HD Moore, the chief security officer at Rapid7 and the creator of Metasploit, an open-source penetration testing toolkit used by both legitimate and criminal hackers, was willing to cut Oracle some slack on last week's flawed update.
"We have to keep in mind that it was released under duress and did help with the immediate problem of consumers being compromised," said Moore of Oracle's rapid turn-around. He also assumed Oracle engineers are continuing to work the problem for a higher-quality update. "But given its complexity, and requirements with backward compatibility, it may be a while before this class of flaws is finally put to rest," Moore added.
All three experts called on Oracle to adopt a Microsoft-esque approach, where security is an integral part of the development process.
Called Security Development Lifecycle, or SDL, by Microsoft, the process includes regular code reviews as a product is created, and includes development practices designed to reduce the number of vulnerabilities. Windows Vista was the first Microsoft OS to use SDL start to finish.
While Oracle has something similar dubbed "Oracle Secure Coding Standards," and has published secure coding guidelines for third-party Java developers, it's unclear whether the firm has used its own Secure Coding Standards practices on Java, which it inherited from Sun Microsystems in 2010.
If it has, the experts said, it's not working.
"If Oracle wants Java to be successful within the browser, they will need to make serious investments into the security model," said Moore, who added that the Oracle Secure Coding Standards "hasn't been enough."
"What Oracle needs now is something similar to the Microsoft Trustworthy Computing initiative," said Storms of the Redmond, Wash. developer's overarching security-minded project, launched in 2002 after then-CEO Bill Gates' famous memo. "[Oracle] needs an executive with a strong vision and the ability to force the organization to build 'management by objectives' around security."
Gowdiak beat the same Java drum as Storms. "From what we have learned so far investigating Java SE 7 code, the overall impression is that certain new code features/new additions have not been the subject of any security review," he said.
Changing Java's security model won't be easy, Moore acknowledged, what with the need for backward compatibility; Java's ambition to be all things to all users and on all platforms, from enterprise and consumers to desktop, mobile and the Web; and its reliance on an interpreter-level sandbox.