Foojay.io, the Friends Of OpenJDK! Author: Foojay.io
The podcast of foojay.io, a central resource for the Java community's daily information needs, a place for friends of OpenJDK, and a community platform for the Java ecosystem bringing together and helping Java professionals everywhere. Language: en. Genres: News, Tech News, Technology.
Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)
Episode 95
Friday, 8 May, 2026
Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and Dave Welles, both from HeroDevs, to dig deep into the state of Java security in 2025 and beyond.

Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. Dave, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall.

Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy, to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you.

A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.

Steve Poole
- LinkedIn
- Foojay Author profile
- Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem
- Why Java Developers Over-Trust AI Suggestions

Dave Welch
- LinkedIn

Content
00:00 Introduction of topics and guests
04:00 What are Zombie dependencies?
05:36 What are CVEs?
11:39 How Mythos and other AI tools are influencing the CVE reporting process
16:53 How CVEs in the Java runtime are handled
21:30 How the industry is looking at the increased security threats
30:17 Developers need to make better decisions "the first time" and use the right tools
31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...
44:48 How "safe" is Maven Central compared to other repository systems
50:48 What you can do as a Java developer to make your apps safer
59:01 Should we be scared for the following years and be careful with vibe coding?
01:04:27 Conclusion