Java security: present and near future

2 there has been strong and growing interest in Java's security as well as in new security issues raised by this technology's deployment. These concerns have reached the mainstream—the New York Times, the Wall Street Journal, and others have run stories on Java security. However, we must examine Java's trustworthiness comprehensively, from a broad dependability perspective, 3-6 not simply from the journalistic view. A simplistic statement such as " Java is [or is not] secure " doesn't come close to capturing the complexity of the issues involved. To pass judgment on whether Java is a trustworthy language or platform, we must precisely specify requirements of the overall system— in this case, computer systems and the global Internet infrastructure. Only then can we hope to demonstrate vigorously that the platform architecture satisfies or contributes to the satisfaction of the overall requirements, and that the platform's actual implementation satisfies the architecture's design requirement. Unfortunately, neither of these two crucial steps is feasible for security today. The shape and the characteristics of the national (or global) system infrastructure are evolving rapidly. Consequently, such widely used terms as " Internet security " cannot capture the essence of the trustworthiness required of such an infrastructure. (Admittedly, such terms were not very helpful in the past, either.) Moreover, though formal methods have been used successfully to verify some hardware devices, they are not sufficiently advanced to address correctness issues of large-scale software systems. Given this state of affairs, we must use an alternative (albeit less scientific and idealistic) set of criteria to examine platform trust-worthiness. From an industrial point of view, such criteria must include the following considerations: • Usability—To be ubiquitous and accepted in the marketplace, the platform must be easy to use for building small-and large-scale systems and applications. • Simplicity—To inspire confidence in its correctness, the platform cannot be too complex to analyze (by code inspection or testing, for example) for critical properties. • Adequacy—The platform must contain all essential features and building blocks for supporting higher-level trust-worthiness (security) requirements. • Adaptability—The platform must evolve with ease, following demand and market reality. Judged by these (perhaps biased) criteria, Java scores very favorably compared with other existing languages and programming systems. In particular, Java's platform independence greatly reduces the complexity— and thus the probability of design and implementation errors—of dealing with heterogeneous environments. The " write once, run everywhere " philosophy also helps improve …