The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007.
The Java Open Review Project

Idea: Improve open source reliability by finding bugs and security defects in widely used packages.

Benefits
– Improve reliability of customer applications
– Improve awareness among open source developers
– Hugs/Kisses from marketing department
– Feels right (we use open source too!)

How Java Open Review Works

Bug finding powered by:
– Fortify Source Code Analysis (aimed at security)
– FindBugs (aimed at code quality)

Turn down the dials
– Find problems developers will respond to without any training

Responsible disclosure
– Work with open source developers to get specific bugs fixed
– Disclose the number of bugs to the general public, but not the details

Interface (you can try it)

First 100 Days

Major findings
– Developers respond to security problems
– Good news: Java really is more reliable
– Most common vulnerability: cross-site scripting
– Bad news: sample code considered harmful

Finding: Java is More Reliable

JOR average defects per thousand lines: 0.07
Typical C/C++ defects per thousand lines:

Most Common Vulnerability: Cross-Site Scripting

Cross-site scripting is an easy mistake to make in Java:

Cross-site scripting was also the #1 bug type reported to CVE in 2006.
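The mistake the slide refers to, shown as an added example (not the slide's own snippet, which is absent from the transcript): a servlet-style handler that concatenates a request parameter straight into HTML, beside the corrected version that HTML-encodes the value first. The class name, method names and the constructed request parameter are assumptions for the demo.

```java
import java.util.Map;

// Added example (not from the slides): the classic XSS pattern in Java web
// code, and the corrected version that HTML-encodes untrusted input before
// writing it into the response. All names and inputs here are constructed.
public class XssDemo {

    // Vulnerable: the request parameter is concatenated directly into HTML,
    // so a value containing markup is rendered by the browser as markup.
    static String renderGreetingUnsafe(String name) {
        return "<html><body><h1>Hello, " + name + "!</h1></body></html>";
    }

    // Hardened: the same value passes through an HTML encoder first, so
    // browser-significant characters reach the page as entities, not tags.
    static String renderGreetingSafe(String name) {
        return "<html><body><h1>Hello, " + htmlEscape(name) + "!</h1></body></html>";
    }

    // Minimal encoder for HTML body and quoted-attribute contexts. Real code
    // should use a maintained library (e.g. the OWASP Java Encoder); this
    // hand-rolled version only keeps the example free of dependencies.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed stand-in for request.getParameter("name").
        Map<String, String> params = Map.of("name", "<script>alert(1)</script>");
        String name = params.get("name");
        System.out.println("unsafe: " + renderGreetingUnsafe(name));
        System.out.println("safe:   " + renderGreetingSafe(name));
    }
}
```

The encoder above is correct only for HTML body and quoted-attribute positions; a value written into a JavaScript block, a URL or a CSS context needs a different encoding for that context.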

Finding: Sample Code Considered Harmful

Security problems are more frequent in sample code.
– Do open source developers let their guard down?
– Sample code is used as the basis for applications.
– It cannot be patched, because the copied code has been mutated!