What is the focus of your Java strategy?

Compliance, Security, Costs

Where is the Focus of Your Java Strategy?

Compliance, Security, Costs: What is the Focus of Your Java Strategy?

In April 2019, the rules for Oracle JDK Licensing were changed to require a commercial subscription in order to deploy security patches and updates for Java (personal usage and development excluded).

More than a year has passed and there are many lessons to be learned by analyzing the different Java strategies and approaches that organizations have put in place. Read on to learn more about the results of strategic conversations, projects and advisories we’ve had with our customers and the perspective we’ve gained by supporting them in defining their Java strategies.

For many organizations, the biggest challenge when it comes to Java has been the lack of visibility and control over thousands of software installations across different versions. Besides the usage of commercial features, Oracle Java could also be deployed for free with security patches available online

What is the focus of your Java strategy?
Customers' challenge with Java, source: SoftwareONE

Oracle Java 8 is the most widely used version but we still see installations of 7, 6 and even Java 5 in some customer environments. The most recent Long Term Support release, Java 11, is also gaining in popularity and usage.

While the latest security patches and updates for Java 8 and 11 are available to download online for free, in most cases their deployments require a subscription.

Although Oracle released several announcements about the planned licensing changes beforehand, we still saw a significant amount of confusion and the need for guidance across our customers. Around 50 percent of the companies that took part in our recent SoftwareONE webinars (in both DACH and North America) said they have not yet taken any actions on their Java strategy, even one year after the licensing changes.

Top Three Scenarios for Your Java Strategy

For those organizations looking to optimize their Java strategy, we have created the following three scenarios to provide guidance for the compliance, financial, and security perspectives.

1. Focus on Compliance

There is a short-term solution to avoid the risk of deploying Java patchsets without owning the required subscriptions - remove those that fall into this category and replace them with older patchsets, as long as the applications support them.

This, however, requires your organization to have an inventory solution in place that can identify all of your Oracle Java installations and highlight where compliance issues might arise. In the picture below all Oracle JDKs previously updated to a patchset requiring a subscription have been moved back to a “compliant” situation.

What is the focus of your Java strategy?
Scenario 1 - Compliance, source: SoftwareONE

This compliance-focused scenario is a reactive approach that many organizations have adopted to limit their financial risks before defining their long-term Java strategies. However, it means neglecting the need to patch Oracle Java as they would with any other software.

Strength of Scenario

Criteria Evaluation

2. Focus on Security

Organizations that identify security as the main priority for their Java strategies might have business applications that are highly dependent on Oracle Java and cannot afford to have them unavailable, even for a few hours. Therefore, they decide to cover their business critical environments with Oracle Java subscriptions and cover both security and compliance while doing so.

In the picture below all Oracle JDKs are being updated to the latest available patchset.

What is the focus of your Java strategy?
Scenario 2 - Security, source: SoftwareONE

As a matter of fact, more than 600 vulnerabilities have been found on Oracle Java since 2007 and security patches are released quarterly to provide a secure environment.

Strength of Scenario

Criteria Evaluation

3. A Hybrid Focus

The strongest scenario is one that is based on compliance, costs and security simultaneously.

By identifying and implementing an OpenJDK distribution as a possible alternative to Oracle JDK, organizations can leverage a community-based distribution to upgrade and patch the software without any additional subscription costs. Alternatively, for organizations that require support, commercial subscriptions are available for OpenJDK as well.

Implementing OpenJDK and setting it as a standard requires testing to understand its compatibility with applications. The good news is that starting with JDK 11, the differences in the binary code between Oracle and OpenJDK have reduced significantly.

In the picture below “uncompliant” Oracle JDKs are being migrated to OpenJDK and upgraded to the latest patchset.

What is the focus of your Java strategy?
Scenario 3 - Hybrid focus, source: SoftwareONE

A hybrid strategy can be pursued by organizations in the middle-long term to generate financial savings, ensure security and reach compliance.

Strength of Scenario

Criteria Evaluation

When determining your long-term Java strategy, you’ll want to focus on the financial, security and compliance aspects. Whatever your Java roadmap is, SoftwareONE - with its 50+ Oracle and Java experts worldwide and its unique technology to recognize applications running on Java - is here to help you define your roadmap and support you along the way.

What is the focus of your Java strategy?
SoftwareONE Java Expertise

Java Advisory Services

SoftwareONE’s Java Advisory Services offers comprehensive intelligence based solutions that ensure your company is fully covered regarding the latest Java licensing changes.


Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment


Massimo Borrelli

Presales Oracle & SAP Services

EuroCloud Europe, CSAM, ISTQB Certified Tester, ITIL Foundation Certificate

Related Articles

Oracle Fusion Cloud

Oracle Fusion Cloud - Common Compliance Issues

Early adopters of Oracle’s Fusion Cloud Services have been confronted with the first “compliance claims.” In this article we focus on the most common compliance issues seen at these customers.


Oracle Java Release 17 - Is it Free Again?

On September 13th, Oracle released its new Long Term Support (LTS) release of Oracle Java: Release 17. Many end users claim that with this new release, Oracle Java is “free of charge” again. But is it?


Oracle Cloud – Setting Up Individual Users

In this article we focus on how the actual license metrics of Oracle’s Fusion Cloud Services dictate the importance of setting up and monitoring your users in a complete and accurate manner.