Today, Fortify released its first-ever analysis of open source Java code. In our report, we analyzed four well-known Java packages: Hibernate, Spring, Struts and Tomcat.
The good news: these packages are by and large safe. The bad news: developers are prone to incorporate open source code in ways that lead to vulnerabilities in their own software.
In Hibernate, for instance, we found security holes in sample code. (Sample code is often used by developers to illustrate how the open source application can be deployed in specific scenarios, such as exposing an API.) Since sample code is often pasted into production code to save time, writing insecure code is as easy as Ctrl-C, Ctrl-V.
Another finding: cross-site scripting is the most common software problem found in open source Java code. (So long, buffer overflow.) Cross-site scripting vulnerabilities allow an attacker to run arbitrary JavaScript in a victim's Web browser, which can lead to theft of personal information, hijacking of authentication credentials, or further attacks against computers on the victim's internal network. This is where open source and proprietary Java code actually intersect: according to OWASP, cross-site scripting was the most frequently reported type of vulnerability.
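To make the finding concrete, here is an added example (not code from the Fortify report or from any of the four projects) of the kind of defect a static analyzer flags in Java web code: a request value concatenated straight into an HTML response, beside the same handler with output encoding. The class name, method names and the sample input are all constructed for this illustration; the encoder assumes the value lands in HTML element text, which is the only context it handles.

```java
// Added example, not from the original post: reflected cross-site scripting in a
// servlet-style handler and the output-encoded version of the same handler.
public class XssExample {

    // Vulnerable: the request parameter is concatenated into the page unchanged,
    // so a value containing markup is rendered as markup by the browser.
    static String renderGreetingUnsafe(String name) {
        return "<html><body><h1>Hello, " + name + "</h1></body></html>";
    }

    // Hardened: every character with meaning in HTML text is encoded before the
    // value is placed in the response, so the browser shows it as literal text.
    static String renderGreetingSafe(String name) {
        return "<html><body><h1>Hello, " + htmlEncode(name) + "</h1></body></html>";
    }

    // Minimal entity encoder for HTML element text. Assumption: values placed in
    // attributes, URLs or inline scripts need their own, different encoding rules.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Crude check of the kind a review script might run over rendered output:
    // does the response still contain a raw script tag derived from the input?
    static boolean containsRawScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample input, the standard benign probe used in scanner test cases.
        String input = "<script>alert(1)</script>";
        String unsafe = renderGreetingUnsafe(input);
        String safe = renderGreetingSafe(input);
        System.out.println("unsafe response carries raw script tag: " + containsRawScriptTag(unsafe));
        System.out.println("safe response carries raw script tag:   " + containsRawScriptTag(safe));
        System.out.println(safe);
    }
}
```

The first handler is what the analyzers in this report flag as a tainted data flow from a request parameter to an HTML response; the second breaks that flow by encoding at the output point, which is where the fix belongs regardless of how the value was validated on the way in.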
Our report also confirms the commonly held belief that Java, from a security standpoint, is a more reliable programming language than C and C++.
Our findings come from the Java Open Review (JOR), started in December 2006. JOR uses Fortify SCA to find security holes and FindBugs to pinpoint quality problems. We started JOR because our customers are using more and more open source Java, and security is one of their biggest concerns.
Check out the report by clicking here