The Asia-Pacific market is experiencing a momentum shift in Java usage, with organisations racing to adapt to new developments.
Azul, a company solely focused on Java, is witnessing its largest growth in the region, with a 37% year-on-year increase in bookings for Fiscal Year 2024. Three major trends are causing this disruption.
In this first of a two-part exclusive interview, Dean Vaughan, VP APAC, and Simon Ritter, Deputy CTO, both from Azul, spoke with Frontier Enterprise during Azul’s PartnerConnect Summit in Bangkok.
Trend #1: Localisation and rising cloud costs
In Southeast Asia, locally developed apps are enjoying significant success compared to Western counterparts such as Uber or eBay due to localisation. One example is Grab’s acquisition of Uber’s Southeast Asian operations, Vaughan noted.
“Grab was prepared to invest in local language for the other countries that Uber, quite frankly, wasn’t. The net result is that these organisations are now facing high cloud costs and are looking for ways to minimise them. And they are, of course, choosing Java,” he said.
Despite the existence of other programming languages, Java is widely adopted in Southeast Asia, Vaughan added.
“Those programming languages might be better in some ways, but what good is building an application in a programming language where you can’t find trained developers? So, there’s a proliferation of SaaS-based organisations needing to cut costs, particularly in Southeast Asia, where stretching that dollar is crucial,” he explained.
Vaughan pointed out that even in Thailand, there is a strong developer community and substantial adoption of local applications.
“Thai is such a unique language, and the population here supports this industry,” Vaughan remarked.
Trend #2: Security and compliance
In India, a crackdown on banks and financial institutions is forcing last-minute compliance after the government discovered several organisations cutting corners on application security.
One particular bank, Vaughan observed, was leveraging OpenJDK to avoid paying licensing costs to Oracle or other providers.
“That bank decided to use the free version, even though it’s only 70% to 80% secure. They’re taking on that risk. The problem is, depending on the Java version you’re using, there are several known vulnerabilities. Hence, if you don’t have that version fully patched, you’re exposed,” he said.
To complicate matters, cybercriminals are alerted about vulnerabilities whenever Java custodians, an exclusive group of individuals with significant contributions to Java development, announce patches for a particular Java version.
“When I was still with Sun Microsystems, we started this idea of Java champions/custodians around 2005-2006, which aimed to recognise people in the wider Java community. Today, we have about 390 Java champions, including six from Azul, myself included,” Ritter recalled.
Once hackers are aware that a certain organisation hasn’t patched yet, it is only a matter of time before disaster strikes.
“They know that a bank in India, for example, is running version 17, and it has certain patches that can be exploited, so they target it. The Indian government is very aware of this, so they’re holding the financial institutions to account, and they’re saying you must have the licences, and you must be patching the latest version,” Vaughan said.
At the moment, Azul has already engaged five of the top 10 banks in India, along with three financial service institutions, and one of the country’s largest securities firms.
“There was a major financial institution with which we were nearing a deal, but they were dragging their feet through procurement. The minute they knew that the RBI was coming in to audit them, they started ringing us to get the documents done. So, they placed the order in time before the Reserve Bank of India audited them. This is the kind of pressure these organisations are facing right now,” Vaughan said.
Across Southeast Asia, the company is also in discussions with banks in the Philippines, Malaysia, and Indonesia.
“We explained to them that they’re trading against newer players, and these new guys are running faster Java, where the difference is so minute, but it can equate to millions of dollars in savings,” Vaughan pointed out.
Trend #3: Oracle’s crackdown
Last year, Azul noticed that Oracle was building its Java team via a LinkedIn posting.
“The ads clearly said knowledge of software compliance required, so we know they were building out their Java team. You can pretty much draw a timeline from when we saw the ads on LinkedIn through to now. Hence, it was three months to find someone, three months to onboard and train them, and another three months to start sending letters and speaking to their customers. Now, that’s where we’re at, and the customers are ringing us,” Vaughan said.
On January 23, 2023, Oracle changed its pricing scheme for Java SE. As a result, organisations were charged based on their number of employees — full-time, part-time, and temporary.
“What’s happening is that the customers are receiving notifications from Oracle saying, ‘We know you’ve been using a lot of Java, and we know that in most cases in Southeast Asia, customers haven’t been paying for it. Therefore, you’ve downloaded the licences and been running Java for the last couple of years. We know it, and here’s the bill.’ Definitely, the customers are freaking out,” Vaughan stated.
Forward strategy
When it comes to open-source projects, customers have become more cautious, especially with recent instances of malicious code being embedded.
Azul, which leverages OpenJDK, has strong governance and controls over who can and cannot commit code to the project, Ritter noted.
“Even with the idea of taking the source code and building it, you need to be able to prove that what you’ve taken is identical and you don’t have anything that’s been injected as you do the build. Therefore, we’re looking at how to have the necessary proof so that we can show exactly what we’ve done to potential customers,” the Deputy CTO said.
In the case of banks and financial institutions, which are under tight regulation, Azul demonstrates how they build the software to ease any concerns.
Ritter explained that Azul also focuses on providing a software bill of materials (SBOM). This SBOM allows them to prove what is actually included in the software, giving an extra level of surety that no bugs are introduced as part of their processes. He highlighted this as one of the most significant initiatives on their platform.
“Unfortunately, there are financial institutions in Asia — whether it’s just a little bit of ignorance or naivety — that are exposed to vulnerabilities. It’s partly on us to educate the banks on how vulnerable they are, because they think they’re okay. However, when we sit down and explain to them that these many hacks happen through Java, they’re quick to make the changes they need to,” Vaughan said.