Tuesday, 12 December 2006

Fortify, FindBugs Launch JOR, Aims at Security Boost

Fortify, a provider of software security products, in partnership with FindBugs, the open source Java error detection project, has launched the Java Open Review (JOR) Project. The JOR Project invites the open source software community to submit their Java software projects for a quality and security review. Qualified volunteers using Fortify Source Code Analysis (SCA) are leading the effort.

The goal of the JOR Project is to boost the security and quality of open source software written in Java, one of the languages used by open source software developers. Fortify and FindBugs are providing the review to help open source software project owners identify and fix quality and security errors—before they affect the performance of the software or pose a security risk to users, the companies stated.

"As software becomes increasingly intricate, FindBugs and Fortify Software want to provide open source developers automated tools to help find defects in complex code bases as well as defend against hackers," said Dr. Brian Chess, Chief Scientist at Fortify Software. "No one is helping the Java open source community and we want to fix that."

As part of the JOR Project, Fortify and FindBugs will provide an overview of the review results to the larger community of open source software users. The overview will include the number of security and quality errors discovered and the number of errors per thousand lines of code. Leaders of the participating open source projects are given login access to detailed information on the identified coding errors so they can fix them, officials at both companies said.

The project has kicked off with participation from ten open source projects that have already been reviewed for security vulnerabilities and quality bugs using Fortify SCA and FindBugs. One of the most common defects discovered in this initial effort is cross-site scripting, a security vulnerability that, when exploited, can result in the browser executing malicious code. The most common quality bug identified was the null pointer dereference, which can cause programs to crash or, worse, lead to data corruption. The ten projects that participated in the initial JOR Project report include Azureus, Hyperic, Java Petstore 2.0, Lucene, Nutch, Solr, Tomcat, Webgoat, and Zimbra.
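To make the two defect classes named above concrete, here is an added example (constructed for this article, not code from the JOR Project, Fortify, FindBugs, or any of the reviewed projects). It assumes a plain Java servlet using the javax.servlet API of the period and a hypothetical `SearchServlet` that echoes a `q` request parameter. Each defect is shown in the form a static analyzer would flag, followed by the corrected form: the cross-site scripting issue arises from writing an unencoded request parameter into the HTML response, and the null pointer dereference arises from calling a method on a parameter that is absent from the request.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example: a search servlet containing the two defect classes
// named in the article, each placed next to its corrected form.
public class SearchServlet extends HttpServlet {

    // Defect 1: cross-site scripting. The request parameter is written
    // straight into the HTML response, so any markup the client supplies
    // is interpreted by the browser instead of being shown as text.
    // A source code analyzer reports the flow from getParameter() to println().
    private void echoUnsafe(HttpServletRequest req, PrintWriter out) {
        String q = req.getParameter("q");
        out.println("<p>Results for: " + q + "</p>");
    }

    // Defect 2: null pointer dereference. getParameter() returns null when
    // the parameter is missing, and trim() is then invoked on null, which
    // crashes the request with a NullPointerException.
    private String normalizeUnsafe(HttpServletRequest req) {
        String q = req.getParameter("q");
        return q.trim().toLowerCase();
    }

    // Fix for defect 1: HTML-encode untrusted text before it reaches the page,
    // so the five characters that carry meaning in HTML are rendered literally.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Fix for defect 2: treat a missing parameter as the empty string
    // before any method is called on it.
    static String normalizeSafe(String q) {
        if (q == null) {
            return "";
        }
        return q.trim().toLowerCase();
    }

    // The request handler uses only the corrected forms.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        String q = normalizeSafe(req.getParameter("q"));
        PrintWriter out = resp.getWriter();
        out.println("<p>Results for: " + htmlEncode(q) + "</p>");
    }
}
```

The two unsafe methods are kept only to show the patterns an analyzer such as Fortify SCA or FindBugs reports; `doGet` exercises the corrected versions. Encoding at the point of output, rather than filtering input, is what removes the cross-site scripting finding, because it makes no assumption about where the parameter value came from.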

"Regardless of how talented and meticulous a developer is, bugs and security vulnerabilities will be found in any body of code—open source or commercial," said Josh Bloch, Chief Java Architect at Google.

Fortify and FindBugs first teamed up in May 2006 to provide Java developers with a one-stop solution to improve both software quality and security, and now FindBugs is fully integrated with Fortify SCA 4.0, the company stated.

"With our further collaboration on the JOR Project, we aim to bring together and collaborate with Java open source software developers interested in testing and improving the security and quality of a wide range of projects," said Dr. Bill Pugh, professor of computer science at the University of Maryland.

Copyright @ 2008 SDA Asia Magazine - All Right Reserved Privacy Policy | Terms of Use