
Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)
From Foojay.io, the Friends Of OpenJDK! by Foojay.io
May 9, 2026 · 1h 6m · Season 5 · Episode 95
About this episode
The episode discusses the state of Java security, focusing on vulnerabilities, dependency management, and the impact of AI tools.
Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs , to dig deep into the state of Java security in 2025 and beyond. Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall. Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy , to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools…
People in this episode
Host: Frank
Guests: Steve Poole, Dave Welles
Topics covered
- Java security
- vulnerabilities
- dependency management
- CVE process
- AI tools in security
- software development best practices
Keywords
- Java
- security
- CVE
- dependencies
- vulnerabilities
- AI tools
- software development
- Maven Central
- SBOM
Mentioned in this episode
Organizations: HeroDevs, CVE Automation Working Group
Products: Mythos, Snyk, Trivy, OpenRewrite, Renovate
More episodes of Foojay.io, the Friends Of OpenJDK!
- The End of JNI Pain: How WebAssembly Is Quietly Replacing Native Libraries in Java (#98) · June 13, 2026 · 44 min
- From Scripting Language to AI Powerhouse: How BoxLang Is Redefining JVM Development (#97) · May 30, 2026 · 49 min
- Run 35 AWS Services Locally FREE: Floci, Quarkus and GraalVM-Powered, LocalStack Alternative (#96) · May 23, 2026 · 36 min
- More Than a Blog: How Foojay Connects, Sustains, and Evolves the Java Community (#94) · May 2, 2026 · 60 min
- Update Your JDK, Read More Code, and Talk to Your Users: Interviews From VoxxedDays Amsterdam (#93) · April 11, 2026 · 1h 9m
- Java 26 Is Here: What's New, What's Gone, and Why It Matters in 2026 (#92) · March 14, 2026 · 50 min
Explore listener stats, chart rankings, contacts and more on the Foojay.io, the Friends Of OpenJDK! podcast page.