I am definitely not a fan of Java security updates. Experts say the same, and so do many companies.
It appears ‘Java is responsible for 91% of attacker entries into networks, with the possibilities linked to major sources like Microsoft Office, Adobe Reader and others. Adobe’s software, in particular, has taken much abuse from hackers over the years, so those numbers really stand out. From a compliance perspective, it is stated that an organization can run into issues with the likes of HIPAA and PCI DSS if they don’t eliminate Java from their environments, or at least lock it down.’
Hackers target Java to get into company systems and networks, so it's not a good idea to ignore it. On the one hand, Java security vulnerabilities require patching just like any other platform; on the other, the updates can cause hell. The updates most often cause programs to completely stop functioning.
So what do we do? Totally eliminate Java, run a non-compliant application, or do the upgrade and break the application?
If eliminating Java is a possibility, then the recommendation is to go with it. Otherwise, use a workaround with a compensating control, which PCI DSS allows, while adhering to and following up on several other security measures to close the gap.