwide, says its steward, Oracle. The platform’s ubiquity makes it a favorite hacker target, along with the fact that the platform often goes unpatched in people’s computers. Security company Rapid7 estimates that 65% of the installations today are unpatched.

“Many people don’t even know Java is installed on their computers and browsers, and that’s a huge problem,” said Andrew Storms, director of security operations at nCircle.

Oracle contributes to the problem by not working more closely with the security industry in building better defenses in Java, Storms said. The company shares very little information with security experts between patches.

Experts recommend disabling Java in Web browsers, unless it is needed to access specific business applications. In the latter case, a separate browser should be dedicated for the sole purpose of accessing those applications.

“IT departments should really consider if users need to access Java for business critical applications, otherwise, they should get rid of it,” said Rob Rachwald, director of security strategy at Imperva.

Another option is to configure a client firewall to block a browser’s Java plug-in from accessing the Internet, unless the destination site is on a whitelist.

The question I started off with might seem juvenile to some of you, but I ask as someone who admits to not having all the answers. That’s when I try turning this blog into a forum for your ideas.
And so I ask: If our best option is to disable Java, what are the best alternatives? If one is dealing with a host of business-critical apps that won’t run right without Java, what are some alternative options aside from those Antone mentioned above? Post your ideas in the comments section below, and thanks for participating!
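For readers who want to act on the "disable Java in the browser" advice quoted above without relying on each user to find the checkbox, here is an added example (not from the original post or from Antone's article) of how an IT department can enforce it centrally through the JRE's own enterprise configuration files. The property names are Oracle's documented deployment keys; the file paths are assumptions for this example and should be adjusted to the organisation's standard locations.

```properties
# deployment.config  (system-wide JRE configuration; assumed locations for this
# example: C:\Windows\Sun\Java\Deployment\deployment.config on Windows,
# /etc/.java/deployment/deployment.config on Linux)
# Points every JRE on the machine at an enterprise deployment.properties file
# and refuses to run if that file cannot be loaded.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# deployment.properties  (the file referenced above; assumed path)
# Turn off the browser plug-in. This is the same switch as unchecking
# "Enable Java content in the browser" in the Java Control Panel
# (available from Java 7 Update 10 onward).
deployment.webjava.enabled=false
# A key with the .locked suffix cannot be changed by the user from the
# Control Panel, so the plug-in stays off after a help-desk call or a reinstall.
deployment.webjava.enabled.locked

# For the one dedicated browser host that still needs the plug-in for a
# business application, ship the same file with webjava enabled but keep the
# security slider at its strictest setting so unsigned applets do not run.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Pushing these two files through the usual desktop-management tooling gives the "disable it everywhere, allow it only on the dedicated browser" split that Antone's sources recommend, with the decision made once by IT rather than per user. It does not replace the client-firewall whitelist mentioned above; the two measures are complementary.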