The use of Java and Java software packages is increasing, and although Java has been found to be more secure than other languages, researchers at Fortify Software warn that developers may inadvertently be introducing vulnerabilities into their own code.
In a report from its Java Open Review (JOR) Project, which analyzed four commonly used Java packages -- Spring, Struts, JPA with Hibernate and embedded Tomcat -- Fortify confirms a commonly held belief that software components written in Java are, in general, more secure than components written in languages such as C or C++. The project's analysis found two bugs in Hibernate, four in Spring, eight in Struts and 66 in Tomcat. Altogether, the estimated defect density is 0.07 defects per thousand lines of code.
Fortify also said Java's reliability is due largely to two features of the language: type safety and memory safety. Because the Java compiler can enforce a stronger type safety policy, Java programmers find more of their own bugs when they compile their code. In addition, when Java programs run, the Java Virtual Machine ensures that fewer of the remaining bugs have catastrophic consequences.
The danger to Java programs, according to the report, comes from the sample code that is often shipped with these open source packages, such as code that performs Java object serialization, because such samples are likely to contain vulnerabilities.
"A lot of the open source packages are shipped with code samples, and those code samples are not written very safely," said Barmak Meftah, vice president of products and services at Fortify. "The first concern is that developers use that sample code as is and evolve it into applications. The second is that they use the samples for education and train themselves using insecure examples."
These code samples, Meftah said, are written inadvertently without security in mind. "A lot of developers also cut and paste the sample code, and that can result in bad things happening," he said.
The JOR report also revealed that while the packages themselves did not contain vulnerabilities, they did create situations that may lead programmers to write vulnerable code. For example, Hibernate contains a method named createSQLQuery() that accepts a single string parameter. Fortify says this interface promotes the introduction of SQL injection vulnerabilities by encouraging programmers to create SQL queries using string concatenation.
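The following is an added example, not code from the Fortify report, the article or Hibernate's own samples. It shows the string-concatenation pattern the report warns about beside the parameter-bound form; `session` is an assumed open Hibernate `Session`, `users`/`username` an assumed table and column, and `User` an assumed mapped entity.

```java
import java.util.List;
import org.hibernate.Session;

// Added example (assumptions: open Session, table "users" with column
// "username", and a mapped entity class named User).
public class UserLookup {

    // The pattern the report criticizes: the caller-supplied value is pasted
    // into the SQL text that createSQLQuery() receives. A value containing a
    // single quote ends the string literal, and whatever follows is parsed
    // by the database as SQL rather than as data.
    public static List<?> findUserUnsafe(Session session, String name) {
        String sql = "select * from users where username = '" + name + "'";
        return session.createSQLQuery(sql).list();
    }

    // Hardened native-SQL form: the SQL text is a constant and the value is
    // bound as a named parameter, so the driver always treats it as data.
    public static List<?> findUserSafe(Session session, String name) {
        String sql = "select * from users where username = :name";
        return session.createSQLQuery(sql)
                      .setParameter("name", name)
                      .list();
    }

    // The mechanism Ottinger alludes to: an HQL query against the mapped
    // entity, again with a bound parameter instead of concatenation.
    public static List<?> findUserHql(Session session, String name) {
        return session.createQuery("from User u where u.username = :name")
                      .setParameter("name", name)
                      .list();
    }
}
```

A code review or static analysis rule that flags any `createSQLQuery` call whose argument is not a compile-time constant catches the first method without needing to reason about where `name` came from.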
Joseph B. Ottinger, former editor of TheServerSide.com, said generally the report is correct. "But they're overemphasizing the existence of a few methods that are not encouraged by the library vendors," he said. "And honestly, even the sample programs are described as not being best practices. For example, the createSQLQuery code is definitely not what Hibernate developers would normally suggest using, because Hibernate has much, much easier mechanisms for that purpose that are secure."
Ottinger did agree that a big problem is programmers creating their own code based on those samples without being aware of security issues. "The greatest danger is when someone creates their own library code based on these libraries and doesn't know what security holes there are to avoid," he said. "For example, again using that code, someone might create a utility library to make Hibernate queries 'easier' (by avoiding Hibernate's own query mechanisms) and therefore introducing bugs."
Use of Java, open source software rising
The impact of these insecure development practices is magnified by the fact that the use of Java and open source software is increasing, Fortify researchers say. According to Git searches and Google Directories, the total number of open source packages written in Java (3,469 packages) far exceeds that of any other language: more than double the second most-used language, PHP (1,643 packages), and more than three times that of C++ (929 packages).
"Use of open source application packages is on the rise, and security is a key concern for enterprise adoption and deployment," Dr. William Pugh, a professor at the University of Maryland who developed the FindBugs static analysis tool for Java, said in a statement. "What these scans [from Fortify] found and didn't find is important to understanding and improving the security of open source software."
Cross-site scripting vulnerabilities common
XSS, the most frequently reported type of vulnerability for 2006 in the Common Vulnerabilities and Exposures (CVE) database, can be prevented by validating input parameters on both the client side and the server side before the request is accepted and processing continues. The best way to prevent such an attack, however, is to consider security from the start when building an application.
"Make security an inherent part of the development life cycle," Meftah said. "The more upper management emphasizes security, the more important it will become in the development life cycle."