Are You On Java 8 Yet?

From a security perspective, Java 8 introduces a number of features that are helpful and, in some cases, necessary. While the biggest selling point of moving to Java 8 is lambda expressions, the improvements in annotations, encryption, access control, and random number generation make the latest version an upgrade worth prioritising.

Below are some highlights of the Java 8 security enhancements, and what they can do.

TLS 1.1 and 1.2 are enabled by default (previously only on the server side), and SSLv3 is disabled.

This is of particular importance because of the flaws found in SSLv3 last year. Since Java 8 Update 31, SSLv3 is disabled for both clients and servers through the jdk.tls.disabledAlgorithms property in the java.security file, so upgrading to Java 8 will break anything that still depends on SSLv3. While this may seem drastic, it ensures that you are not exposed to the POODLE attack. The property can be edited to re-enable SSLv3; don't, since that reopens the hole.
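As an added example (not code from the original post), the following program inspects what the JDK's default SSLContext supports and enables, refuses to start if SSLv3 has crept back in, and pins the protocol list on a socket rather than trusting the defaults. It assumes a JDK with the SunJSSE provider and an allow-list of TLSv1.2 only; that allow-list is an application choice, not something the JDK mandates.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsProtocolCheck {

    // Assumption: this application only ever negotiates TLS 1.2.
    private static final String[] WANTED = { "TLSv1.2" };

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();

        // What the provider can do vs. what it will do unless told otherwise.
        System.out.println("Supported:          " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled by default: " + Arrays.toString(defaults.getProtocols()));
        // This is the java.security property that removes SSLv3 from the defaults.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Fail fast if someone re-enabled SSLv3 by editing java.security.
        for (String p : defaults.getProtocols()) {
            if ("SSLv3".equals(p)) {
                throw new IllegalStateException("SSLv3 is enabled by default; refusing to start");
            }
        }

        // Defaults can drift between JDK updates and deployments, so pin the list
        // explicitly on every socket. createSocket() with no arguments returns an
        // unconnected socket, so this runs without any network access.
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) factory.createSocket()) {
            s.setEnabledProtocols(WANTED);
            System.out.println("Socket will negotiate: " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

The same pinning applies to an SSLEngine or an HttpsURLConnection's socket factory; the point is that the negotiated protocol set is a property of your code, not of whichever java.security file happens to be on the host.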

AccessController (JavaDoc) has been updated to follow the principle of least privilege.

The doPrivileged methods now have overloads that accept a list of Permission objects. Instead of a privileged block asserting every permission its protection domain holds, developers can specify exactly which permissions the block is allowed to exercise. This limits the damage if the privileged code is misused, because it can only do what it was written to do; any other permission check still walks the full call stack, including the less-privileged caller.
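The two shapes side by side, as an added example rather than code from the original post. readConfig is a hypothetical library method that reads one system property on behalf of a caller that may not itself hold that PropertyPermission. The unbounded form is the pre-Java 8 idiom; the bounded form uses the Java 8 varargs overload. Without a SecurityManager both calls simply succeed, which is the assumption the main method runs under.

```java
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;

public class LimitedPrivilege {

    // Pre-Java 8 idiom: the privileged frame asserts EVERY permission held by this
    // library's protection domain. If the action is ever tricked into doing more than
    // a property read (a callback, a deserialised object, a bug), all of those
    // permissions are in play.
    static String readConfigUnbounded(String key) {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    // Java 8: name the permissions the action legitimately needs. Inside the action
    // only these are asserted; a check for anything else (file write, socket connect)
    // keeps walking the stack and is evaluated against the caller as well.
    static String readConfigBounded(String key) {
        Permission needed = new PropertyPermission(key, "read");
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(key),
                null,      // no additional AccessControlContext restriction
                needed);   // varargs: list every permission the block may use
    }

    public static void main(String[] args) {
        // Assumption: no SecurityManager installed, so both succeed. The difference
        // becomes observable only once a policy restricts the calling code.
        System.out.println(readConfigUnbounded("java.version"));
        System.out.println(readConfigBounded("java.version"));
    }
}
```

The cast to PrivilegedAction<String> is needed because doPrivileged is also overloaded for PrivilegedExceptionAction and the lambda alone is ambiguous. The context argument may be null; passing a previously captured AccessControlContext additionally restricts the block to the intersection of the two contexts.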

Stronger algorithm support for password-based encryption.

Java 8 adds several Advanced Encryption Standard (AES) based password-based encryption (PBE) algorithms, such as PBEWithHmacSHA512AndAES_256, along with PBKDF2 key derivation using the SHA-2 family (for example PBKDF2WithHmacSHA512). There is still no built-in support for some other popular algorithms (bcrypt, scrypt), but PBKDF2 is supported. The two serve different jobs: the PBE ciphers encrypt data under a key derived from a password, while PBKDF2 with a salt and a high iteration count is what you use to store a password verifier. A slow, salted derivation makes brute-force attacks (where software tries to guess the password) more expensive, and limits the damage when a database of password hashes is breached.
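Both uses in one program, as an added example that is not part of the original post: PBKDF2WithHmacSHA512 for storing and verifying a password, and PBEWithHmacSHA512AndAES_256 (AES-256 in CBC mode under the hood) for encrypting data under a password. The record format, the 16-byte salt and IV sizes, and the 200,000 iteration count are this example's choices, not JDK defaults; the sample password and plaintext are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PasswordCrypto {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16, IV_BYTES = 16;
    // Assumption: tuned so one derivation costs roughly 100 ms on the target hardware.
    private static final int ITERATIONS = 200_000;

    // ---- Storing a password: PBKDF2-HMAC-SHA512 (SecretKeyFactory name new in Java 8) ----

    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS, 512);
        Base64.Encoder b64 = Base64.getEncoder();
        // Self-describing record, so the iteration count can be raised later without a flag day.
        return "pbkdf2-sha512$" + ITERATIONS + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(dk);
    }

    static boolean verifyPassword(char[] password, String record) throws Exception {
        String[] p = record.split("\\$");
        if (p.length != 4 || !"pbkdf2-sha512".equals(p[0])) return false;
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(p[2]), expected = b64.decode(p[3]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(p[1]), expected.length * 8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iter, int bits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iter, bits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // don't leave the password in the spec's char[]
        }
    }

    // ---- Encrypting data under a password: PBEWithHmacSHA512AndAES_256 ----

    private static final String PBE = "PBEWithHmacSHA512AndAES_256";

    static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(PBE);
        // Java 8 PBEParameterSpec can carry the IV; otherwise the provider picks one
        // and you must fetch it from c.getParameters() to decrypt later.
        c.init(Cipher.ENCRYPT_MODE, pbeKey(password),
               new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        byte[] ct = c.doFinal(plaintext);
        // Layout: salt || iv || ciphertext. Neither salt nor IV is secret.
        return ByteBuffer.allocate(SALT_BYTES + IV_BYTES + ct.length).put(salt).put(iv).put(ct).array();
    }

    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        byte[] ct = new byte[blob.length - SALT_BYTES - IV_BYTES];
        in.get(salt).get(iv).get(ct);
        Cipher c = Cipher.getInstance(PBE);
        c.init(Cipher.DECRYPT_MODE, pbeKey(password),
               new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return c.doFinal(ct); // usually BadPaddingException on a wrong password or tampering
    }

    private static SecretKey pbeKey(char[] password) throws Exception {
        return SecretKeyFactory.getInstance(PBE).generateSecret(new PBEKeySpec(password));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        String record = hashPassword(pw);
        System.out.println(record);
        System.out.println("verify ok:  " + verifyPassword(pw, record));
        System.out.println("verify bad: " + verifyPassword("wrong".toCharArray(), record));

        byte[] blob = encrypt(pw, "top secret".getBytes(StandardCharsets.UTF_8));
        System.out.println("roundtrip: " + new String(decrypt(pw, blob), StandardCharsets.UTF_8));
    }
}
```

Two caveats a practitioner will hit. On Java 8 releases before 8u161, AES_256 throws "Illegal key size" unless the Unlimited Strength Jurisdiction Policy Files are installed; the 128-bit variants work out of the box. And the SunJCE PBE ciphers are CBC with no integrity protection, so a wrong password or a tampered blob is only detected by luck of the padding; if tampering matters, derive the key with PBKDF2 as above and use AES/GCM/NoPadding, or add an HMAC over the ciphertext.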

Better support for random number generation.

The SecureRandom class now includes the method getInstanceStrong(), which returns the strongest SecureRandom configured for the platform (the algorithms listed in the securerandom.strongAlgorithms property of java.security). Developers can still name an implementation explicitly, but this makes it easier to make sure a strong, secure one is used. Insecure Randomness is on the OWASP vulnerability list, so any improvement in random number generation matters. One caveat: on Linux the strong instance is usually a blocking generator backed by /dev/random, so reserve it for keys and seeds rather than every nonce or session ID.
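An added example, not code from the original post, showing the insecure pattern the OWASP entry describes beside the Java 8 approach: a token built from java.util.Random, a token built from a default SecureRandom, and key material drawn from getInstanceStrong(). The split between a strong instance for long-lived secrets and a default instance for high-volume values is this example's design choice; the fallback when no strong algorithm is configured is also an assumption about what your deployment prefers.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Base64;
import java.util.Random;

public class TokenGenerator {

    // Insecure: java.util.Random is a 48-bit linear congruential generator. A couple
    // of observed outputs let an attacker recover its state and predict every later token.
    static String insecureToken() {
        byte[] b = new byte[24];
        new Random().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Strong instance for long-lived secrets. On Linux this is typically
    // NativePRNGBlocking (reads /dev/random) and can stall on an entropy-starved VM,
    // so create it once and draw from it sparingly.
    private static final SecureRandom STRONG = strongOrDefault();

    // Default instance for high-volume values (session IDs, nonces, salts): properly
    // seeded from the OS, and non-blocking on every mainstream platform.
    private static final SecureRandom FAST = new SecureRandom();

    static SecureRandom strongOrDefault() {
        try {
            return SecureRandom.getInstanceStrong();
        } catch (NoSuchAlgorithmException e) {
            // securerandom.strongAlgorithms in java.security named nothing available
            // on this platform. Assumption: degrade to the default rather than abort.
            return new SecureRandom();
        }
    }

    static String sessionToken() {
        byte[] b = new byte[24];
        FAST.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static byte[] newKey(int bytes) {
        byte[] k = new byte[bytes];
        STRONG.nextBytes(k);
        return k;
    }

    public static void main(String[] args) {
        System.out.println("securerandom.strongAlgorithms = "
                + Security.getProperty("securerandom.strongAlgorithms"));
        System.out.println("strong:  " + STRONG.getAlgorithm() + " (" + STRONG.getProvider().getName() + ")");
        System.out.println("default: " + FAST.getAlgorithm() + " (" + FAST.getProvider().getName() + ")");
        System.out.println("insecure token (do not use): " + insecureToken());
        System.out.println("session token: " + sessionToken());
        System.out.println("key bytes drawn from strong instance: " + newKey(32).length);
    }
}
```

If the strong instance stalls on a headless server, the usual fix is to feed the kernel entropy (haveged or a hardware source) rather than to switch key generation to the non-blocking generator.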

Whether you are a developer or a company, consider upgrading to Java 8.