(07-27-2015, 07:30 PM)kilishan Wrote: What has your experience been in the University with IDE's built on Java. For example, I use PHPStorm, but the thread is about Netbeans, so it's all a similar boat. Any idea the potential things we should be protecting against here?
I tested Netbeans, and some other free Java-based IDEs in 2012, and found them too slow (on Windows) to be usable, and most of the major security news about Java came up later, so I never re-evaluated them.
When it comes to end-users, our biggest problem is usually that we have so little knowledge of what they're actually running before they get infected, and it's very difficult to lock down machines when people are used to the level of freedom they have typically had on their machines. Most of the people running Java here are doing so either because of an application from SAP which requires Java or because the University (or the CSU system) uses it for specific applications.
The most important protections for Java are to make sure it is completely disabled in every browser on the machine (and re-check the configuration after every update) and that it is constantly updated. Zero-day infections do not seem to be as common with Java as with Flash (though, honestly, Adobe had a problem for a long time with their internal version control system being open to people who were releasing exploits for their software, so it's no wonder they might still have issues with zero-days), but nothing has changed to make the initial findings about Java by the US Department of Homeland Security irrelevant.
