Java Security Traps Getting Worse 2

By Lisa Vaas  |  Posted 2007-05-09 Email Print this article Print
 
 
 
 
 
 
 

WEBINAR: On-Demand

Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >

Updated: At JavaOne last year, Fortify's Brian Chess discussed how to avoid Java security holes. A year later, with even Sun's manuals containing code with cross-site scripting vulnerabilities, we're actually w

A year ago at JavaOne, Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled "12 Java Technology Security Traps and How to Avoid Them."

A year later, how far have we come in addressing those inherent vulnerabilities, which include XSS (cross-site scripting), SQL injection and native methods that allow the import of C or C++ code—along with its bugs? Not a smidge—unless you count going backwards.

It's gotten worse, Chess said in an interview with eWEEK, "and I've got evidence to prove it."

Fortify, which markets source-code analysis technology, has access to a large database of common Java programming errors and vulnerabilities, gleaned not only from its customers but also from a year of running the Java Open Review project.

In that project, Fortify uses FindBugs, a static analysis tool that looks for bugs in Java code, to look over code in open-source projects such as Apache, Azureus and Tomcat. Fortify does an analysis on each inspected code set, publishes online how many issues it finds and then shares with project maintainers the vulnerability specifics.

What Fortify has found from running the project is that the defect density of open-source code is "astronomical," Chess said, pointing out one project in particular that Fortify has inspected over the past year: Net Trust, with an estimated 12.215 errors per 1,000 lines of code.

"That's huge for a project with 'trust' in its name," Chess said.

Ironically enough, Net Trust is a Google project to create a security mechanism for simple single sign-on and authentication. "But they were students doing not very good code," Chess said.

Net Trust is one of many examples that demonstrate that Java security traps, although known for some time, are snaring more programmers all the time as use of the language grows.

Java expert William Pugh agrees with Chess when it comes to Java security traps getting worse. "XSS is getting to be a very big issue," he said in an interview with eWEEK. "Tools like Fortify's tool set will look for problems with XSS, but it's not easy to cleanse your code of any XSS [vulnerabilities]. The statistics we've seen is that this is on its way to becoming the biggest vulnerability" in Java applications, if not in all Web attacks, he said.

Pugh is a professor in the department of Computer Science at the University of Maryland in College Park, as well as being the author of the FindBug tool that Fortify has used in the Java Open Review project.

Beyond XSS, Pugh said that the two issues people most talk about when they talk security in Java are typically untrusted malicious code and SQL injection. "In a case where you're running applets … [the question is,] what can those applets do? Can they change the behavior of the program you're running in any way?"

"People running stuff on servers, they don't run untrusted code," he said. "[But] another type of security vulnerability that's of much bigger concern is SQL injection. … Those are all continuing to be big issues."

Read the full story on eWEEK.com: Java Security Traps Getting Worse



 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 



















 
 
 
 
 
 

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters