...
Do not start the JVM with any agents enabled on a production machine. This compliant solution eliminates the -agentlib
command line argument and installs a security manager, as required by ENV30-J. Create a secure sandbox using a Security Manager.
...
Also, it is necessary to disable the environment variable JAVA_TOOL_OPTIONS
so that JVMTI agents cannot be specified via this mechanism.
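As an added example (not part of the CERT page or its compliant solution), the following POSIX shell launcher enforces both points above: it refuses to start the JVM if an agent is requested on the command line or through JAVA_TOOL_OPTIONS, clears that variable, and passes -Djava.security.manager so the default security manager is installed. The flags -agentlib, -agentpath, -javaagent and -Djava.security.manager are real HotSpot options; the function names and the application arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the CERT page: pre-launch check for JVM agents.
# -agentlib and -agentpath load JVMTI (native) agents; -javaagent loads a
# java.lang.instrument agent. All three let code observe or alter the
# running application, so a production launcher should reject every one.

# Returns 0 when the option string contains no agent-loading flag, 1 otherwise.
# The string is padded with spaces so each flag is matched as a whole token.
has_no_agent_flags() {
    case " $1 " in
        *" -agentlib:"*|*" -agentpath:"*|*" -javaagent:"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Checks the explicit JVM arguments together with whatever the environment
# would inject (contents of JAVA_TOOL_OPTIONS, possibly empty).
# Returns 0 if the launch is clean, 1 if any agent would be loaded.
jvm_launch_is_clean() {
    jvm_args="$1"
    env_opts="$2"
    has_no_agent_flags "$jvm_args" && has_no_agent_flags "$env_opts"
}

# Production launcher (hypothetical): refuses to run if agents were requested,
# unsets JAVA_TOOL_OPTIONS so the JVM cannot pick up agents from the
# environment, then starts the JVM with the default security manager (ENV30-J).
launch_production_jvm() {
    app_args="$*"
    if ! jvm_launch_is_clean "$app_args" "${JAVA_TOOL_OPTIONS:-}"; then
        echo "refusing to start: JVM agent requested on this production host" >&2
        return 1
    fi
    unset JAVA_TOOL_OPTIONS
    java -Djava.security.manager $app_args
}
```

Call `launch_production_jvm -cp app.jar com.example.Main` from the service's start script; a rejected launch exits non-zero and logs the reason to stderr, which is the event to alert on.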
Risk Assessment
Deploying a Java application with the JVM Tool Interface enabled can allow an attacker to monitor or modify its behavior.
...