
Java: The Language of Security


Fortify report claims that software written in Java is most secure



April 1, 2007 — 
Software components written in Java are more secure than components written in other languages such as C, C++ or PHP, according to a report from Fortify Software.

The report was released through Fortify's Java Open Review Project, a free initiative that helps open source developers find security vulnerabilities and bugs in their code. It states that a review of several open source Java projects turned up, on average, only 0.07 security and quality defects per thousand lines of code. By contrast, the report puts software written in other languages at 20 to 30 security and quality defects per thousand lines of code.

Fortify attributes Java's safety to its conservative design, which does not lend itself to memory-corruption vulnerabilities such as buffer overflows. According to the company, the Java runtime checks every array index against the array's length before the access happens, so a write past the end of a buffer fails with an exception instead of silently overwriting adjacent memory. Garbage collection, which reclaims an object's memory only once no live reference to it remains, likewise removes the use-after-free and double-free bugs that come with manual memory management.
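The bounds check described above, shown as an added C example rather than code from the article or from Fortify. The struct layout, field names and attacker input are constructed for illustration. `unchecked_copy` is the C pattern the report is criticising: it trusts a caller-supplied length, so an overlong input runs off the end of `name` into the adjacent `is_admin` byte. `checked_copy` does in C what the JVM does on every array store: compare the index against the array length first and refuse the write, leaving the record untouched. Only the bounds-check half of the argument is shown; the garbage-collection half has no C equivalent short of a full runtime.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed example record: a fixed-size buffer followed by a field an
 * attacker would like to control. uint8_t has alignment 1, so is_admin
 * sits at offset 16, immediately after the last byte of name. */
struct account {
    char    name[16];
    uint8_t is_admin;
};

/* C-style copy that trusts the caller's length. With len > 16 the loop
 * writes past name (undefined behaviour in the standard; in practice it
 * clobbers is_admin). Nothing in the language stops it. */
void unchecked_copy(struct account *acct, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        acct->name[i] = src[i];        /* no comparison against 16 */
}

/* The check the JVM performs implicitly on every array access: reject
 * any write that would land outside the buffer before a single byte is
 * stored. Returns 0 on success, -1 where Java would throw
 * ArrayIndexOutOfBoundsException; on -1 the record is not modified. */
int checked_copy(struct account *acct, const char *src, size_t len)
{
    if (len > sizeof acct->name)
        return -1;
    for (size_t i = 0; i < len; i++)
        acct->name[i] = src[i];
    return 0;
}

/* Constructed attacker input: 16 filler bytes plus one byte that lands in
 * is_admin if the bounds check is missing. */
static const char ATTACK[] = "AAAAAAAAAAAAAAAA\x01";
#define ATTACK_LEN 17

int main(void)
{
    struct account a = { "guest", 0 };

    if (checked_copy(&a, ATTACK, ATTACK_LEN) == -1)
        printf("checked_copy: rejected %d bytes, is_admin=%d\n",
               ATTACK_LEN, a.is_admin);

    unchecked_copy(&a, ATTACK, ATTACK_LEN);   /* the C bug, for contrast */
    printf("unchecked_copy: is_admin=%d\n", a.is_admin);
    return 0;
}
```

Compile with `cc -O0 -o bounds bounds.c` if you want to watch the unchecked path flip `is_admin`; at higher optimisation levels the compiler is entitled to assume the out-of-bounds write never happens, which is exactly why such bugs are hard to reason about in C and why a runtime check like `checked_copy` (or the JVM's) is preferable to hoping the layout stays put.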

“It kind of stops you from doing stupid mistakes,” said Barmak Meftah, vice president of products and services for Fortify. “C and C++ are fairly open languages, and so they’re very non-conservative in their approach to garbage collection and memory management. The majority of developers don’t necessarily think of security when they code, and so Java does a really good job of ensuring that you don’t make mistakes.”

However, analyst Jon Rymer of Forrester Research said he is not convinced that evaluating security-related features of languages is very useful. “I don’t believe it’s reasonable to say that any language is inherently more secure than any other language,” he said. “Languages are just products, and so subject to human error in their application. The last five or so years of hacker attacks, I think, say primarily that the various vulnerabilities of runtime environments—Web servers, databases, e-mail servers, desktop apps—are the real problems.”

Meftah, meanwhile, said that developers need to be held more accountable for keeping security in mind when they write code. One software company that has taken this approach, he said, is Microsoft, whose Trustworthy Computing initiative began with a company-wide memo in 2002 calling for more secure products.

“Bill Gates basically sent out a mandate to all the developers of the company saying, ‘Listen, you’re going to be educated on issues of security, and any vulnerabilities that are found in a piece of code that you write are not going to be tolerated at all,’” Meftah said.

The Java Open Review Project runs two static analyzers over each project it reviews: FindBugs, an open source tool that inspects compiled Java code for known bug patterns, and Fortify's own Source Code Analysis (SCA). The defect counts in the report are therefore what those two tools flagged, not the result of a manual audit. Projects reviewed so far include JBoss's Hibernate object-relational mapper and the Spring Framework, along with the Apache Software Foundation's Struts, a framework for building Java EE Web applications, and Tomcat, which implements the Java Servlet and JavaServer Pages specifications. All of these are widely used by developers building Java applications, according to Meftah.

