Security vulnerabilities found in open source Java projects

Fortify's Java Open Review researchers say the increasingly popular open source software projects such as Struts, Hibernate, and Geronimo have vulnerabilities that need fixing. Processes, too, are needed to ensure enterprise applications are safe.

Enterprises incorporating open source Java software in applications should encourage their open source software maintainers to adopt more secure development practices, according to researchers at Fortify Software Inc., a maker of application security software.

The company found that known vulnerabilities in such popular projects as the Struts application framework, the Hibernate object-relational mapper, and the Geronimo application server need to be addressed. Specific secure software processes must be adopted to reliably uncover and fix such vulnerabilities, says Jacob West, manager of Fortify's security research group. Other projects scanned in the review include Hipergate, JBoss, Jonas, Derby, and Tomcat.

West discussed these issues as he disclosed results of the company's Java Open Review project. As part of that effort, Fortify scanned multiple versions of popular open source Java packages using Fortify's own static analyzer tool set.

"We found significant vulnerabilities in all the packages we looked at," said West. "Teams are failing in terms of the processes they have in place."

Overall, Fortify found that cross-site scripting and SQL injection vulnerabilities are a particular challenge for Java developers. Almost 40,000 such issues were discovered during the course of the Java Open Review project's work.

Those vulnerabilities are dangerous, too, according to West and Larry Suto, an independent software security consultant: as enterprise adoption of open source software has steadily increased, little has been done within the open source software community to implement enterprise-worthy application security measures. Putting secure processes in place is important, West said.

"They don't make the right security expertise available to users," he said. "There is an absence of a secure software lifecycle management process in place. And we found that most of these projects did not use automated tool technology for uncovering common things like cross-site scripting and SQL injection."

Consumers of open source software need to include open source software security analysis in their own processes, West added.

"We see leaders doing that today, particularly in the financial services sector," he said.

The Fortify effort is one of several seeking to better depict the open source software landscape. For its part, software tool house Coverity has used its base source code analysis tools as part of a U.S. Homeland Security Dept. effort to understand open source software vulnerability. A Coverity-run site also characterizes open source projects based on the progress each project makes in resolving defects.

In addition, security issues in the open-source Spring framework recently came to light. Ounce Labs' Advanced Research Team (ART) documented the following vulnerabilities: "ModelView Injection" and "Data Submission to Non-Editable Fields." These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application and providing access to any data, credentials or keys held in the application.
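The "Data Submission to Non-Editable Fields" weakness named above arises from Spring MVC's default behaviour of binding every matching request parameter into a form-backing bean. The following is an added Java example, not code from the article, Ounce Labs, or the Spring project: a bean bound with open binding beside the same controller restricted with `WebDataBinder.setAllowedFields`. The `Account` bean, the controller names and the URL paths are assumptions.

```java
// Added illustration, not code from the article, Fortify, Ounce Labs or the
// Spring project. Account, the controller names and paths are hypothetical.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical form-backing bean: the profile form exposes only "email";
// "role" is assigned by the application and must never come from the request.
class Account {
    private String email;
    private String role = "user";
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

// WEAK: with default binding, every request parameter whose name matches a
// bean property is written into the object, so an unexpected "role" parameter
// in the POST body changes a field the form never exposed.
@Controller
class WeakProfileController {
    @RequestMapping(value = "/profile-weak", method = RequestMethod.POST)
    public String update(@ModelAttribute("account") Account account) {
        // persist account (omitted); role may now hold a client-supplied value
        return "redirect:/profile";
    }
}

// HARDENED: declare an allow-list of bindable fields. DataBinder skips any
// parameter not on the list, so "role" keeps its server-assigned value.
@Controller
class HardenedProfileController {
    @InitBinder("account")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("email");
    }

    @RequestMapping(value = "/profile", method = RequestMethod.POST)
    public String update(@ModelAttribute("account") Account account) {
        // persist account (omitted); only email can have come from the request
        return "redirect:/profile";
    }
}
```

An allow-list is preferable to `setDisallowedFields`, because a deny-list must be revisited every time a new sensitive property is added to the bean.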

1 comment
Security vulnerabilities are found all over the place. Be it Pwn2Own or those bug bounty programs or through these sorts of security sweeps. What I would like to know is if a particular project appears to have a good or bad track record in designing and patching security flaws as they are discovered. The other issue is that we as developers treat open source as 'free' yet we also demand support and development practices equal to or better than paid solutions. It seems like we need to actually support or contribute to efforts if we are to expect them to be at such high standards.