Skip to content

Contrast Security is Fully Compatible with Amazon Corretto


Amazon recently released Corretto, a Java 8 runtime that is fully-compatible and license-compliant. Both Contrast Assess and Protect are fully compatible with Corretto – no changes are required to code or anything else for users of Amazon’s Java implementation.

How is Contrast compatible without requiring any changes?

Contrast Assess and Protect apply security controls within applications using a feature that was introduced back in Java 5 (Sept 2004). To quote the official JavaDoc on instrumentation, this feature specifically enables programs like Contrast to monitor program execution by “modification of the byte-codes of methods.”

This feature, in every Java Runtime Environment, means that Contrast will work with all Java implementations above Java 5, 6, 7, 8, 9, and so on.

Similar capabilities are used for other Contrast agents to instrument Ruby, Node, Python, etc.

What is the security impact of Amazon Corretto?

Amazon Corretto is simply a build of the OpenJDK project: it neither introduces nor remediates any security risk. There are, however, two benefits to Amazon Corretto:

  1. Amazon has licensed the official Test Compatibility Kit, a suite of tests to verify compatibility beyond simply compiling OpenJDK. This ensures that everything works as expected, beyond the build tests.
  2. Amazon has committed to post quarterly updates until at least June 2023, which means approximately four years of security updates beyond Oracle’s end of Java 8 public updates in April 2019.

The benefit of Contrast with Amazon Corretto is that it provides the same security visibility, detection, and protection capabilities as it does in any other JRE.

Should Contrast users switch to Amazon Corretto?

All users should make their own decisions, however Contrast is able to support any decision without requiring changes.

The following information may be helpful, but is not intended to make or imply any recommendations:

Java 8 was released in March 2014. In April 2019, Oracle will end public updates. Several OpenJDK builds are available that are compatible for all applications that do not use Oracle-specific features:

Neither Java 9 or Java 10 were Long-Term Support builds. Premier support has already ended for both.

The Oracle license for Java 11 has changed significantly, with Oracle’s build being commercial-only.

Public versions of Java 11 and above can be obtained without cost, from the OpenJDK GPL distribution, AdoptOpenJDK, or a future version of Corretto.

Contrast will fully support all of these without changes, as it works entirely within the Java specification.

Erik Costlow, Director of Developer Relations

Erik Costlow, Director of Developer Relations

Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.