Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007.

Published byBrook Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007."— Presentation transcript:

1 The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007

2 The Java Open Review Project Idea Improve open source reliability by finding bugs and security defects in widely used packages. http://opensource.fortifysoftware.com Benefits –Improve reliability of customer applications –Improve awareness among open source developers –Hugs/Kisses from marketing department –Feels right (we use open source too!)

3 How Java Open Review Works Bug finding powered by: –Fortify Source Code Analysis (aimed at security) –FindBugs (aimed at code quality) http://findbugs.sourceforge.net/ Turn down the dials –Find problems developers will respond to without any training Responsible disclosure –Work with open source developers to get specific bugs fixed –Disclose number of bugs to the general public, but not details

4 Interface (you can try it)

5 First 100 Days

6 Major findings –Developers respond to security problems –Good news: Java really is more reliable –Most common vulnerability: cross-site scripting –Bad news: sample code considered harmful

7 Finding: Java is More Reliable JOR average defects per thousand lines : 0.07 Typical C/C++ defects per thousand lines: 20 - 30

8 Most Common Vulnerability: Cross-Site Scripting Cross-site scripting is an easy mistake to make in Java: Cross-site scripting also #1 bug reported to CVE in 2006

9 Finding: Sample Code Considered Harmful Security problems more frequent in sample code. Open source developers let their guard down? Sample code used as basis for applications. Cannot be patched because code has been mutated!

10 brian@fortify.com

Download ppt "The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007."

Similar presentations

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.
Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &

Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Gray, the New Black Gray-Box Web Vulnerability Testing Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011.

Gray, the New Black Gray-Box Web Vulnerability Testing Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011.
Static code check – Klocwork

Static code check – Klocwork
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Microsoft Research Faculty Summit 2008. Yuanyuan(YY) Zhou Associate Professor University of Illinois, Urbana-Champaign.

Microsoft Research Faculty Summit Yuanyuan(YY) Zhou Associate Professor University of Illinois, Urbana-Champaign.
Test Environments Arun Murugan – u4430411 Rohan Ahluwalia – u4358281 Shuchi Gauri – u4358305.

Test Environments Arun Murugan – u Rohan Ahluwalia – u Shuchi Gauri – u
It’s tough out there … Outperforming teams are collaborate extensively with their counterparts 54 % more likely to Developers 26.7% No executive.

It’s tough out there … Outperforming teams are collaborate extensively with their counterparts 54 % more likely to Developers 26.7% No executive.
Problem with Software Requirements are complex The client does not know the functional requirements in advance Requirements may be changing Technology.

Problem with Software Requirements are complex The client does not know the functional requirements in advance Requirements may be changing Technology.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.

1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.
Security Metrics in Practice Development of a Security Metric System to Rate Enterprise Software Brian Chess Fredrick.

Security Metrics in Practice Development of a Security Metric System to Rate Enterprise Software Brian Chess Fredrick.
Open Source Workshop1 IBM Software Group Working with Apache Tuscany A Hands-On Workshop Luciano Resende Haleh.

Open Source Workshop1 IBM Software Group Working with Apache Tuscany A Hands-On Workshop Luciano Resende Haleh.
DEEPAK BHIMARAJU; EDWARD ALLEN TEST CHALLENGES IN THE CLOUD.

DEEPAK BHIMARAJU; EDWARD ALLEN TEST CHALLENGES IN THE CLOUD.
Programming and Application Packages

Programming and Application Packages
Open Source Software An Introduction. The Creation of Software l As you know, programmers create the software that we use l What you may not understand.

Open Source Software An Introduction. The Creation of Software l As you know, programmers create the software that we use l What you may not understand.
Presented By: Avijit Gupta V. SaiSantosh.

Presented By: Avijit Gupta V. SaiSantosh.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?

Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?

Similar presentations

Ads by Google