The Java Open Review Project
Brian Chess, Founder/Chief Scientist, Fortify Software
June 14, 2007
The Java Open Review Project
Idea: Improve open source reliability by finding bugs and security defects in widely used packages.
Benefits
– Improve reliability of customer applications
– Improve awareness among open source developers
– Hugs/Kisses from marketing department
– Feels right (we use open source too!)
How Java Open Review Works
Bug finding powered by:
– Fortify Source Code Analysis (aimed at security)
– FindBugs (aimed at code quality)
Turn down the dials
– Find problems developers will respond to without any training
Responsible disclosure
– Work with open source developers to get specific bugs fixed
– Disclose the number of bugs to the general public, but not the details
Interface (you can try it)
First 100 Days
Major findings
– Developers respond to security problems
– Good news: Java really is more reliable
– Most common vulnerability: cross-site scripting
– Bad news: sample code considered harmful
Finding: Java is More Reliable
JOR average defects per thousand lines: 0.07
Typical C/C++ defects per thousand lines:
Most Common Vulnerability: Cross-Site Scripting
Cross-site scripting is an easy mistake to make in Java:
Cross-site scripting was also the #1 bug reported to CVE in 2006
Finding: Sample Code Considered Harmful
– Security problems are more frequent in sample code. Do open source developers let their guard down?
– Sample code is used as the basis for applications.
– It cannot be patched because the copied code has been mutated!