<p>Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from <a href="https://www.herodevs.com/" target="_blank" rel="ugc noopener noreferrer">HeroDevs</a>, to dig deep into the state of Java security in 2025 and beyond.</p>
<p>Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found, on both sides of the wall.</p>
<p>Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running <a href="https://snyk.io/" target="_blank" rel="ugc noopener noreferrer">Snyk</a> or <a href="https://trivy.dev/" target="_blank" rel="ugc noopener noreferrer">Trivy</a>, to adopting <a href="https://docs.openrewrite.org/" target="_blank" rel="ugc noopener noreferrer">OpenRewrite</a> and <a href="https://docs.renovatebot.com/" target="_blank" rel="ugc noopener noreferrer">Renovate</a> in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you.</p>
<p>A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.</p>
<p><strong>Steve Poole</strong></p>
<ul><li><a href="https://www.linkedin.com/in/noregressions/" target="_blank" rel="ugc noopener noreferrer">LinkedIn</a></li><li><a href="https://foojay.io/today/author/steve-poole/" target="_blank" rel="ugc noopener noreferrer">Foojay Author profile</a></li><li><a href="https://foojay.io/today/crossing-the-river-styx-spring-boot-3-5-and-the-zombie-dependency-problem/" target="_blank" rel="ugc noopener noreferrer">Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem</a></li><li><a href="https://foojay.io/today/why-java-developers-over-trust-ai-dependency-suggestions/" target="_blank" rel="ugc noopener noreferrer">Why Java Developers Over-Trust AI Suggestions</a></li></ul>
<p><strong>David Welch</strong></p>
<ul><li><a href="https://www.linkedin.com/in/dwelch2344/" target="_blank" rel="ugc noopener noreferrer">LinkedIn</a></li></ul>
<p><strong>Content</strong></p>
<p>00:00 Introduction of topics and guests<br>04:00 What are zombie dependencies?<br>05:36 What are CVEs?<br>11:39 How Mythos and other AI tools are influencing the CVE reporting process<br>16:53 How CVEs in the Java runtime are handled<br>21:30 How the industry is looking at the increased security threats<br>30:17 Developers need to make better decisions "the first time" and use the right tools<br>31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...<br>44:48 How "safe" is Maven Central compared to other repository systems<br>50:48 What you can do as a Java developer to make your apps safer<br>59:01 Should we be scared in the coming years and be careful with vibe coding?<br>01:04:27 Conclusion</p>

Foojay.io | Friends of OpenJDK and Java Programming

Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)

MAY 9, 2026 | 65 MIN