In part one of this exclusive two-part interview, Azul executives Simon Ritter, Deputy CTO, and Dean Vaughan, VP APAC, discussed why the ground is shifting beneath enterprises in APAC using Java.
In this instalment, both experts, who have deep ties in open source, offer an insider’s perspective on where Java has been and where it is headed.
Ritter, who joined Sun Microsystems in 1996, wasn’t initially assigned to Java work. At that time, Java was only a year old, at version JDK 1.0.
“Initially, I was on the Solaris side of things, but I could see that Java was going to be something very big,” he said.
Meanwhile, Vaughan, who has been working in open source for 15 years, has seen the technology evolve multiple times.
“What I’m constantly amazed about is just how readily accepted it is in the enterprise, and how open-source technology is running production systems at such a high level,” he remarked.
Promising start
As soon as Ritter saw Java’s potential, he shifted his focus to the programming language and followed it through the Sun Microsystems era until the company was acquired by Oracle in 2010.
“I ended up at Oracle for another five years, and then Oracle decided to pivot more towards the cloud. The area I was working in focused on developer relations, so I was promoting Java as a platform to developers. Then, Oracle decided they didn’t want me to do that anymore, so eventually, we parted ways,” the deputy CTO said.
After Oracle, Ritter joined Azul in 2015. From a technical and market point of view, he was fascinated with how Java has evolved over the years.
“When I first started doing Java at Sun, we were really trying to push its initial adoption. Being a new language and a new platform, it was a very exciting time to see so many companies adopting it to develop applications. Initially, it was applets on the desktop in the browser, which wasn’t very successful. Suddenly, it moved towards the server side, and that’s where we’ve really seen the power of Java, which is the Java Virtual Machine and its scalability in terms of delivering on the promise of the internet,” he recalled.
During his early years at Sun Microsystems, Ritter and several colleagues started the idea of having ‘Java Champions,’ referring to people in the larger open-source community who contributed to furthering Java.
Back then, Sun employees weren’t allowed to be inducted as ‘Java Champions.’ Today, the rules have evolved so that no Oracle employee can hold the title.
“The rules say that if you’re a ‘Java Champion’ and you’re hired by Oracle, you lose your ‘Java Champion’ status. But if you leave Oracle, then you get the status back,” he said.
To become a ‘Java Champion,’ an individual has to demonstrate commitment to helping drive Java adoption, whether through a Java user group, conference presentations, articles, or blogs.
“There isn’t really anything that says you have to do something to maintain that status. Once you’re a ‘Java Champion,’ you’re a ‘Java Champion’ for life. You can never lose that status unless you work for Oracle,” Ritter observed.
Open vulnerabilities
Although open source offers limitless possibilities for developers, a sizable amount of risk is also present, which, if left unchecked, can spell disaster for any enterprise.
“Patching is key. Keeping patches steady and up to date is a bigger challenge than when you’ve got a closed application that is custom-built, because everybody knows Linux and Java. The shift when it comes to open source has been the incredible focus on security patching updates. Even more so now than ever, that is far more relevant,” Vaughan said.
According to Vaughan, many organisations approach open source as a do-it-yourself project, opting for the free version of software and applications.
“Especially when you’re a large enterprise, you’ve got to make sure that you keep your environment patched and that the patches are up to date. Open source has so much value to the customer because it generally works with everyone’s technology, but you can’t take a shortcut with it. You have to make sure that you’re supported and covered,” he explained.
There was one particular company, Vaughan recalled, that was still using Java SE 6, and because the company hadn’t patched in ages, the vulnerabilities had already piled up.
“This is a really important point: open source is incredible and it is here to stay. It’s a very effective mechanism for taking technology to market, offering a win-win for everyone. However, you must ensure that it is secure,” Vaughan added.
The future of Java
For Azul, the game plan has always been to focus on Java and develop it for more use cases.
One of the projects Azul is contributing to OpenJDK is called Java on CRaC, or Coordinated Restore at Checkpoint.
“For example, you’re working on a document on your laptop. You close the laptop, and it goes to sleep. When you move to another room and open the laptop, your document is instantly there. We want to do the same thing with a Java application. We can freeze a running Java application and later start it from the same point. This could be done multiple times, allowing a microservice to start up quickly, just like opening your laptop,” Ritter revealed.
To achieve this, Azul used a simple Spring Boot application, ran it on a machine, and found it took about four seconds from cold start to the first transaction, which, according to Ritter, is average for such an application.
Then, Ritter and his team took a checkpoint of the running application and restarted it using the checkpoint. The result was 40 milliseconds from cold start to the first transaction.
“It was two orders of magnitude faster. Imagine the ability to instantly start applications, handle transactions, and deliver services. That’s what we’re working on and we’re very public about it. We’re contributing it to OpenJDK and putting a lot of effort into promoting that as a way of improving Java overall,” he continued.
Additionally, Azul is enhancing its Java Virtual Machine to collect more information and expose it to users.
“As an example, when somebody identifies a library that has a vulnerability, like Log4j, what do you do? Everybody was freaking out about Log4j, and the problem for most companies is determining whether they have Log4j because they’re a library short. You might use Log4j directly, but you might have a library that includes Log4j, or even a library that includes another library with Log4j. It’s all because of the nature of open source, where people bundle things together,” Ritter said.
While there are lots of tools out there that can do static analysis of code, Ritter’s team is focused on immediately identifying which machines are exposed to the vulnerability at runtime.
“Therefore, you can go to our intelligence cloud and ask it to show all the machines you’ve got running right now that have that library loaded. The library might be part of the application but not actually loaded because it’s not in use at that particular time. What we can show is exactly what’s being used at any time, and that information is very powerful because you know exactly which machines you need to address first,” Ritter explained.
Ritter added that by monitoring over time, his team can identify which code is not being used. This allows developers to eliminate dead code from applications. If an application has been developed over several years, they can remove code that’s no longer required, streamline the code, streamline maintenance, and reduce the attack surface from vulnerabilities.
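The distinction Ritter draws between a library that is bundled somewhere inside an application and one the JVM has actually loaded can be sketched in a few lines. The following is an added example, not Azul's tooling or code from the interview: it assumes each host's class-load log was captured from a JVM started with `-Xlog:class+load`, and the host names, archive layout and log lines are constructed samples.

```python
import io
import re
import zipfile

MARKER = "org/apache/logging/log4j/core/"   # path prefix of log4j-core classes
LOAD_LINE = re.compile(r"\[class,load\s*\]\s+(\S+)\s+source:")

def find_bundled(data, path="app.jar"):
    """Nesting path of every archive, at any depth, holding log4j-core classes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(MARKER in n and n.endswith(".class") for n in names):
            hits.append(path)
        for n in names:
            if n.lower().endswith((".jar", ".war", ".ear")):
                try:
                    hits += find_bundled(zf.read(n), f"{path}!/{n}")
                except zipfile.BadZipFile:
                    pass  # entry only looks like an archive
    return hits

def loaded_classes(log_text, package="org.apache.logging.log4j.core."):
    """Classes from that package the JVM actually loaded, per its class-load log."""
    found = {m.group(1) for m in LOAD_LINE.finditer(log_text)}
    return sorted(c for c in found if c.startswith(package))

def triage(hosts):
    """hosts: {name: (archive_bytes, class_load_log)}; 'loaded' hosts come first."""
    def status(archive, log):
        if loaded_classes(log):
            return "loaded"
        return "bundled-only" if find_bundled(archive) else "absent"
    return {name: status(*pair) for name, pair in hosts.items()}

def make_jar(entries):
    """Build an in-memory archive from {entry_name: bytes} (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: log4j-core sits two archives deep inside the application.
LOG4J = make_jar({MARKER + "lookup/JndiLookup.class": b""})
APP = make_jar({"BOOT-INF/lib/reporting.jar": make_jar({"lib/log4j-core.jar": LOG4J})})
CLEAN = make_jar({"com/example/Main.class": b""})
USED = "[1.2s][info][class,load] org.apache.logging.log4j.core.lookup.JndiLookup source: jar:file:/app.jar!/BOOT-INF/lib/reporting.jar!/\n"
IDLE = "[0.1s][info][class,load] java.lang.Object source: jrt:/java.base\n"
HOSTS = {"host-a": (APP, USED), "host-b": (APP, IDLE), "host-c": (CLEAN, IDLE)}
```

Here `host-a` and `host-b` ship the same archive, but only `host-a` has loaded a Log4j class, so it is the one to address first.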
Furthermore, the company is ramping up its investment in migration services to ensure that enterprises can seamlessly onboard from Oracle or OpenJDK to Azul Platform Prime or Azul Platform Core.
“We’re investing heavily in what we call ‘customer success,’ where a dedicated team steps in to ensure that the customers are happy with us, migrating easily, and getting the support they need through the migration,” Vaughan concluded.