Java Security Traps Getting Worse

Updated: At JavaOne last year, Fortify's Brian Chess discussed how to avoid Java security holes. A year later, with even Sun's manuals containing code with cross-site scripting vulnerabilities, we're actually w

A year ago at JavaOne, Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled "12 Java Technology Security Traps and How to Avoid Them."

A year later, how far have we come in addressing those inherent vulnerabilities, which include XSS (cross-site scripting), SQL injection and native methods that allow the import of C or C++ code—along with its bugs? Not a smidge—unless you count going backwards.

It's gotten worse, Chess said in an interview with eWEEK, "and I've got evidence to prove it."

Fortify, which markets source-code analysis technology, has access to a large database of common Java programming errors and vulnerabilities, gleaned not only from its customers but also from a year of running the Java Open Review project.

In that project, Fortify uses FindBugs, a static analysis tool that looks for bugs in Java code, to look over code in open-source projects such as Apache, Azureus and Tomcat. Fortify does an analysis on each inspected code set, publishes online how many issues it finds and then shares with project maintainers the vulnerability specifics.

What Fortify has found from running the project is that the defect density of open-source code is "astronomical," Chess said, pointing out one project in particular that Fortify has inspected over the past year: Net Trust, with an estimated 12.215 errors per 1,000 lines of code.

"That's huge for a project with 'trust' in its name," Chess said.

Ironically enough, Net Trust is a Google project to create a security mechanism for simple single sign-on and authentication. "But they were students doing not very good code," Chess said.

Read the full story on eWEEK.com: Java Security Traps Getting Worse