How does Azul ensure that delivered software is secure?

Question:

How does Azul ensure that delivered software is secure? 


Answer:

Azul does the following to ensure the delivered software is safe and secure:

  • All Azul Zulu builds of OpenJDK are verified compliant with the Java Standard Edition (“Java SE”) specifications using the OpenJDK Community Technology Compatibility Kit (TCK) licensed from Oracle.

  • The TCK is a suite of more than 120,000 tests which ensures that a binary build of OpenJDK meets all the specifications of the individual JSRs for a given version of Java SE (e.g. Java 8).

  • Azul is one of a small number of organizations and companies that licenses the TCKs for Java SE. 

  • In addition to running the TCKs on all Zulu builds, the Zulu QA team also performs extensive testing against a wide range of application stacks and open source projects.

  • All security-related questions for OpenJDK are handled by a group of Java security experts called the OpenJDK Vulnerability Group (OJVG).

  • All Zulu security-related questions, including security scans and security testing, are managed through the OJVG.

  • Four of the members of the OJVG are Azul employees.

  • You can see an overview of processes for the OJVG here: http://cr.openjdk.java.net/~mr/ojvg/

  • All Zulu releases include the latest Common Vulnerabilities and Exposures (CVE) fixes.

  • Azul adheres to the industry-standard quarterly Critical Patch Update (CPU) regime to incorporate the latest CVE fixes.

  • The Release Notes for every Zulu release include a list of the CVE fixes incorporated into that release.

  • The Release Notes also enumerate all new features and non-security fixes.

  • All Zulu builds are signed to prevent tampering.

  • Azul provides checksums for all Zulu builds.

  • Azul uses antivirus and antimalware protection.

  • All Zulu Subscriber Access (SA) builds are compliant with the GNU General Public License v2 with the Classpath Exception (GPLv2+ce). This ensures that your own distributions will be free of classpath contamination that might inadvertently render your own code open source.

Azul is currently working on an official Software Development Life Cycle (SDLC) Security Policy document, which is expected to be finalized in 2021.
