Article: Java security: Is it getting worse?

"Java has long boasted a reputation for being a secure programming
language. Lately, however, that reputation has come into question. Java
has been accused of being susceptible to cross-site scripting (XSS) and
other similar input attacks like SQL injection.

Is the security of Java itself getting worse, or is the
security of Web applications using Java weakening? Are XSS attacks
enabled by poor Java coding, or poor Web application design? In this
tip, we'll examine Java's security capabilities, the recent exploits
that have caused some to question Java and best practices to keep Java
applications safe.

Java has a number of built-in security features that don't
exist in other languages. For example, it checks the size of input
data, which prevents buffer overflows, a common exploit where an
attacker floods an application with more data than it can handle. A
buffer overflow can crash an application or, if crafted properly,
ignite a process which allows malicious access into a system.

Unlike other languages, such as C and assembly, Java
automatically cleans up after itself. After an application closes, Java
clears out memory used by the application with a garbage collection
system. This process, which works silently in the background, prevents
other exploits that can take down an application by overloading its
memory."
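The quoted passage draws a line between what the Java runtime checks on its own (array bounds) and the input attacks it names (XSS, SQL injection), which no language feature addresses. The following added example, written for this page and not taken from the article or from any project it mentions, makes that line concrete: an oversize array copy is stopped by the JVM, while a string that flows unchanged into SQL or HTML is not checked at all and must be handled by the application. The class name and helper names are the example's own, and the SQL binding is shown as a (statement, parameter) pair so it runs without a database.

```java
import java.util.Arrays;

// Added example for this page; not code from the quoted article.
// Contrasts what the JVM checks for you (array bounds) with what it
// leaves to the application (how untrusted strings reach SQL and HTML).
public class JavaInputChecks {

    // Every array access is bounds-checked by the runtime, so an oversize
    // write raises an exception instead of overwriting adjacent memory.
    static String copyIntoFixedBuffer(byte[] input) {
        byte[] buffer = new byte[16];
        try {
            for (int i = 0; i < input.length; i++) {
                buffer[i] = input[i];
            }
            return "copied " + input.length + " bytes";
        } catch (ArrayIndexOutOfBoundsException e) {
            return "rejected: " + input.length + " bytes exceed the 16-byte buffer";
        }
    }

    // Nothing in the language checks this: the user value becomes part of
    // the SQL text, so a quote in the value changes the statement's syntax.
    static String vulnerableQuery(String username) {
        return "SELECT * FROM users WHERE name = '" + username + "'";
    }

    // Hardened form: the statement text is fixed and the value is bound
    // separately. With JDBC this is PreparedStatement.setString(1, username);
    // shown here as a (statement, parameter) pair so no database is needed.
    static String[] parameterizedQuery(String username) {
        return new String[] {"SELECT * FROM users WHERE name = ?", username};
    }

    // Output encoding for HTML element content and quoted attributes:
    // the five characters that can change the markup are escaped.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // The runtime catches the memory-safety case for us.
        System.out.println(copyIntoFixedBuffer(new byte[8]));
        System.out.println(copyIntoFixedBuffer(new byte[64]));

        // Constructed sample input: a legitimate name containing a quote is
        // enough to break the concatenated query, but is harmless when bound.
        String name = "O'Brien";
        System.out.println(vulnerableQuery(name));
        System.out.println(Arrays.toString(parameterizedQuery(name)));

        // Constructed sample input: markup in a comment field is rendered as
        // text, not interpreted, once it is encoded for the HTML context.
        String comment = "<b>hello</b> & goodbye";
        System.out.println("<p>" + escapeHtml(comment) + "</p>");
    }
}
```

Compile and run with `javac JavaInputChecks.java && java JavaInputChecks`. The first two lines of output show the runtime stopping the 64-byte copy; the next two show the same name once spliced into SQL text and once kept apart from it; the last shows the encoded comment. The takeaway matches the article's question: the buffer-overflow class is handled by the language, while the injection class depends entirely on how the web application builds its queries and pages.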

Paper Link: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1263607,00.html