At its root, the problem is this: running someone else's code on your computer is a risky activity. Who is to say what the code might try to do and whether or not its activities will be malicious?
This is not a new problem by any stretch of the imagination. In fact, it's really an old problem with a new twist. Nonetheless, the magnitude of the risks is impressive as anyone familiar with Melissa and ExploreZip can attest.
The Java platform was designed to manage mobile code risks. Java is especially cool since it is cross-platform, object-oriented, and network-savvy, and uses modern memory management. In addition, Java's designers attempted to create a system that simultaneously ensures type safety, allows dynamic class loading, and offers policy-based fine-grained access control built on stack inspection.
Sounds great! But from a smart card perspective, the question is whether Java Card is really like Java at all. What's there and what's not? What risks are managed? What are swept under the rug? This talk explores Java security issues as they relate to Java Card 2.1 and the Visa Open Platform.
Dr. McGraw is a noted authority on mobile code security and co-authored both Java Security: Hostile Applets, Holes, & Antidotes (Wiley, 1996) and Securing Java: Getting down to business with mobile code (Wiley, 1999) with Prof. Ed Felten of Princeton. Dr. McGraw is currently writing a book entitled Software Security for Developers (2001). He regularly contributes to popular trade publications and is often quoted in national press articles. URLs: