Oracle is not a company I’m fond of. I dislike its business practices immensely, and its security stance has historically been very much a reactive one. I realize that they have immensely complex products, but when quarterly patches regularly cover dozens of security fixes, it’s time to start wondering how seriously they take security.
Over the last couple of weeks, though, two things have happened that give me some hope that a new direction is coming. They don’t yet cause me to change my recommendation that Java should be removed where feasible and secured where it must be present, but it’s a good change nevertheless.