How to maximize ROI by choosing the right Java partner for your organization

By: Scott Sellers, Co-Founder and CEO, Azul

After almost 30 years, Java remains the programming language of choice for large-scale enterprise applications in the cloud, on-prem, or hybrid. Its versatility, reliability, stability, and open-source and third-party libraries and frameworks make developing and running applications very efficient.

In January 2023, Oracle changed its licensing and/or pricing for Java for the fourth time in four years. According to the State of Java Survey and Report 2023, an independently run study of more than 2,000 Java users, Java users have taken notice. In fact, 82% of participants are concerned about Oracle’s most recent Java pricing and licensing change and 72% are considering alternative Java providers.

Companies typically change Java providers to reduce their total cost of ownership (TCO), but they often realize unanticipated benefits, including enhanced security readiness, improved performance, and cloud cost optimization. Some Java providers are better equipped to meet an organization’s needs and lower its TCO than others, so confirming that a new provider meets your organization’s needs is critical before making a decision. Asking the right questions in a request for information (RFI) helps gauge the quality of service a potential Java partner will provide.

Here is a list of questions to ask as you consider your migration options from Oracle Java to an alternative provider:

  1. Can you help create an inventory of Java (particularly JVM/JDK) usage? Providing scripts or working with qualified partners can help companies understand all the components in their Java fleets. This can save big money later because Oracle charges based on employee count for even one instance of Oracle Java.
  2. Are your JVM/JDK binaries Technology Compatibility Kit (TCK) tested? The TCK is the suite of tests that ensures distributions are compatible with each other and meet the technical qualifications for each Java version.
  3. What versions of Java do you support, and for how long? Working with a vendor who supports a wide range of versions prepares an organization for the requirements that are likely to come out of its Java inventory process.
  4. What operating systems and architectures do you support? In addition to the operating systems and CPUs currently in use, companies should seek a provider who supports operating systems and architectures they may want to move to in the future, for example Arm64 in the cloud, macOS, etc.
  5. Do you provide quarterly security updates on stabilized builds with a service-level agreement (SLA)? Organizations can stay up to date from a security perspective and also minimize the risk of an expensive regression by updating to stabilized Java builds each quarter. These builds have been used in production worldwide for three months. Also known as Critical Patch Updates (CPUs), stabilized builds provide security-only fixes that ensure Java applications are secure and compliant with internal policies and external regulations.
  6. Do you backport fixes to security issues in later releases to all supported versions on an SLA? Large organizations often have departments running on older versions of Java, such as Java 6, 7 or 8. You need a vendor who backports patches for newly reported vulnerabilities across all these versions.
  7. What is your track record for releasing binaries immediately after the embargo on quarterly security updates is lifted? Even leading providers of OpenJDK sometimes delay the release of new quarterly binaries by several days or even weeks, leaving enterprises vulnerable during the delay window. A provider should release updated binaries within an hour of the embargo being lifted.
  8. Will you provide out-of-cycle updates for critical common vulnerabilities and exposures (CVEs)? Vulnerabilities with the highest scores in the Common Vulnerability Scoring System (those described as “critical”) must be patched right away and may require an out-of-cycle fix. Otherwise, organizations could be exposed for weeks or months.
  9. Do you support optional components such as JavaFX? Organizations that run applications that use JavaFX need a JDK provider who supports JavaFX-based components.
  10. Do you provide indemnification in case of patent litigation? Patent indemnification protects software users against patent infringement claims. Some JDK providers cover legal costs or damages if a third party claims a company is infringing on its patents through its use of the provider’s JDK.
  11. Do you provide protection and indemnification against GNU General Public License (GPL) contamination? OpenJDK is predominantly licensed under GPLv2, which can require the source code of the Java application to be released to the open source community in certain situations. A JDK provider should ensure that software using its JDK is free of GPL contamination risk and provide appropriate legal indemnification.
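An added example (not code from the article or from Azul) of what the Java inventory in question 1 and the quarterly update baseline in questions 5 and 6 can look like in practice: it parses `java -version` banners collected from a fleet, classifies the vendor, and flags Oracle JDK instances (licensing exposure) and builds behind the organization's current security-update level. The host names, banners and baseline update levels are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed `java -version` banners for three hypothetical hosts (illustrative
# samples, not output captured from any real system).
SAMPLE_FLEET = {
    "host-a": 'java version "1.8.0_202"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_202-b08)',
    "host-b": 'openjdk version "17.0.8" 2023-07-18 LTS\n'
              'OpenJDK Runtime Environment Zulu17.44+15-CA (build 17.0.8+7-LTS)',
    "host-c": 'openjdk version "11.0.2" 2019-01-15\n'
              'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)',
}
# Placeholder baseline: the update level per feature release that counts as the
# current quarterly security update. Replace with your provider's latest CPU levels.
BASELINE_UPDATE = {8: 382, 11: 20, 17: 8}

JdkRecord = namedtuple("JdkRecord", "host feature update vendor")
_BANNER = re.compile(r'^(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?', re.M)

def parse_banner(host, text):
    """Parse a banner in the legacy 1.8.0_NNN scheme or the JEP 223 scheme (17.0.N)."""
    m = _BANNER.search(text)
    if m is None:
        raise ValueError(f"{host}: unrecognised version banner")
    major, minor, patch, legacy_update = m.groups()
    if major == "1":                       # legacy scheme, e.g. 1.8.0_202 -> 8u202
        feature, update = int(minor), int(legacy_update or 0)
    else:                                  # JEP 223 scheme, e.g. 17.0.8 -> 17 update 8
        feature, update = int(major), int(patch or 0)
    # Oracle's commercial JDK names itself "Java(TM) SE Runtime Environment";
    # OpenJDK-based distributions say "OpenJDK Runtime Environment".
    vendor = ("Oracle" if "Java(TM) SE Runtime Environment" in text
              else "Azul Zulu" if "Zulu" in text else "OpenJDK (other)")
    return JdkRecord(host, feature, update, vendor)

def audit_fleet(fleet, baseline=BASELINE_UPDATE):
    """Return (host, finding) pairs: Oracle licensing exposure and stale security updates."""
    findings = []
    for host, banner in fleet.items():
        rec = parse_banner(host, banner)
        if rec.vendor == "Oracle":
            findings.append((host, f"Oracle JDK {rec.feature}: licensing exposure"))
        required = baseline.get(rec.feature)
        if required is None:
            findings.append((host, f"Java {rec.feature}: no baseline, possibly unsupported"))
        elif rec.update < required:
            findings.append((host, f"Java {rec.feature} update {rec.update} below baseline {required}"))
    return findings
```

Feed it the banners gathered by whatever collection script or agent you use (for example `java -version 2>&1` on each host) and the findings list becomes the starting point for both the licensing inventory and the patch-currency report.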

Choosing the right Java provider is a critical decision that can have a significant impact on your organization’s success. By asking the right questions and considering the total cost of ownership, you can ensure that you choose the best Java provider for your needs. By doing so, you can not only reduce costs but also improve security readiness, performance, and cloud cost optimization without taking unnecessary risks.

For more information, download a complimentary copy of Azul’s Open JDK Migration for Dummies guide.
