Just patch Java? Easier said than done

Jan 16, 2013
Data and Information Security | IT Leadership | Java

You'd think the seriousness of the latest Java threat would force companies to patch or turn off Java in a hurry. It's not that simple

Every company whose security I’ve audited has a Java problem — an ongoing one that long predates the current threat.

Java provides a convenient attack vector for most of the malware arriving in companies — not just the annoying stuff, but advanced persistent threats, money stealers, and more. Despite the intricate nature of the recently discovered flaw, simply keeping Java patches up to date (including the latest Oracle patch) would vastly decrease the risk.


So why, in literally every company I’ve audited, does Java remain so badly patched?

Mainly, it’s the number of mission-critical enterprise apps tied to specific Java versions. In case after case, IT security people say they can’t patch Java in a more timely manner because doing so breaks too many vital applications.

In other words, this dependency is not just an excuse — it’s not the same as, say, neglecting to keep your Windows Server patches up to date. Patching Java presents an operational risk because it has a better chance than nearly any other patching operation of breaking applications. For every patch, you may well need to commit serious resources to testing.

No wonder, then, that the IT people involved complain about how they are powerless to do anything — how their very jobs would be at risk if they caused the predicted operational interruption. I understand their frustration, but not their powerlessness.

I wonder what would happen if IT told the CIO, the CEO, the board of directors, that “Hey, we recognize our No. 1 problem, and it’s been the No. 1 problem for years, but we’re throwing our hands up and not doing anything about it.” I wonder how senior management would respond?

If you are tired of unpatched Java being a continuing unresolved problem, if you are tired of business units always pushing back saying you can’t upgrade Java because it will break their apps, don’t politely ask them anymore. Instead, create a whitepaper for your company. Show them how unpatched Java is wreaking havoc across the enterprise. Show them how Java is the No. 1 problem and the source of the most risk.

Then present the challenges. Then present the solutions. Then send this paper to your boss and hopefully up the chain of command until it reaches and gets approved by the CIO.

You can’t fix the problem, because of the potential operational issues, until you have the seal of approval from senior management. So get on with it! Get senior management involved.

I can’t think of a C-level officer, when shown his company’s No. 1 problem in a particular area, who won’t feel a fiduciary duty to commit the resources to allow his people to solve that problem. Not doing so would put that officer at risk to his own bosses.

In most companies senior management has no idea that Java is their No. 1 problem. I’ll go further: In most companies, most of the IT security staff doesn’t understand that Java is their No. 1 problem. How can you expect to solve your problems if the senior managers involved and the worker bees don’t understand the risks and threats?

That’s the silver lining behind this latest and most serious threat: No one can ignore the problem anymore. Responsible companies are going to need to carve out the resources to address it.

This story, “Just patch Java? Easier said than done,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
