Oracle Java - Java: Consider security risks!

Java is one piece of the security puzzle: if the Java environment is not secure, your security challenges cannot be solved completely.

TIP #8, August 2019: How can you identify risks related to Oracle Java software and rate them?


To identify risks related to Oracle Java software and rate them, preferably use the Common Vulnerability Scoring System (CVSS), because:

  • It is a free and open industry standard for assessing the severity of computer system security vulnerabilities;
  • It is being used as a framework for rating the severity of security vulnerabilities in software;
  • It uses an algorithm to determine the severity rating score, which may vary from 0 to 10, with 10 being the most severe.

Source: https://searchsecurity.techtarget.com/definition/CVSS-Common-Vulnerability-Scoring-System  
Source: www.oracle.com

As the pictures above show, a fair number of security vulnerabilities have been identified for different Oracle Java versions:

  • Oracle Java versions 6 and 7 (outdated versions) score high on the CVSS rating;
  • The same applies to Oracle Java version 8. Moreover, Oracle support for critical problems is no longer available;
  • New public versions of Oracle Java no longer receive the latest security patches and bug fixes after 6 months.

Furthermore:
Security risks may cause unacceptable privacy risks and could have financial consequences under the GDPR, such as fines for not complying with these laws and regulations.
On top of that, there is a potential financial risk when downtime occurs due to security vulnerabilities, for example after a breach or a forced shutdown following a GDPR violation.