Java finally gets a whitelisting feature
The latest Java Development Kit update (JDK 7u40) includes a number of bug fixes, new security features and changes, and among them is one that has been long overdue: a whitelisting option for protecting endpoints.
“The Deployment Rule Set feature is for enterprises that manage their Java desktop environment directly, and provides a way for enterprises to continue using legacy business applications in an environment of ever-tightening Java applet and Java Web Start application security policies,” it is explained in the documentation for the feature.
This feature enables an enterprise to establish a whitelist of known Java Web applications, and those on the whitelist can be run without most security prompts.
For it to work, the new Java Plug-in (available since Java SE 6 Update 10) is required on the endpoints, but also Java 7u40 (the latest version), which will be used to create the rules that will then work for the older version.
The feature has been introduced to help companies that can’t upgrade to the latest Java version and can’t disable the Java plug-in protect its employees.
The rule set is created via a XML file and will be required to be digitally signed with a valid digital certificate issued by a trusted certificate authority.
“The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment. If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java,” the instructions conclude.