
EPISODE · May 9, 2026 · 1H 5M

Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)

from Foojay.io, the Friends Of OpenJDK! · host Foojay.io | Java and Programming Community

Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs, to dig deep into the state of Java security in 2025 and beyond.

Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall.

Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy, to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you.

A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.

Steve Poole
LinkedIn
Foojay Author profile
Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem
Why Java Developers Over-Trust AI Suggestions

David Welch
LinkedIn

Content
00:00 Introduction of topics and guests
04:00 What are Zombie dependencies?
05:36 What are CVEs?
11:39 How Mythos and other AI tools are influencing the CVE reporting process
16:53 How CVEs in the Java runtime are handled
21:30 How the industry is looking at the increased security threats
30:17 Developers need to make better decisions "the first time" and use the right tools
31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...
44:48 How "safe" is Maven Central compared to other repository systems
50:48 What you can do as a Java developer to make your apps safer
59:01 Should we be scared for the following years and be careful with vibe coding?
01:04:27 Conclusion




Frequently Asked Questions

How long is this episode of Foojay.io, the Friends Of OpenJDK!?

This episode is 1 hour and 5 minutes long.

When was this Foojay.io, the Friends Of OpenJDK! episode published?

This episode was published on May 9, 2026.
