Other Security APIs, Tools, and Issues - How Secure Is Java?
As an organisation we have been through a process of evaluating Java, primarily for the development of applets that will consume SOAP services so as to provide a very rich 'web' interface.
There are however various 'security' concerns that we have no answer for at this time and so we would appreciate your comments based on your own experiences.
Firstly, what security threats does Java face? Something that springs to mind, given the open source nature of Java, is the possibility that an individual gets hold of the applet-related code, de-compiles and tampers with it and manages to get users to use this modified version.
I understand this in itself may not be an easy task but it certainly seems plausible. Are our concerns justified or is it simply our perception of the risk that is wrong?
Secondly, would signing applets overcome our first concern? If all code is signed does this reduce the risk that the code could be tampered with and replaced without the user being notified in some way that something is awry?
Thirdly, the concerns above could be targeted at web apps using JavaScript/AJAX as no doubt there are ways and means to intercept JS code and tamper with it. However, I would assume that Java is inherently more secure than JavaScript, i.e. we're not taking a step backwards by employing Java?
And finally, perhaps not specifically security related, how do you protect intellectual property rights on what has been developed if there are tools available to decompile code?
Thanks
Chris

