Free service checks Java code for security bugs

Fortify Software Inc. and the FindBugs project have launched a free service that will scan open-source Java software for bugs in the code.

The Java Open Review project (JOR) lets open-source projects run audits of their source code using Fortify’s source code analysis software and the University of Maryland’s FindBugs tool.

With developers focusing on more secure software development practices, the Java community needs more advanced bug-finding tools like JOR, said Barmak Meftah, vice president of product and services at Fortify. “Everybody understands that the cheapest and easiest point to find and fix security bugs is at the time of implementation,” he said.

Open-source developers will now get the benefit of Fortify’s Source Code Analysis software, which is already used by commercial vendors such as Oracle Corp. and Adobe Systems Inc. But the free JOR analysis is not as detailed as one done by Fortify’s commercial product.

Fortify Source Code Analysis can find more than 120 categories of software security problems, Meftah said. The JOR analysis will detail about 40 categories, covering “the most egregious types of security vulnerabilities and the types that developers tend to understand most readily,” he said.

The details of the free source code analysis will be made available only to project contributors so that JOR cannot be used as a hacking tool, Meftah added.

JOR has been working with a handful of open-source projects over the past six weeks and has discovered hundreds of bugs in applications like Tomcat, Zimbra and Java Pet Store. On Monday, the service will be opened up to any Java open-source projects that want to use it, Meftah said.

Sun Microsystems Inc. already uses FindBugs for its GlassFish open-source application server software, said Geoff Halliwell, a manager of application server quality engineering with Sun.

Though Sun has no immediate plans to audit its application server code with JOR, Halliwell said he would “certainly look at it.”

“In my business, we’re always looking to improve,” he said.
