CERT Secure Coding Standard for Java: Theory and Practice

The CERT Secure Coding Standard for Java is a comprehensive set of rules and recommendations for writing secure Java applications. If you care about the security of the Java code you write, make sure to check it out (the C Secure Coding Standard has already been published as a book, and its C++ sibling is in progress, just in case).

In practice, however, developers that read secure coding guidelines or best practices documents mostly apply the new knowledge to their future work. In the best case, they may have the time to review the code they have written recently. And even then, their now-more-secure code may be just a tiny portion of a large enterprise application combining lots of legacy stuff with code written in other departments, commercial components, etc., running on top of an open-source framework inside a proprietary container.

Even with the help of static code analysis tools, the costs of discovering and eliminating all the security vulnerabilities in such an application may be prohibitive. However, the costs of reducing their exposure may be acceptable. But why is the level of such exposure so high for Java apps in the first place?

For further discussion, continue to my article “Protect Your Java Code – Through Obfuscation And Beyond”.


Excelsior provides practical solutions for the protection of desktop applications based on Eclipse RCP, Tomcat Web applications, and plain Java SE applications.

Categories: Java


Comparative Study of Java Startup Time

The recently issued Excelsior JET 7.2 was, in essence, a maintenance release, because the Excelsior Java team is now mostly focused on the development of the 64-bit version of Excelsior JET. Nevertheless, we have managed to include one major feature in this release – Startup Accelerator.

Combined with the Startup Optimizer available in previous versions of Excelsior JET, it delivers a noticeable improvement in Java application startup time. We have prepared a short comparative study backing this statement:

Java vs Native vs Optimized Java

The following startup time comparison includes different RSS feed readers: two native Windows applications (FeedDemon and FeedReader) and one implemented in Java (RSSOwl). The latter was run on the standard JRE 1.6.0_20 and then compiled with Excelsior JET 7.2 Professional Edition/profile 1.6.0_20.

These applications were run on a mid-range laptop (dual-core ULV Intel Celeron SU2300, 2GB RAM), and their warm and cold startup times were measured as the time to fully display the main window.

Measured this way, the RSSOwl application optimized with Excelsior JET starts:

  • 2x to 3x faster than on the JRE
  • about as fast as the similar native applications

References

Java Startup Time solution page: optimization guidelines, FAQ

Excelsior JET: product info

Categories: Excelsior JET, Java


Nicolas Fränkel: Safely give away your demo applications

Nicolas Fränkel in his blog recommends using Excelsior JET to protect your demo Web applications.

Categories: Excelsior JET, Java, Tomcat


Export RCP Apps As Native Executables Right From Your Eclipse IDE

The Excelsior JET Eclipse plug-in for RCP developers enables you to export your Eclipse RCP application in native code form and deploy it in the wild without the easy-to-hack jar files.

Just compare the structure of exported RCP applications to see the difference:

How Excelsior JET works

With the Eclipse plug-in for Excelsior JET, exporting RCP applications to native code can be done in three simple steps.

STEP 1: Invoke the Export wizard

Click the Excelsior JET button in the Eclipse toolbar.

Eclipse toolbar

The export wizard window will appear.

STEP 2: Select destination

You may export your RCP application into a directory as if you were using the standard Eclipse Product export wizard, or wrap the application into Excelsior Installer to enhance the end-user experience.

Specify the desired Product Configuration file and enter the path to the destination directory or to the installer executable you wish to create.

STEP 3: Export!

Click Finish. The exporting process will start.

Upon successful completion, a dialog will appear, displaying the location of the exported application.

From this dialog, you may also get instructions for the headless build of your RCP application with Excelsior JET and test drive the application installer, if you opted for its creation in STEP 2.

Note: Eclipse RCP applications exported with Excelsior JET no longer need the JRE to run.

Plug-in installation

You may find detailed instructions and the Update Site URL for installing this plug-in into your Eclipse IDE on this page.

Resources

Whitepaper: Two Ways of Securing Eclipse RCP Applications (obfuscation vs. native pre-compilation).

Case studies: RCP developers share their experience with Excelsior JET.

Video tutorial: standalone tools providing the advanced features of Excelsior JET, such as startup time optimization, Java Runtime Slim-Down, installer branding, and others.

Excelsior JET for Eclipse RCP page: product information, sample applications, etc.

Categories: Eclipse RCP, Excelsior JET, Product Updates


Approaches to Java Modularization Compared @Javalobby

Our CTO Vitaly Mikheev has posted to Javalobby a new article covering Sun’s Java Kernel and Project Jigsaw and our Java Runtime Slim-Down:

Future in the Past: a Lightweight Java SE Runtime

If you read it, please make sure to vote! Comments are most welcome too.

Categories: Excelsior JET, Java


Java and OSGi Runtimes Blended Together

Excelsior JET is a compliant Java SE JVM (yes, it has passed the huge JCK test suite).

Today's news: Excelsior JET 6.5 supports the core of the Eclipse Runtime (Equinox OSGi) at the JVM level. Specifically, wiring OSGi bundles, consistency checking before execution and lazy activation of OSGi bundles are supported.

What are the benefits of deploying applications with the JVM that serves as an OSGi container?

As Excelsior JET supports ahead-of-time compilation, the developers of commercial Eclipse RCP and Equinox applications benefit from the ultimate code obfuscation and protection of sensitive data: the applications can be compiled down to native code executables and distributed without the original jar files. Java decompilers are kept at bay.
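The exposure that both the RCP export post above ("easy-to-hack jar files") and this paragraph refer to is easy to make concrete: every string literal in a Java source file survives verbatim in the class file's constant pool, so a plain jar hands hard-coded URLs and credentials to anyone with a hex editor. The following Python scanner is an added example, not Excelsior's code; it parses the constant pool of a class file and lists its string literals, and the sample class bytes (package name, JDBC URL, password) are constructed inline for the demo.

```python
import struct

# Byte sizes of the fixed-length constant pool entries (JVM spec, chapter 4).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
INDEX_TAGS = {7, 8, 16, 19, 20}   # entries that are a single u2 index into the pool

def parse_constant_pool(data):
    """Return {index: (tag, value)} for the constant pool of a class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:                                   # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            # Java stores "modified UTF-8"; 'replace' keeps odd encodings from aborting a scan.
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED_SIZE:
            raw = data[off:off + FIXED_SIZE[tag]]
            off += FIXED_SIZE[tag]
            pool[idx] = (tag, struct.unpack(">H", raw)[0] if tag in INDEX_TAGS else raw)
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
        idx += 2 if tag in (5, 6) else 1               # Long/Double occupy two slots
    return pool

def string_literals(data):
    """Every CONSTANT_String in the class, i.e. every string literal in the source."""
    pool = parse_constant_pool(data)
    return [pool[value][1] for tag, value in pool.values() if tag == 8]

def utf8(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b

def build_sample_class():
    """Constructed sample, not a real artifact: header and constant pool of a
    hypothetical class that hard-codes a JDBC URL and a password. Fields, methods
    and attributes are omitted because the scan stops after the pool."""
    pool = (utf8("com/example/Billing")                # 1
            + b"\x07" + struct.pack(">H", 1)           # 2 Class -> #1
            + utf8("jdbc:mysql://db.internal/prod")    # 3
            + b"\x08" + struct.pack(">H", 3)           # 4 String -> #3
            + utf8("hunter2")                          # 5
            + b"\x08" + struct.pack(">H", 5)           # 6 String -> #5
            + b"\x05" + struct.pack(">q", 42))         # 7-8 Long, two slots
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 50, 9) + pool   # major 50 = Java 6

if __name__ == "__main__":
    for s in string_literals(build_sample_class()):
        print("string literal exposed in class file:", s)
```

Running the scanner over the classes in your own build output before release shows exactly which literals an obfuscator or native compilation would need to hide, and which ones should simply not be in the code.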

Moreover, merging Java and Equinox Runtimes results in the most secure environment for running Eclipse RCP applications. The environment blocks tampering with OSGi bundles and injecting unauthorized code via Java classloading hooks by protecting the Eclipse Runtime itself.

Finally, the consistency of Eclipse RCP applications can be checked statically to prevent run-time errors.

Flash demo, customers’ success stories, sample RCP applications compiled to native code (including the Eclipse IDE) and fully functional trial downloads are available here.

Official press-release
Excelsior JET home page

P.S. This new version of Excelsior JET is mostly focused on Eclipse RCP. However, the implemented Java Runtime technology can be used in other areas where OSGi shines, e.g. for Spring DM. We would greatly appreciate your feedback on this topic.

Categories: Eclipse RCP, Excelsior JET, Java


Java SE 6u10 (aka Consumer JRE) and Excelsior JET

Update 09-Dec-2008: We have released the Java SE 6 Update 10 support add-on for Excelsior JET 6.4.

Update 13-Oct-2008: Thanks to everyone who responded by email or in the comments below. Sun has postponed its release, so we had no choice but to concentrate on beta 2. But now we know that Java SE 6 Update 10 support is very important for a number of our customers, and will start working on the respective Excelsior JET add-on as soon as 6u10 becomes generally available.

We are seeking input from Excelsior JET users to help us prioritize our engineering efforts for the next few weeks. Specifically, we need to know your plans for moving to Java SE 6 Update 10, and here is why:

As you may know, Sun Microsystems is about to release Java SE 6 Update 10 (formerly known as “Update N” and “Consumer JRE”). They describe it as “an update release that introduces new features and enhancements aimed at providing an optimized consumer end user experience.”

Among other improvements are a fully hardware-accelerated graphics pipeline (Windows-only) and a new Swing look & feel called Nimbus. As the Java SE API implementation in the Excelsior JET Runtime is licensed from Sun, these improvements will be available to our product users as soon as we publish the respective add-on.

Now, we could start working on that add-on as soon as Sun releases Java SE 6u10, putting Excelsior JET 6.5 development aside. Or we could continue 6.5 development until reaching the Beta 2 milestone, scheduled for Sep 15. The problem is that two key developers were going to take vacations after that milestone, so the add-on release would be delayed for a few weeks in this case.

That said, would you please let us know whether you need to move to Java SE 6u10 ASAP? You can do that by posting a comment below or dropping a line to java at excelsior-usa.com.

Categories: Excelsior JET, Java
