Thursday, March 24, 2016

Night of the living dead Java software

Oracle is releasing yet another Java patch out of cycle.  Like all out-of-band patches, this one is rated critical.  Like any good security professional, Rendition Infosec will recommend that you patch if you use Java.  But we're going to take it a step further and suggest that you start planning to migrate away from your Java technology portfolio altogether.

Whoa - we spent a ton on developing our Java project
So what. Admit it was a mistake and move on.  We invest in technologies all the time that end up being complete failures.  The US Navy thought Zeppelins were a good idea for aircraft carriers in the 1930s, but abandoned the idea when it was obvious that it was a failure (both airships crashed within two years of entering service).  The US Navy didn't lament how they needed to keep building these obviously vulnerable craft because they had invested so much.

On the civilian side, nobody wanted to fly on a Zeppelin either after the Hindenburg disaster.  But there was a huge investment in airship technology.  The Empire State Building had plans for an airship docking station.  Great idea in theory - you could "land" in downtown New York.  But they scrapped the idea when it was obvious that:

  1. Airship travel in general wasn't safe
  2. Nobody wanted to travel by airship, especially if they had to dock at the top of a building

Aren't you overreaching comparing Java to the Hindenburg?
No. Not at all.  Yeah, I know it's hard to see the people running away in flames when vulnerable Java installations are exploited.  But they are there - believe it.  Nobody shouts "the humanity" during mass exploitation either.  But perhaps we need that to make decision makers understand the impact.  I think that management needs some really powerful visuals to gain understanding.  Otherwise they see their investment in Java timecard/inventory/HR/blah systems and are afraid to turn away.  Give them a powerful enough visual to make it real.

But Java can be made safe if only we patch/remove serialization/blah....
Stop. No, seriously. Stop.  I'm going to come back to the Hindenburg.  After the disaster, those who had heavily invested in airship technology tried to talk about how it could be safe if only we took x number of precautions.  But people realized those precautions weren't realistic, and airships went away.  It's time you do the same with Java.  Start planning for how to migrate away.  It won't happen overnight, so start planning now.

Your Zeppelin analogies suck and are really distracting
Bah! If you don't like that analogy, try SPARC.  SPARC on the desktop died as DoD recognized that it was a sinking ship and migrated desktops to Wintel, despite their massive previous investment.  Some of the technology they migrated to Wintel is still less responsive than it was on the SPARC platform, but overall the migration was still a huge cost savings for DoD.  Bottom line: Java is not a sinking ship - but it will blow a giant hole in the hull of your ship and you're certain to take on water (or worse) in no time.

You're a moron and you're totally wrong
Think I'm wrong?  Feel free to tell me about it in the comments or on your favorite social media network...


  1. I don't think you're wrong but I do think companies are willing to accept the risk. One of the Fortune 10 companies relies heavily on Java; after a previous blow up, they started and then scrapped the replacement. Mostly because it was cheaper for them to be down than to re-design everything.

    1. Yeah - there's that. What's your risk tolerance vs. what's the cost to replace. I totally understand. But I still hold my position that accepting the risk is like riding the Hindenburg 2 in a lightning storm with a full smoking section and open flame at every dining table.

  2. Thank you Jake. Great post, love it. In my work, I'm the only one trying to make my superiors realize the mistake that we are all making by trying to use Java as our main application, but it has been a battle where I have been losing, because they do not want to see the big picture. Thank you, and I agree with you 100%.
