
Azul enhances Java platform with vulnerability detection SaaS

The vendor is broadening its remit with capabilities to continuously monitor Java applications in production for known vulnerabilities. Together with support/maintenance offerings for Azul Platform Core and Azul Platform Prime, the new service addresses the top two challenges to cloud-native adoption: security and cost.

Azul is broadening its remit with capabilities to continuously monitor Java applications in production for known vulnerabilities. Together with support/maintenance offerings for Azul Platform Core (a commercialized variant of the OpenJDK implementation of Oracle Corp.’s Java SE) and Azul Platform Prime (a version with a souped-up Java compiler), the new service addresses the top two challenges to cloud-native adoption: security and cost.

The Java platform has been a fixture in enterprise computing for almost 30 years — Java remains one of the most widely deployed programming languages, and the broad-based OpenJDK developer community has helped the platform adapt to fast-changing IT conditions. Azul (formally known as Azul Systems) has long hitched its wagon to Java’s star, adding enhancements at the runtime layer to optimize performance and thus reduce costs, giving customers such as Netflix Inc., BMW AG, Mastercard Inc. and Salesforce Inc. a way to “do more with less” across their Java infrastructure. As cloud deployments grow and applications become distributed across a wider range of systems and venues, real-time visibility into software vulnerabilities is critical. With its recently released Azul Vulnerability Detection service, the company is widening its portfolio to help clients address the issue across environments via Java virtual machines.

Azul takes advantage of Java’s prowess in handling transactions and business logic at the runtime layer, where it has built a fast compiler into Azul Platform Prime JVM to handle the most demanding workloads. The company touts the efficiency of its platform as a way to maintain performance at reduced cost, bringing resources into better alignment with actual usage. This has been a perennial promise of public cloud, and the need to build cost awareness and efficiency into the development workflow is becoming more urgent as deployments grow: 451 Research’s Voice of the Enterprise: Cloud, Hosting & Managed Services, Cloud Spending 2022 survey indicates that 58% of organizations spent more than expected on public cloud in 2022 — 18% were more than 30% over budget — and 68% expect the price tag for cloud to be even bigger in 2023.

Another pain point in cloud-first development is security (see Figure 1). A top priority for addressing this concern is to discover and remediate known vulnerabilities in software builds, and this is the opportunity Azul is pursuing with Azul Vulnerability Detection.

[Figure 1]

Q. What are the primary barriers to greater use of cloud-native technologies such as containers, Kubernetes or serverless in your organization?
Base: Organizations with cloud-native technologies in use or proof of concept for application development/deployment (n=226)
Source: 451 Research’s Voice of the Enterprise: Cloud Native, Adoption & Usage 202


Azul Vulnerability Detection, which reached general availability in November 2022, is a SaaS add-on to Azul’s two flagship offerings, Azul Platform Core and Azul Platform Prime.

The vendor describes Azul Platform Core (formerly known as Zulu Enterprise/Embedded) as a drop-in replacement for Oracle Java SE. The fully supported build of the software (a free community edition is also available) is intended for commercial Java applications where stability, solid commercial support and more competitive pricing are the primary requirements. Azul Platform Core includes quarterly updates with new OpenJDK features, security patches and bug fixes, as well as out-of-cycle critical fixes. The product offers long-term support for older versions (including JDK 8 and JDK 11) that are still widely deployed, as well as backported updates and defined service-level agreements.

Azul Platform Prime (previously called Zing) adds engineering and features to accommodate the most demanding, latency-sensitive workloads. The intellectual property in Azul Platform Prime has been developed over the 20-plus years the company has been in business and refined with each OpenJDK release. Key to its performance is a proprietary just-in-time compiler (Falcon) that enables higher throughput per JVM and thus requires fewer nodes to do the same work. This version also features a warmup accelerator for speeding application start times. For AWS users, Azul Platform Prime supports Graviton2 and Graviton3 processors — the vendor notes that Graviton3 in particular represents an inflection point for Java price performance on AWS and claims 26% faster speed for Azul JVMs than vanilla OpenJDK running on Graviton3 machines.

With Azul Vulnerability Detection, the company is adding a SaaS service to protect applications in production, checking against a continually updated, Java-specific database of common vulnerabilities and exposures in the cloud. Because monitoring and detection capabilities are built into Azul JVMs, the approach is agentless and incurs no performance penalty. Azul says AVD minimizes false positives by focusing on libraries and packages that are in use rather than simply present, basically performing a software composition analysis each time an application is run. The service retains detection history, storing data in an isolated single-tenant instance — a record of components present and in use can be accessed via a REST API or web interface.
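The "in use rather than simply present" distinction can be illustrated with a small triage script. This is an added example, not Azul's implementation and not code from the report: it cross-references a constructed advisory list with the classes recorded by HotSpot's `-Xlog:class+load` logging, and the jar names, class names and advisory ids are made-up placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: components a build-time scan found on disk.
PRESENT = {"web-core-2.1.jar", "xml-tools-1.4.jar", "legacy-ftp-0.9.jar"}

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "xml-tools-1.4.jar": ["CVE-PLACEHOLDER-0001"],
    "legacy-ftp-0.9.jar": ["CVE-PLACEHOLDER-0002"],
}

# Constructed excerpt of JVM output produced with -Xlog:class+load.
CLASS_LOAD_LOG = """\
[0.012s][info][class,load] java.lang.Object source: jrt:/java.base
[0.481s][info][class,load] com.example.web.Router source: file:/app/lib/web-core-2.1.jar
[0.502s][info][class,load] com.example.xml.Parser source: file:/app/lib/xml-tools-1.4.jar
[0.503s][info][class,load] com.example.xml.Entity source: file:/app/lib/xml-tools-1.4.jar
[0.700s][info][class,load] com.example.App$$Lambda/0x01 source: com.example.App
"""

LINE = re.compile(r"\[class,load\]\s+(\S+)\s+source:\s+(\S+)")

def loaded_classes_by_jar(log):
    """Map jar file name -> set of classes the JVM actually loaded from it."""
    loaded = defaultdict(set)
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        cls, source = m.groups()
        if source.endswith(".jar"):  # skip jrt:/ modules and generated classes
            loaded[source.rsplit("/", 1)[-1]].add(cls)
    return dict(loaded)

def triage(present, advisories, log):
    """Split advisory hits into components in use and components only present."""
    loaded = loaded_classes_by_jar(log)
    in_use, present_only = {}, {}
    for jar in sorted(present & set(advisories)):
        target = in_use if jar in loaded else present_only
        target[jar] = {"advisories": advisories[jar],
                       "loaded_classes": sorted(loaded.get(jar, ()))}
    return in_use, present_only

if __name__ == "__main__":
    used, idle = triage(PRESENT, ADVISORIES, CLASS_LOAD_LOG)
    print("in use:", used, "\npresent only:", idle)
```

A component in the "present only" bucket was not loaded in this run, which lowers its priority but does not clear it; a later run can take a different code path, which is why keeping detection history across runs matters.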

Azul has always served customers willing to pay a premium for low latency and high throughput. Earlier in its history, the primary target was the financial services sector. But with a wide range of compute-intensive applications that can materially benefit from quick access to huge datasets — think streaming analytics, media processing and machine learning — the company is emphasizing the impact of its products’ performance on the cloud price-performance equation.

Azul Platform Core generates 40% of revenue, while Azul Platform Prime accounts for most of the rest. Most new customers are rotating off of Oracle Java SE or other non-Oracle JDK distros — Azul Platform Prime buyers may also be upgrading from Azul Platform Core. Both versions are available via an annual subscription and priced on a per-vCore basis with discounts for higher volumes. An Unlimited tier is available for Azul Platform Core, and the company is considering a similar offering for Azul Platform Prime. Azul Vulnerability Detection starts at $35,000 per year for a license with Premium support (Standard and Platinum support tiers are also available), and the vendor charges an additional $0.85 to $3.50 monthly per monitored JVM.

Azul both competes and cooperates with Oracle: Some of its large cloud and software provider customers clearly feel more comfortable dealing with an independent company than directly with Oracle. After moving to require a subscription to use Java in production for commercial applications in 2018, Oracle in 2021 reintroduced a free license, but it applies only to the latest versions and limits free updates to three years after each release. In January, Oracle created a new Java SE Universal Subscription for future purchases that charges per employee (including temps and contractors) rather than by Java instance, causing consternation that costs will increase for most buyers (Oracle asserts that customers of now-legacy subscriptions will be able to renew them under the existing terms).

At this point, many other distributions of OpenJDK are available, including versions from Alibaba, Amazon, BellSoft, IBM, Microsoft, Red Hat, SAP and Tencent Holdings Inc., many of them at no extra cost for users of the vendors’ programs/platforms. Azul Vulnerability Detection joins commercial vulnerability scanning tools available from Invicti, Snyk, JFrog Ltd., Synopsys Inc. and others, along with open-source options, broader application security suites and cloud providers’ own scanning services.

Copyright © 2023 by S&P Global Market Intelligence, a division of S&P Global Inc. All rights reserved.