SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Wed, 9th Nov 2022

Azul has launched a new solution aiming to make Java applications faster and more secure. The company, which has been developing Java technology for two decades, is now targeting a key gap in software security for enterprises across the Asia-Pacific region.

Erik Costlow, the Senior Director of Product Management at Azul, outlined the company's vision in a recent interview. "Azul has been around for about 20 years and we create a fully compatible drop-in replacement to any Java virtual machine that a company is using today," he said. "That helps them run their applications significantly faster by improving performance at lower cost because you pay by compute."

While Azul's virtual machine has long been used to boost Java application performance, attention is now turning to security. The urgency of this focus is heightened, Costlow explained, by global shifts in regulatory and compliance expectations. "One of the challenges that's facing every organisation today worldwide, and the Monetary Authority of Singapore is one of the driving forces over in Asia Pacific, is the role of knowing what software you have, having an inventory and where that software may be vulnerable," he said.

As software becomes more deeply embedded in all aspects of business, the risks relating to insecure components and libraries have grown. Costlow described the problem: "With the proliferation of software…we have a lot of applications that are just very widely deployed and when a small component or a library in that application becomes vulnerable, it puts that organisation at risk of being hacked and having their data compromised."

To address this, Azul is launching a new vulnerability detection solution for Java workloads. Instead of requiring businesses to scan every application component separately, or to insert 'gates' into development pipelines, the solution enables "security testing by just listing what the components are that make up that software." Costlow said, "We give organisations the opportunity to use their runtime environment at production speed to build that inventory and know where they use vulnerable components without having to scan everything, because there are many paths to production."

Traditional approaches to software composition analysis, Costlow explained, tend to focus on build pipelines or container scans—leaving critical gaps once applications enter production. "They miss the components that you download like Apache Kafka, Cassandra or infrastructure components, and they miss the deployment to virtual machines," he noted.

Azul's newly launched product operates within the running Java virtual machine itself, providing what Costlow called "that final production verification for any workload in production to help you know if that workload is vulnerable."

On why he considers this a game-changer for Java, Costlow pointed to the limitations of Java's existing security model. "The Java security model has been largely outdated for about over a decade now where they had a component called the Security Manager that was present and actually is now deprecated," he said. Rather than relying on external, bolt-on security, Azul is "taking the security learnings and putting it into the JVM. We make it possible for teams to do it significantly easier than anything that they do today for wherever they run these Java applications."

According to Costlow, this approach is in step with the direction of the broader software security industry, which increasingly focuses on visibility—a so-called "software bill of materials" (SBOM). As he put it, "One of the things in the security industry is the creation of SBOMs, that is a software bill of materials, or something that helps you know what software makes up your application."

But by targeting production environments, rather than just development or container environments, Azul aims to plug a major security blind spot. "The gap that we are looking to fill is the ability to do that in production workloads," said Costlow. "By operating in production, wherever the workload runs, we get you that final gap of knowing what is in that piece of software and if it's vulnerable."

For developers, this new method means a more focused way to manage security risks. Costlow advised, "The main thing that Java developers should be looking out for is to pay attention to what their software is actually doing, because the role of security is extremely broad and it can mean a lot of different things." He suggested a pragmatic approach: "If you stay focused on what your application does and what your libraries are set to accomplish, now you have filtered the broader attack surface…down directly to the application and you've made it a lot more pertinent for that individual user or individual developer."

He gave a practical example: "I should still worry about Log4j if I'm using a vulnerable version of Log4j, but if I've already patched, it's not really a threat to me. It's nice to know about." By harnessing runtime data to build the threat model, Costlow argued, businesses can save time and direct resources more efficiently. "By staying focused on what your application does, essentially using the runtime to build the threat model, it makes it a lot easier for you to get actionable information and make good use of your time."
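The article describes the technique only in outline: let the running JVM tell you which components it has actually loaded, then check those against known-vulnerable versions, so that an already-patched Log4j is reported as present but not as a threat. The following sketch is an added example of that idea and is not Azul's code, which the article does not show. It assumes Java 17 or later, a hypothetical agent class named RuntimeInventory, and a constructed rule table FIRST_SAFE_VERSION whose version thresholds are placeholders, not advisory data.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.instrument.Instrumentation;
import java.net.URL;
import java.security.CodeSource;
import java.security.MessageDigest;
import java.security.ProtectionDomain;
import java.util.*;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Hypothetical runtime inventory agent (added example, not Azul's product). */
public class RuntimeInventory {

    /** One inventoried component: the JAR on disk plus what its manifest claims about itself. */
    record Component(String jar, String title, String version, String sha256) {}

    /** Constructed placeholder rules: artifact name prefix -> first version treated as safe. Not a real feed. */
    static final Map<String, String> FIRST_SAFE_VERSION = Map.of(
        "log4j-core", "2.99.0",  // PLACEHOLDER threshold, not an advisory value
        "example-lib", "1.2.0"   // constructed entry
    );

    /** Agent entry point: sweep the loaded classes now and again every 60 s on a daemon thread. */
    public static void premain(String args, Instrumentation inst) {
        Thread t = new Thread(() -> {
            while (true) {
                report(inventory(loadedJars(inst)));
                try { Thread.sleep(60_000); } catch (InterruptedException e) { return; }
            }
        }, "runtime-inventory");
        t.setDaemon(true);
        t.start();
    }

    /** Stand-alone mode: inventory the class path (what could load) rather than what the JVM did load. */
    public static void main(String[] args) {
        Set<File> jars = new TreeSet<>();
        for (String entry : System.getProperty("java.class.path").split(File.pathSeparator)) {
            File f = new File(entry);
            if (f.isFile() && f.getName().endsWith(".jar")) jars.add(f);
        }
        report(inventory(jars));
    }

    /** Only JARs that have supplied at least one loaded class count: this is the runtime's own view. */
    static Set<File> loadedJars(Instrumentation inst) {
        Set<File> jars = new TreeSet<>();
        for (Class<?> c : inst.getAllLoadedClasses()) {
            try {
                ProtectionDomain pd = c.getProtectionDomain();
                CodeSource cs = pd == null ? null : pd.getCodeSource();
                URL loc = cs == null ? null : cs.getLocation();
                if (loc != null && "file".equals(loc.getProtocol())) {
                    File f = new File(loc.toURI());
                    if (f.isFile() && f.getName().endsWith(".jar")) jars.add(f);
                }
            } catch (Exception ignored) {
                // bootstrap and synthetic classes carry no usable code source; skip them
            }
        }
        return jars;
    }

    /** Read Implementation-Title/Version from each JAR manifest and hash the file for the inventory record. */
    static List<Component> inventory(Collection<File> jars) {
        List<Component> out = new ArrayList<>();
        for (File jar : jars) {
            String title = "", version = "";
            try (JarFile jf = new JarFile(jar)) {
                Manifest m = jf.getManifest();
                if (m != null) {
                    Attributes a = m.getMainAttributes();
                    title = Objects.toString(a.getValue(Attributes.Name.IMPLEMENTATION_TITLE), "");
                    version = Objects.toString(a.getValue(Attributes.Name.IMPLEMENTATION_VERSION), "");
                }
            } catch (IOException e) {
                continue; // unreadable JAR; a real tool would still log it
            }
            out.add(new Component(jar.getName(), title, version, sha256(jar)));
        }
        return out;
    }

    /** Flag only when a listed artifact is present AND its version is below the threshold (patched = not flagged). */
    static boolean isVulnerable(Component c) {
        for (Map.Entry<String, String> rule : FIRST_SAFE_VERSION.entrySet()) {
            if (c.jar().startsWith(rule.getKey() + "-") && !c.version().isEmpty()
                    && compareVersions(c.version(), rule.getValue()) < 0) return true;
        }
        return false;
    }

    /** Numeric dotted-version comparison; non-numeric segments compare as 0. */
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? parse(x[i]) : 0, yi = i < y.length ? parse(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    private static int parse(String s) {
        try { return Integer.parseInt(s.replaceAll("[^0-9].*$", "")); } catch (NumberFormatException e) { return 0; }
    }

    static String sha256(File f) {
        try (FileInputStream in = new FileInputStream(f)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (Exception e) {
            return "unavailable";
        }
    }

    static void report(List<Component> inv) {
        for (Component c : inv) {
            String h = c.sha256().substring(0, Math.min(12, c.sha256().length()));
            System.out.printf("%s %s %s %s%s%n", h, c.jar(), c.title(), c.version(),
                isVulnerable(c) ? "  <-- matches vulnerable-component rule" : "");
        }
    }
}
```

To run it as an agent, package the class in a JAR whose manifest carries `Premain-Class: RuntimeInventory` and start the application with `java -javaagent:runtime-inventory.jar -jar app.jar`. Running `main` directly inventories the class path instead, which makes the gap the article names visible: the class path lists what could be loaded, while the agent sees the JARs that actually supplied classes to the running process, including ones a build-time scan never saw.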

Azul's new offering comes at a moment of rising awareness about the risks posed by outdated or insecure software building blocks, especially in mission-critical business environments. As regulations and customer expectations mount, Costlow is optimistic that integrating security directly into the core of Java platforms is the way forward.

"All right, thank you very much for the time," he said as the interview concluded.
