Java: The Language of Security

Fortify report claims that software written in Java is most secure

April 1, 2007 — Software components written in Java are more secure than components written in other languages such as C, C++ or PHP, according to a report from Fortify Software.

The report was released through Fortify’s Java Open Review Project, a free initiative that helps open source developers detect security vulnerabilities and bugs. It states that, in a review of multiple open source Java projects, only 0.07 security and quality defects were found on average for every thousand lines of code. By contrast, according to the report, software written in other languages contains 20 to 30 security and quality defects for every thousand lines of code.

Fortify attributes Java’s safety to its conservative architecture, which does not lend itself to memory vulnerabilities such as buffer overflows. According to the company, the Java memory manager checks the parameters of memory operations before they reach random access memory. Using a garbage collector to reclaim memory occupied by objects that are no longer reachable can also help to prevent such vulnerabilities.

“It kind of stops you from doing stupid mistakes,” said Barmak Meftah, vice president of products and services for Fortify. “C and C++ are fairly open languages, and so they’re very non-conservative in their approach to garbage collection and memory management. The majority of developers don’t necessarily think of security when they code, and so Java does a really good job of ensuring that you don’t make mistakes.”

However, analyst Jon Rymer of Forrester Research said he is not convinced that evaluating security-related features of languages is very useful. “I don’t believe it’s reasonable to say that any language is inherently more secure than any other language,” he said. “Languages are just products, and so subject to human error in their application. The last five or so years of hacker attacks, I think, say primarily that the various vulnerabilities of runtime environments—Web servers, databases, e-mail servers, desktop apps—are the real problems.”

Meftah, meanwhile, said that developers need to be held more accountable for keeping security in mind when writing code. One software corporation that has adopted this approach, he said, is Microsoft, whose Trustworthy Computing initiative began with a 2002 company-wide memo calling for more secure products.

“Bill Gates basically sent out a mandate to all the developers of the company saying, ‘Listen, you’re going to be educated on issues of security, and any vulnerabilities that are found in a piece of code that you write are not going to be tolerated at all,’” Meftah said.

Fortify is on the front lines of Java code analysis: the Java Open Review Project runs FindBugs, an open source static analysis tool for Java, and Fortify Source Code Analysis (SCA) against submitted code to find vulnerabilities. The project has reviewed Java packages including JBoss’ query service Hibernate and the Spring Framework, as well as the Apache Foundation’s Struts, used to build Java EE Web applications, and Tomcat, which implements Java Servlet and JavaServer Pages. Those packages are used widely by software developers in the creation of applications, according to Meftah.


http://www.sdtimes.com/link/30419