Fortify Software has released a report (pdf file) through its Java Open Review Project that confirms a commonly held belief that software components written in Java are, in general, more secure than components written in languages such as C or C++. However, the report warns that the security of Java components is often compromised through the sample code and the interface logic that come along with the components. These soft spots lead developers to introduce vulnerabilities when they make use of the open source components.
Fortify’s report analysed commonly used Java packages such as Spring, Struts, Hibernate and Tomcat, which are not stand-alone applications, but rather components that programmers use and combine in order to create their own applications. They are commonly used in the Java world by software vendors and enterprise software developers as essential building blocks for custom-built applications, especially web-based applications.
Despite the strong security demonstrated by these open source packages, Fortify cautions that they should not be viewed as completely safe. The report states that the sample code often included in these open source packages is likely to contain more vulnerabilities than the package itself. Since these code samples are often reused without scrutiny, developers can introduce security holes when leveraging open source. In other cases, reviewed packages that were themselves free of issues exposed interfaces that are likely to lead programmers into writing vulnerable code.
As software is developed, it typically contains 20-30 security and quality defects for every thousand lines of code, according to Carnegie Mellon University’s CyLab Sustainable Computing Consortium. In comparison, Java Open Review analysed multiple open source projects and found, on average, a defect density of 0.07, that is, only 0.07 security and quality defects for every thousand lines of code. With the Open-Source Vulnerability Database estimating a 20 percent increase in reported vulnerabilities from 2005 to 2006, securing code as early in the development process as possible is paramount.
The Java Open Review (JOR) Project was established in December 2006 to boost quality and security in open source software written in Java, one of the fastest growing programming languages used by open source software developers. Through the discovery and reporting of bugs and security vulnerabilities before they become major issues, JOR offers project owners a full analysis of their code so they can quickly act on the findings, while offering consumers a means to gauge the level of risk involved in various open source components. JOR is the only forum dedicated to finding issues in open source Java code.
JOR, which practices responsible disclosure, invites the open source software community to submit their Java software projects for a quality and security review. The efforts are being led by qualified volunteers using Fortify Source Code Analysis (the world’s most proven and widely used source code security analysis solution) and FindBugs, which has been downloaded nearly 350,000 times and is used by hundreds of leading global companies to pinpoint quality issues within Java code. More information is available at http://opensource.fortifysoftware.com.