Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)
Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and Dave Welles, both from HeroDevs, to dig deep into the state of Java security in 2025 and beyond.
Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. Dave, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall.
Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy, to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you.
A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.
Steve Poole
- Foojay Author profile
- Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem
- Why Java Developers Over-Trust AI Suggestions
Dave Welch
Content
00:00 Introduction of topics and guests
04:00 What are Zombie dependencies?
05:36 What are CVEs?
11:39 How Mythos and other AI tools are influencing the CVE reporting process
16:53 How CVEs in the Java runtime are handled
21:30 How the industry is looking at the increased security threats
30:17 Developers need to make better decisions "the first time" and use the right tools
31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...
44:48 How "safe" is Maven Central compared to other repository systems
50:48 What you can do as a Java developer to make your apps safer
59:01 Should we be scared for the following years and be careful with vibe coding?
01:04:27 Conclusion