
Java Developers @ OWASP

Java Developer Focused Application Security Pages

General Java Application Security

Interestingly, Java gets a bad rap in the security world even though in many ways Java-based applications encourage a number of important security improvements. The bad rap comes from vulnerabilities in the JVM, and the extent to which attackers can use malicious Java to run arbitrary code through browsers. This is a reason to give a second thought to web-based rich application delivery (applets).

Java is compiled to bytecode and then run in a JVM. Running the code this way generally prevents buffer overflows and memory allocation issues, a very important class of vulnerability that is common in C and C++ programs. Specifically, Java developers rarely have to consciously allocate or free memory; it is done automatically through garbage collection.

Java is a very rich language. This can mean that simple programs create large numbers of objects and use surprising amounts of memory. This is something to watch out for during development, as it can result in performance and denial-of-service issues in an application.
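One place the memory point bites in practice is reading untrusted input: a loop that reads "everything" lets the client decide how much heap the server allocates. The following is an added example, not code from the OWASP page; the class and method names are chosen here, and the 1 MiB input is constructed to stand in for an oversized request body.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example: bounding the memory used when reading untrusted input.
 * The unbounded reader grows its buffer as long as the stream keeps
 * delivering bytes; the bounded reader fails fast once a caller-chosen
 * limit is exceeded, so a single client cannot exhaust the heap.
 */
public class BoundedRead {

    /** Naive: buffer grows without limit, so input size controls heap usage. */
    static byte[] readAllUnbounded(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    /** Bounded: rejects the input as soon as more than maxBytes have arrived. */
    static byte[] readAllBounded(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int total = 0;
        int n;
        while ((n = in.read(chunk)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new IOException("input exceeds limit of " + maxBytes + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: 1 MiB of zeros standing in for an oversized request body.
        byte[] oversized = new byte[1024 * 1024];

        byte[] all = readAllUnbounded(new ByteArrayInputStream(oversized));
        System.out.println("unbounded read accepted " + all.length + " bytes");

        try {
            readAllBounded(new ByteArrayInputStream(oversized), 64 * 1024);
        } catch (IOException e) {
            System.out.println("bounded read rejected it: " + e.getMessage());
        }
    }
}
```

The same idea applies to any decoder that buffers before it validates (JSON, XML, multipart uploads): pick the limit from what the endpoint legitimately needs, not from what the JVM can physically hold.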

Java applications often use a large number of open source libraries. Since vulnerabilities in the libraries can cause issues, it is important when working in Java to use a tool like OWASP Dependency Check to identify security issues in dependent libraries.

Although Java is compiled to bytecode, it is possible to decompile bytecode to readable Java code. This means that distributing .jar, .war, .ear or .apk files with compiled code is effectively sharing source code for an application.

Java offers very advanced multithreading capabilities. When in doubt, use the java.util.concurrent packages rather than writing code that isn't thread-safe.
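To make the thread-safety point concrete, here is an added example (not code from the OWASP page) contrasting a plain `int` counter, whose `++` is a non-atomic read-modify-write, with an `AtomicInteger` from java.util.concurrent. The class name, thread count and iteration counts are chosen here; the plain counter typically ends up below the expected total because updates are lost under contention.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example: lost updates on a shared int versus an AtomicInteger.
 * Both counters receive the same number of increments from the same
 * number of threads; only the atomic one is guaranteed to reach the total.
 */
public class CounterRace {

    // Unsafe: "plainCounter++" is three steps (load, add, store) that can interleave.
    static int plainCounter = 0;

    // Safe: incrementAndGet is a single atomic operation.
    static final AtomicInteger atomicCounter = new AtomicInteger();

    static void unsafeIncrement() {
        plainCounter++;
    }

    static void safeIncrement() {
        atomicCounter.incrementAndGet();
    }

    /** Runs task perThread times on each of the given number of threads and waits for completion. */
    static void runConcurrently(Runnable task, int threads, int perThread) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            pool.submit(() -> {
                for (int i = 0; i < perThread; i++) {
                    task.run();
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 8;
        int perThread = 100_000;
        int expected = threads * perThread;

        runConcurrently(CounterRace::unsafeIncrement, threads, perThread);
        runConcurrently(CounterRace::safeIncrement, threads, perThread);

        System.out.println("expected        : " + expected);
        System.out.println("plain int       : " + plainCounter + (plainCounter == expected ? "" : "  (updates lost)"));
        System.out.println("AtomicInteger   : " + atomicCounter.get());
    }
}
```

The same failure mode applies to shared collections: a `HashMap` updated from several threads can silently lose entries or throw, whereas `ConcurrentHashMap` provides atomic `merge`, `compute` and `putIfAbsent` operations for exactly this situation.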

Resources

Support or Contact

Having trouble with the developer pages? Help us update them or [email protected] and we’ll help you sort it out. See something wrong? Get involved and help us fix it!
