Building secure applications is difficult because modern applications are built in layers. In order for an application to be secure, all of the application's layers must be secure. This assurance is one of the benefits that Java technology brings to the table; Java makes a believable claim for providing a secure application foundation.
It's possible for one layer of an application to exhibit a flaw that compromises the security of the entire application. Hundreds of applications that depend on the zlib compression library were rendered vulnerable to possible exploitation by a double-free bug found in the library's logic. Even the Linux kernel itself was affected.
This isn't a phenomenon that is limited to free software projects. In February, CERT issued an alert about possible holes in implementations of SNMP (Simple Network Management Protocol). These vulnerabilities were caused by problems with implementations of ASN.1, a widely used standard for encoding data. ASN.1 is used in many applications beyond SNMP, and all of these applications might be at risk.
Several Java security libraries use ASN.1. Although I have no evidence that these libraries are vulnerable, this episode points out the importance of being able to trust -- and independently verify -- the security of the components and libraries that our applications depend upon. Most Java developers I know aren't working with ASN.1, but they are working with the popular alternative known as XML, and the same rules apply -- it's wise to consider the security of the layers our applications depend upon before we are victimized by their flaws.