Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)

Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)

From Foojay.io, the Friends Of OpenJDK! by Foojay.io

May 9, 2026 · 1h 6m · Season 5 · Episode 95

About this episode

The episode discusses the state of Java security, focusing on vulnerabilities, dependency management, and the impact of AI tools.

Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs , to dig deep into the state of Java security in 2025 and beyond. Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall. Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy , to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools…

People in this episode

Host: Frank

Guests: Steve Poole, Dave Welles

Topics covered

  • Java security
  • vulnerabilities
  • dependency management
  • CVE process
  • AI tools in security
  • software development best practices

Keywords

  • Java
  • security
  • CVE
  • dependencies
  • vulnerabilities
  • AI tools
  • software development
  • Maven Central
  • SBOM

Mentioned in this episode

Organizations: HeroDevs, CVE Automation Working Group

Products: Mythos, Snyk, Trivy, OpenRewrite, Renovate

More episodes of Foojay.io, the Friends Of OpenJDK!

Explore listener stats, chart rankings, contacts and more on the Foojay.io, the Friends Of OpenJDK! podcast page.