While many security professionals are ready to toss Java–the favored target of attackers’ exploitation efforts–out of the enterprise, business decision makers often fall back on classifying the software as a business necessity.
Yet, neither side generally has a good way to evaluate the threat posed by Java, because they lack data on actual use of Java in the business and how often malware incidents are caused by the software, says Michael Viscuso, CEO of Carbon Black, a business and security intelligence firm. In a presentation in early October at the ISSA International Conference, Viscuso showed attendees how one company evaluated their use of Java–72 workers needed it for online-meeting software–versus its relative threat–a handful of malware infections could be traced back to the exploitation of a Java vulnerability.
“Getting that context helps malware hunters find more malware and, at the same time, helps the decision maker know that, if I am going to disable Java across the enterprise, then I need a replacement to appease those 72 people,” he says. “Now I can answer questions about the security of the business.”