Enterprises incorporating open source Java software in applications should encourage their open source software maintainers to adopt more secure development practices, according to researchers at Fortify Software Inc., a maker of application security software.
The company found that known vulnerabilities in such popular projects as the Struts application framework, the Hibernate object-relational mapper, and the Geronimo application server need to be addressed. Specific secure software processes must be adopted to reliably uncover and fix such vulnerabilities, says Jacob West, manager of Fortify's security research group. Other projects scanned in the review include Hipergate, JBoss, Jonas, Derby, and Tomcat.
West discussed these issues as he disclosed results of the company's Java Open Review project. As part of that effort, Fortify scanned multiple versions of popular open source Java packages using Fortify's own static analyzer tool set.
"We found significant vulnerabilities in all the packages we looked at," said West. "Teams are failing in terms of the processes they have in place."
Overall, Fortify found that cross-site scripting and SQL injection vulnerabilities are a particular problem for Java developers: almost 40,000 such issues were discovered over the course of the Java Open Review project.
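The two bug classes the review counted most often, shown vulnerable and fixed side by side. This is an added example, not code from the Fortify review or from any of the scanned projects; it uses Python's built-in SQLite and html modules so it runs offline, and the table contents and attack strings are constructed. The same pattern maps directly to Java: a string-concatenated java.sql.Statement versus a PreparedStatement with bound parameters, and raw output versus HTML-escaped output in a JSP.

```python
"""SQL injection and cross-site scripting: vulnerable vs. fixed.
Added example; database rows and payloads are constructed for illustration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'user')")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2', 'admin')")
    return conn


def login_vulnerable(conn, name, password):
    """VULNERABLE: the query is built by concatenation, so a quote in the
    input changes the SQL structure. Equivalent to Java's
    stmt.executeQuery("... WHERE name='" + name + "' ...")."""
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    """FIXED: the SQL text is constant; values travel as bound parameters and
    are never parsed as SQL (PreparedStatement.setString in Java)."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def greeting_vulnerable(name):
    """VULNERABLE: untrusted text is spliced straight into HTML."""
    return "<p>Welcome, " + name + "</p>"


def greeting_fixed(name):
    """FIXED: escape at the output point, so <, >, &, and quotes become
    entities and cannot open a tag or attribute."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both payloads through both versions and return the outcomes."""
    conn = make_db()
    # Classic bypass: close the string literal, then comment out the
    # password check. SQLite treats '--' as a line comment, as most
    # databases do.
    sqli_payload = "admin' --"
    xss_payload = "<script>alert(1)</script>"
    results = {
        "sqli_vulnerable": login_vulnerable(conn, sqli_payload, "wrong"),
        "sqli_fixed": login_fixed(conn, sqli_payload, "wrong"),
        "xss_vulnerable": greeting_vulnerable(xss_payload),
        "xss_fixed": greeting_fixed(xss_payload),
    }
    # A legitimate apostrophe breaks the concatenated query outright
    # (a syntax error), while the parameterised query handles it.
    try:
        login_vulnerable(conn, "O'Brien", "x")
        results["apostrophe_vulnerable"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_vulnerable"] = "error"
    results["apostrophe_fixed"] = login_fixed(conn, "O'Brien", "x")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable login returns the admin role without a password; the fixed one finds no such user. The escaped greeting still contains the attacker's text, but only as inert entities, which is the point: escaping is done at the output sink, not by trying to strip "bad" input.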
Those vulnerabilities are all the more dangerous, according to West and Larry Suto, an independent software security consultant, because while enterprise adoption of open source software has steadily increased, little has been done within the open source community to implement enterprise-grade application security measures. Putting secure processes in place is important, West said.
"They don't make the right security expertise available to users," he said. "There is an absence of a secure software lifecycle management process in place. And we found that most of these projects did not use automated tool technology for uncovering common things like cross-site scripting and SQL injection."
Consumers of open source software need to include open source software security analysis in their own processes, West added.
"We see leaders doing that today, particularly in the financial services sector," he said.
The Fortify effort is one of several seeking to better depict the open source software landscape. For its part, software tool house Coverity has used its base source code analysis tools as part of a U.S. Homeland Security Dept. effort to understand open source software vulnerability. A Coverity-run site also characterizes open source projects based on the progress each project makes in resolving defects.
In addition, questions about the security practices of the open-source Spring framework recently came to light. Ounce Labs' Advanced Research Team (ART) documented two vulnerabilities: "ModelView Injection" and "Data Submission to Non-Editable Fields." These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application and access to any data, credentials or keys it holds.
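The "Data Submission to Non-Editable Fields" pattern is what is now generally called mass assignment: a binder that copies every submitted request parameter onto the command object lets a client set fields the form never exposed. The fix is an allow-list of bindable fields, which in Spring MVC is what DataBinder.setAllowedFields(...) provides. The code below is an added example, not the Ounce Labs proof of concept or Spring's own binder; ProfileForm and the two bind functions are constructed stand-ins for a Spring command object and its data binding, and the request parameters are made up.

```python
"""Mass assignment (data submission to non-editable fields): vulnerable
reflective binding vs. allow-listed binding. Added example with constructed
classes and input."""
from dataclasses import dataclass


@dataclass
class ProfileForm:
    """Constructed stand-in for a Spring command object backing an
    edit-profile page. The form only renders display_name and email."""
    display_name: str = ""
    email: str = ""
    is_admin: bool = False   # never rendered on the form, but still a field


def _coerce(value: str, current):
    """Convert a request parameter string to the type of the target field,
    as a framework binder would (bool and int only, for this example)."""
    if isinstance(current, bool):
        return value.lower() in ("true", "on", "1", "yes")
    if isinstance(current, int):
        return int(value)
    return value


def bind_all(form, params):
    """VULNERABLE: bind every parameter whose name matches a field.
    Anything the client names gets set, including is_admin."""
    for key, value in params.items():
        if hasattr(form, key):
            setattr(form, key, _coerce(value, getattr(form, key)))
    return form


def bind_allowed(form, params, allowed):
    """FIXED: only the fields the form is meant to edit are bindable.
    Everything else is left untouched and reported back, so a request
    that tries to set is_admin is visible in logs rather than silently
    honoured."""
    rejected = []
    for key, value in params.items():
        if key not in allowed:
            rejected.append(key)
            continue
        if hasattr(form, key):
            setattr(form, key, _coerce(value, getattr(form, key)))
    return form, sorted(rejected)


# Constructed request: the two real form fields plus an extra parameter
# the attacker added by hand.
ATTACK_PARAMS = {
    "display_name": "Mallory",
    "email": "mallory@example.invalid",
    "is_admin": "true",
}
ALLOWED_FIELDS = {"display_name", "email"}


def demo():
    vulnerable = bind_all(ProfileForm(), ATTACK_PARAMS)
    fixed, rejected = bind_allowed(ProfileForm(), ATTACK_PARAMS, ALLOWED_FIELDS)
    return {
        "vulnerable_is_admin": vulnerable.is_admin,
        "fixed_is_admin": fixed.is_admin,
        "fixed_display_name": fixed.display_name,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allow-list has to be written per form, which is exactly the discipline a framework that binds by reflection makes easy to skip; a deny-list of "sensitive" field names is the weaker alternative because every new field on the object is bindable by default until someone remembers to add it.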