These are the typical deployment patterns for Java SE:
On Desktops: a JRE is installed on the desktop PC so that the user can either run an applet in his favorite browser or launch a Java SE client program via JNLP/Web Start.
Questions: Are all the desktops running the latest secure JRE? Can you make sure the user runs only security-approved applications? Which JRE versions are deployed across my organisation?
On Servers: either the server is hosting a Java SE server application or running an application server.
For application servers, the possibilities are:
WebLogic Server: starting from the Enterprise Edition, you already have everything that is offered by Java SE Advanced.
3rd-party application server: like WebSphere or JBoss, which requires a JRE/JDK to run but does not always fully support it and does not provide profiling/monitoring tools for your infrastructure.
J2EE-like application server: like Tomcat, same comment as for WebSphere/JBoss.
Questions: Are there critical applications running on non-WebLogic servers? How do you perform profiling/monitoring?
AM I MISSING A SCENARIO THAT YOU ARE ACTUALLY USING?
Cisco ASR 2014 Report: https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
Bit9 Research Report: “Java Vulnerabilities: Write Once, Pwn Anywhere” and corresponding infographic
59% of Fortune 500 companies experience a minimum of 1.6 hours of downtime per week. The labor cost of downtime alone for a Fortune 500 company would be $896,000 weekly, translating to $46 million per year (Dun & Bradstreet), i.e. approximately $588K/hour.
Market Overview
Use this slide to provide an overview of the market for this pillar, i.e. include Gartner Quadrants, market share numbers, anticipated growth areas, emerging trends or other relevant background, and identify specific industries if relevant for specific plays, that speak to the opportunities in this area.
If markets are different for each sales play include a market summary per Sales Play.
Where applicable, reference key industry (FSI, Public Sector, Retail, Healthcare, Manufacturing etc.) trends and/or considerations that are relevant for a given play.
In some cases, the business drivers may be different. This is critical for sales plays focused on LOB use-cases.
This graph shows you, per version, how many security fixes have been made since End of Public Updates (EOPU).
So, for instance, if you are running on SE 6u45, the final public release, you will have missed 33 Severity 10 fixes, and a total of 155.
Business continuity is at the core of what businesses need today. However, their approach to application unavailability (downtime), whether due to older versions, security breaches, high volumes or any related reason, is a function of:
Costs of downtime
Historic incidences/frequency
Criticality of uptime
These define their attitude to approaching it:
Risk Mitigation (more like an insurance policy approach)
Risk Management (more a proactive approach to understand causes and manage them better)
Irrespective of their attitude, we have a strategy to address their need with Java SE Advanced.
A closer look (next slide)
Points to emphasize on this slide are:
Java SE follows the Oracle standard of 4 Critical Patch Updates (CPUs) per year, interleaved with feature releases and/or PSU releases.
CPU releases are scheduled 1 year in advance, with all information available here: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Mission critical applications in above slide are defined as applications that are critical for running core business functions for a customer. Over 90% of enterprises across the world use Java to run core business applications that are critical for their business.
“Auto-update turned off” (also referred to as Controlled JRE updates) feature
Reduced amount of effort required in the configuration of desktop JREs. Today almost every large enterprise uses a variety of 'back door' methods to disable AU after a JRE is installed. These include changing Java's registry settings post-install. However, they make those changes using unsupported flags and workarounds, and those settings can change at any time. So customers are basically using an error-prone method that is not recommended. The AU-off feature will give them better control and reduce the uncertainty.
Taking the ability to update away from users gives administrators better predictability of which Java versions are installed in their network. This is extremely critical from a security point of view. Administrators then use system administration software such as MS SCCM or MS Active Directory to roll out future Java updates.
Supported system configurations for each version of Java can be found at the following links:
Java SE 7 - http://www.oracle.com/technetwork/java/javase/config-417990.html
Java SE 6 - http://www.oracle.com/technetwork/java/javase/system-configurations-135212.html
Java SE 5 - http://www.oracle.com/technetwork/java/javase/system-configurations-139801.html
Java SE 1.4.2 - http://www.oracle.com/technetwork/java/javase/system-configurations-139862.html
Simplify JRE installation in an enterprise with the Microsoft Windows Installer (MSI) Compatible Enterprise JRE Installer. Available for Windows 64-bit and 32-bit systems in the Oracle Java SE Advanced products, the MSI-compatible installer enables system administrators to provide automated, consistent installation of the JRE across all desktops in the enterprise, free of user interaction requirements. With the MSI Installer in place, the common set of features to roll back unsuccessful installations to the previous state, to support repairing broken installations and even to install over broken existing installations can all now be leveraged.
The new Microsoft Windows Installer (MSI) Enterprise JRE Installer is available, which enables users to install the JRE across the enterprise. See "Downloading the Installer" in "JRE Installation for Microsoft Windows" for more information. The MSI Enterprise JRE Installer is only available as part of Java SE Advanced or Java SE Suite. For information about these commercial products, see Oracle Java SE Advanced and Oracle Java SE Suite.
The following new configuration parameters are added to support commercial features, for use by Java SE Advanced/Suite licensees only:
USAGETRACKERCFG=
DEPLOYMENT_RULE_SET=
See Installing With a Configuration File for more information about these and other installer parameters.
The Java Uninstall Tool is updated to provide an option for the user to remove older versions of Java from the system. The change is applicable to 32-bit and 64-bit Windows platforms. See Uninstalling the JRE.
The Java Advanced Management Console 1.0 (AMC), available in the Oracle Java SE Advanced products, employs the Deployment Rule Set (DRS) security features along with other functionality to give system administrators greater and easier control in managing Java version compatibility and security updates for users across the desktops within their enterprise. The AMC tool harvests Java Usage Tracker (JUT) data from desktop clients on an enterprise network and parses that data into a local database. This data is accessible from a custom UI to help the desktop administrator create deployment rule sets that ensure correct application execution.
The Java Management Console is available starting with the release of Oracle JDK 8 Update 20 (8u20) with the Java SE Advanced Products.
AMC will then show you how many times a specific application has run, where the application is hosted, how many different desktops have run it, and on which Java versions.
This information is used to create rules, as we see in the next slide, but it is also useful for reporting for audits.
With a supported platform, extended security patching and proof that everything is running securely it will be hard to fail an Audit.
Deployment rule set allows a desktop administrator to control the level of Java client compatibility and default prompts across an organization.
Available since Oracle JDK 7u40
Documentation - http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules.html
Tutorial - https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets
That Candygame is not allowed to run at all.
Defeated, the user then decides to pay his bills. The Banking applet attempts to start in the latest version.
7u20 then runs the app successfully.
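The scenario above written out as a Deployment Rule Set file, added here as an illustration and not taken from the original slides; the two hostnames are constructed placeholders:

```xml
<!-- ruleset.xml: constructed example for the Candygame / Banking scenario.
     Rules are evaluated top to bottom; the first <id> that matches wins.
     Package as DeploymentRuleSet.jar, sign it, and place it in the JRE
     system deployment directory (see the DRS documentation linked above). -->
<ruleset version="1.0+">

  <!-- Candygame is never allowed to run; the user sees the message instead. -->
  <rule>
    <id location="https://candygame.example" />
    <action permission="block">
      <message>Candygame is blocked by corporate policy.</message>
    </action>
  </rule>

  <!-- The Banking applet runs without the usual security prompts and is
       pinned to JRE 7u20, even if a newer JRE is also installed. -->
  <rule>
    <id location="https://banking.example" />
    <action permission="run" version="1.7.0_20" />
  </rule>

  <!-- Everything else falls back to the normal JRE security checks.
       An empty <id /> matches any RIA. -->
  <rule>
    <id />
    <action permission="default" />
  </rule>
</ruleset>
```

The order matters: if the catch-all rule were placed first, neither of the specific rules would ever be reached.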
Let's look closer at Java SE Advanced for Risk Management.
But please, limit yourselves to a maximum of 4 distinct versions.
Lambda Expressions
Make writing parallel code easier. In Java 7 you write code explicitly as serial or explicitly as parallel; with lambda expressions it does not matter, with a minor change you can indicate whether you run serial or parallel. Simplifies code development and enhances productivity, with possible performance enhancement.
Streams
Different styles of programming (imperative as in C, OOP, functional-style constructs) are brought to Java, which simplifies a number of things that are very common in programming: bulk operations, sort and search. Less code to do more.
Streams and Lambda
Lambda is a change to the language syntax; Streams are a change to the core libraries. Streams act as an accelerator for how lambdas execute. Less code, more flexible code: simplification and flexibility.
Annotations
More errors caught before deploying applications, better quality code, less time spent on compilation. You can find errors as you write the code, pre-empting error identification in development rather than deployment, which speeds up the application development process.
Date and Time APIs
Simplified APIs: a new interface makes handling dates and times simpler. In the past, dates and times were handled across geographies in strange ways (Japanese calendars, for instance). A feel-good feature.
Compact Profiles
Expand the possibilities and applicability of where Java can run in a limited footprint.
Stripped Implementations
Goes with Compact Profiles. Allows you to create a subset of your APIs to run in a smaller environment: flexibility/customisation.
Nashorn
A new JavaScript engine for folks who want to use JavaScript in addition to Java.
The first 4 from a cloud perspective... a) Cloud and others... b) nothing cloud specific...
Asking managers at customer companies…
Ironically, a lot of these are connected to the fact that Java is free…