Java Open Source Software to be Scrutinized
13 Dec 12:55

Fortify Software Inc., in partnership with FindBugs, has launched the Java Open Review (JOR) Project. The Project invites the open source software community to submit their Java software projects for a quality and security review.

The efforts are being led by qualified volunteers using Fortify Source Code Analysis (SCA), Fortify's source code security analysis solution, and FindBugs, a system that finds bugs in Java code.

The goal of the JOR Project is to boost the security and quality of open source software written in Java, one of the fastest growing programming languages used by open source software developers. Fortify and FindBugs are providing the review to help open source software project owners identify and fix quality and security errors quickly - before they affect the performance of the software or pose a security risk to users.

As part of the JOR Project, Fortify and FindBugs will provide a high-level overview of the review results to the larger community of open source software users. The overview of results will include the number of security and quality errors discovered and the errors per thousand lines of code. The leaders of the participating open source projects are provided login access in order to gain detailed information on the coding errors identified so they can fix problems quickly.

The project has kicked off with participation from 10 widely used open source projects that have already been reviewed for security vulnerabilities and quality bugs using Fortify SCA and FindBugs. One of the most common defects discovered in this initial effort is cross-site scripting, a security vulnerability that, when exploited, can result in the browser executing malicious code. The most common quality bug identified was the null pointer dereference, which can cause programmes to crash or, worse, lead to data corruption. The 10 projects that participated in the initial JOR Project report include: Azureus, Hyperic, Java Petstore 2.0, Lucene, Nutch, Solr, Tomcat, Webgoat, and Zimbra.
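As an added illustration, not code from the JOR Project, Fortify or FindBugs: the two defect classes the report names, each beside a corrected form, written in plain Java so it runs with only the JDK. The class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

public class JorDefectExamples {
    // Cross-site scripting: untrusted input is concatenated straight into HTML,
    // so a value like "<script>...</script>" reaches the browser as markup.
    static String greetingUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Fixed: encode HTML metacharacters before the value enters the markup,
    // so the browser renders it as text instead of executing it.
    static String greetingSafe(String name) {
        return "<p>Hello, " + escapeHtml(name) + "</p>";
    }

    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Null pointer dereference: Map.get returns null for a missing key and the
    // result is used without a check, the quality defect the report names.
    static String hostUnsafe(Map<String, String> config) {
        return config.get("host").trim(); // throws NullPointerException if absent
    }

    // Fixed: handle the missing value explicitly rather than dereferencing null.
    static String hostSafe(Map<String, String> config, String fallback) {
        String v = config.get("host");
        return v == null ? fallback : v.trim();
    }

    public static void main(String[] args) {
        String hostile = "<script>alert(1)</script>"; // constructed sample input
        System.out.println(greetingUnsafe(hostile));    // markup passes through
        System.out.println(greetingSafe(hostile));      // rendered as inert text
        Map<String, String> cfg = new HashMap<>();      // constructed: no "host"
        System.out.println(hostSafe(cfg, "localhost"));
    }
}
```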

[Excellent initiative! Producers of closed source software again and again prove incapable of producing reasonably secure software, often despite well publicized and even well financed efforts. Many of the large software manufacturers simply keep schtumm when it comes to security problems in their products. The open source community, being open as part of its ethos, must be open in this respect also, and take every step to produce error-free software. This is a great step in that direction. --Ed].

Related links:
opensource.fortifysoftware.com
www.fortifysoftware.com
findbugs.sourceforge.net
