The Java programming language was a breakthrough in the early days of the Internet. What made it so revolutionary at the time was that Java allowed an online application to run on computers with different operating systems (Macs, PCs, etc.). Sun Microsystems released Java in 1995. Today, Java is overseen by Oracle, which acquired Sun in 2010.
Not only has Java proved critical for software development, but the programming language is also widely used in logistics-related applications. Indeed, many supply chain software vendors write their applications in Java. (C Sharp is the other language commonly found in supply chain software.)
That's why when the U.S. Department of Homeland Security issued a warning in January about Java, it was the source of some concern. The federal government advised computer users to disable Java on their Web browsers because hackers could install malicious software on computers running Windows, Mac OS, or Linux. Although the warning was issued to the public, it raised an important question for the supply chain community: Are logistics managers who are using Java-coded supply chain software leaving their operations vulnerable to cyberattack?
According to executives at supply chain software companies using Java, the government's warning is more applicable to consumers than business users. That's because supply chain software runs Java on the servers that host the application. Vishal Minocha, senior global product manager for supply chain solutions at Infor, notes that his company's Java "runs on the server, which does not cause any security vulnerability." Adds Prakash Muthukrishnan, senior director of product strategy at supply chain software developer Manhattan Associates: "The identified Java vulnerabilities [cited in] the government warning are applicable only to applets [that] run inside a browser and not applicable to Java running on servers, stand-alone Java desktop applications, or embedded Java applications."
Java applets are generally used to provide interactive features for a Web browser, such as stock tickers or scrolling text. (Hence the government's advice that browser users disable the Java plugin.) "The Java security risks recently in the news are specific to Java code downloaded and run on the client side browser using Java plugins or applets," says Robert Nilsson, vice president and general manager of software and supply chain intelligence at Dematic Corp. "Applets are not widely used for enterprise applications." He adds that Dematic does not use Java applets in its suite of applications, thus reducing any potential security threat.
Although supply chain vendors say the government's warning is not pertinent, software security experts note that Java running on servers is not immune to hacking. Joseph Feiman, a vice president and fellow at the technology research firm Gartner Inc., says that hackers can penetrate Java enterprise applications. In particular, hackers can engage in a SQL injection attack, which tries to trick the application into surrendering all the records in a database. Another type of potential attack is a buffer overflow attack, in which the hacker tries to overwhelm the data buffer in order to trigger the execution of malicious code or allow the release of confidential data.
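To make the SQL injection point concrete, here is an added illustration (not code from the article or from any vendor quoted in it) of the server-side Java pattern that creates the exposure and the parameterized form that closes it; the `shipments` table, its columns, and the `ShipmentLookup` class are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical lookup of shipment records by customer id; table and column names are assumed. */
public class ShipmentLookup {

    /** Vulnerable: the caller-supplied id is spliced into the SQL text, so the database
     *  cannot distinguish data from query syntax, and a crafted value can widen the
     *  WHERE clause until every row in the table comes back. */
    public static List<String> findShipmentsUnsafe(Connection conn, String customerId) throws SQLException {
        String sql = "SELECT tracking_no FROM shipments WHERE customer_id = '" + customerId + "'";
        List<String> result = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                result.add(rs.getString("tracking_no"));
            }
        }
        return result;
    }

    /** Hardened: the query text is fixed and the value travels as a bound parameter,
     *  so whatever the caller sends is compared as a literal string and never parsed as SQL. */
    public static List<String> findShipmentsSafe(Connection conn, String customerId) throws SQLException {
        String sql = "SELECT tracking_no FROM shipments WHERE customer_id = ?";
        List<String> result = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    result.add(rs.getString("tracking_no"));
                }
            }
        }
        return result;
    }
}
```

The routine testing Feiman calls for later in the article is what catches the first form; a static analysis rule flagging string concatenation into `createStatement`/`executeQuery` is a cheap first check.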
Although logistics managers likely don't have to worry about the current warning, they should press their supply chain software providers to make sure their applications are routinely inspected for security vulnerabilities. "Because hackers invent new kinds of attacks, it requires continuous testing," says Feiman. "If you tested your software a month ago, you have to retest it."
In addition to regular testing, Nilsson, for one, believes the time has come for supply chain software vendors to develop security standards. "Selecting Java over another programming language is not the issue—having security built into the programming standards in place is," he says. "The logistics and supply chain industry should look into developing and implementing standards similar to those in place for credit card transactions for secure interoperability throughout the supply chain network."