CIO strategies for navigating Java vulnerabilities

Image: Azul co-founder and CEO Scott Sellers (credit: Azul)

By Scott Sellers

Addressing Java vulnerabilities often feels like navigating an endless game of “Whac-a-Mole”, with relentless threats and a never-ending stream of alerts. This ongoing battle can be draining for development and security teams, transforming what should be a routine task into a persistent challenge.

The situation isn’t improving for organisations. In 2023 alone, there were around 23,000 reported vulnerabilities, with approximately 10 per cent impacting Java applications.

Compounding the issue, Java’s extensive range of open-source libraries, frameworks, and tools is a clear strength of the platform, but the same breadth means that a single vulnerable component can be present in a very large number of applications, so the potential damage from one attack can be extensive.

A notable example is the Log4j vulnerability from 2021, which is regarded as one of the most critical zero-day flaws ever discovered. Nearly 80 per cent of businesses reported being affected, and about half of them suffered indirect consequences from the additional workload placed on development teams.

Despite countless hours spent identifying and addressing vulnerable Log4j versions, a recent study reported that more than a third of Java applications are still running outdated, vulnerable versions.

For CIOs, the challenge is twofold: responding swiftly to critical flaws is crucial, yet doing so is difficult with limited DevOps resources and the noisy, often ignored, alerts produced by security scanning tools.

However, there are actionable steps CIOs can take to strengthen application security across their Java infrastructure more efficiently:

Monitor production stacks: Regularly check the software you actually have running in production to avoid executing insecure code. Vulnerability scanning and Software Composition Analysis (SCA) during the development and build phases alone are not enough, because what was clean at build time can become vulnerable once a new flaw is disclosed. Patching known vulnerabilities and upgrading to the latest secure versions should be a continuous focus. Establish procedures to verify the authenticity of updates, and subscribe to alerts from approved maintainers.
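As an added example, not code from the article or from Azul, the following Python script inventories the jars in a deployed application tree, reads each jar's version (from the standard `Implementation-Version` manifest attribute, falling back to the filename) and reports any that sit below a patch floor. The policy table, the constructed sample jars, and the check for the Log4j `JndiLookup` class (whose removal was a common mitigation) are assumptions chosen to illustrate the Log4j case discussed above; populate the table from your own vulnerability feed.

```python
import os, re, tempfile, zipfile

# Example policy (an assumption, not from the article): the lowest version treated as patched per artifact id.
MIN_SAFE = {"log4j-core": (2, 17, 1)}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # its removal was a common mitigation

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jar_identity(path):
    """Return (artifact_id, version, jndi_lookup_present); manifest version wins over filename."""
    stem = os.path.basename(path)[:-4]                        # drop ".jar"
    m = re.match(r"(.+?)-(\d[\w.]*)$", stem)
    artifact, version = m.groups() if m else (stem, "")
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            mv = re.search(r"^Implementation-Version:\s*(\S+)",
                           zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), re.M)
            version = mv.group(1) if mv else version
        return artifact, version, JNDI_CLASS in names

def scan_deployment(root, policy=MIN_SAFE):
    """Walk a deployed application tree and flag every jar below the policy floor."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(n for n in files if n.endswith(".jar")):
            artifact, version, jndi = jar_identity(os.path.join(dirpath, f))
            floor = policy.get(artifact)
            if floor and parse_version(version) < floor:      # an unknown version ("") is flagged too
                findings.append({"jar": f, "artifact": artifact, "version": version,
                                 "required": ".".join(map(str, floor)), "jndi_lookup_present": jndi})
    return findings

def build_sample_deployment(root):
    """Constructed sample: one outdated log4j-core, one at the floor, one jar the policy ignores."""
    samples = [("log4j-core-2.14.1.jar", "2.14.1", True), ("log4j-core-2.17.1.jar", "2.17.1", False), ("app-1.0.jar", None, False)]
    for name, mf_version, with_jndi in samples:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            if mf_version:
                zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {mf_version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"")

def demo_scan():
    """Build the constructed sample in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_deployment(d)
        return scan_deployment(d)
```

Pointing `scan_deployment` at a real deployment directory on a schedule, rather than only at build output, is the production-side check the paragraph calls for.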

Manage alert fatigue: According to the Orca Security Cloud Security Alert Fatigue Report, many organisations use multiple public cloud security tools, which often produce overlapping alerts and an influx of false positives. This redundancy leads developers and security teams to question the reliability of the tools. Frequently, they spend time discussing flagged vulnerabilities with vendors only to find that the issues were non-existent, a significant productivity drain. The report also highlights that alert fatigue disrupts teams, careers, and business performance: 62 per cent of respondents said it contributed to staff turnover, and 60 per cent experienced internal friction because of it.

Think of an improvement to Java as an improvement to operations: Companies today must innovate rapidly, speed up time to market, and secure their applications while managing with fewer resources. Enhancing the efficiency and security of Java applications directly benefits operational performance. According to McKinsey’s Developer Velocity Index (DVI), companies in the top quartile achieved 60 per cent higher total shareholder returns and 20 per cent greater operating margins than those in the bottom quartile. These top performers also grew 4-5 times faster and scored 55 per cent higher on innovation.

Java remains a robust and widely adopted platform for enterprise applications. Staying ahead of Java vulnerabilities requires a holistic approach: proactive monitoring of what is running in production, effective alert management, and recognition that secure, high-performing Java applications are crucial for operational success.

CIOs who prioritise these strategies will be better positioned to stay ahead of competitors and drive their digital business initiatives forward.

Scott Sellers is co-founder and CEO at Azul
