Research finds Java code most secure

New research from software security specialist Fortify reveals that bugs are far less common in Java compared with commercial C/C++ code

Application code security specialist Fortify Software will today unveil research from its Java Open Review (JOR) showing that there are "significantly fewer bugs in open-source Java components than in commercial C/C++ programs". Fortify founder Roger Thornton said that the difference was "an order of magnitude fewer".

Another key finding is that the most common application vulnerability is cross-site scripting, whereby web applications are vulnerable to malicious code injected into web pages being viewed by users. Execution of the injected code forms the basis of phishing and “pharming” attacks.
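The injection the paragraph describes comes down to one coding defect: user-supplied text is written into an HTML page without being encoded, so the browser interprets it as markup rather than data. The following example is added here and is not from Fortify, the Java Open Review, or the article; it shows a vulnerable rendering beside its hardened form and a simple check a code reviewer can apply to the rendered output. The class and method names, and the sample inputs, are constructed for illustration.

```java
// Added example (not the article's or Fortify's code): the cross-site scripting
// pattern described above, as an unsafe renderer beside an escaped one.
public class XssEscapeDemo {

    // Vulnerable: user-controlled text is concatenated straight into HTML, so
    // any markup it contains is executed by the viewing browser.
    static String renderUnsafe(String userName) {
        return "<p>Welcome, " + userName + "</p>";
    }

    // Hardened: encode the five HTML-significant characters before output.
    // After this, the browser can only ever display the text, never run it.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderSafe(String userName) {
        return "<p>Welcome, " + escapeHtml(userName) + "</p>";
    }

    // Review check: the template itself only emits <p> and </p>, so any other
    // tag in the rendered page must have come from untrusted input.
    static boolean containsUnexpectedTag(String html) {
        String stripped = html.replace("<p>", "").replace("</p>", "");
        return stripped.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name and one carrying a script tag.
        String[] samples = { "Alice", "<script>alert(1)</script>" };
        for (String name : samples) {
            String unsafe = renderUnsafe(name);
            String safe = renderSafe(name);
            System.out.println("unsafe : " + unsafe
                    + "  [unexpected tag: " + containsUnexpectedTag(unsafe) + "]");
            System.out.println("safe   : " + safe
                    + "  [unexpected tag: " + containsUnexpectedTag(safe) + "]");
        }
    }
}
```

Running the example shows that the second sample survives `renderUnsafe` as live markup, while `renderSafe` turns it into `&lt;script&gt;...` which the browser displays verbatim. In a real application the escaping would be applied through a templating engine or a library encoder rather than a hand-written switch, and would be chosen per output context (HTML body, attribute, JavaScript, URL), since a single HTML escape is not sufficient for every context.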

Thornton said connectivity with partners and suppliers, legacy application integration, web-facing applications, and outsourcing are “invalidating firms’ traditional security strategy”.

Both Gartner and the US National Institute of Standards and Technology produced reports in 2005 that fingered software flaws as the root cause of security problems. Thornton said the situation hadn't changed yet, but added that leading enterprises like banks and finance houses are addressing these problems and that Fortify is working with hundreds of them to establish secure [code] development initiatives.

"The drivers behind these initiatives are impact on their brand, the fact that customers and partners are attempting similar strategies and also regulatory requirements," added Thornton.

Asked whether it was the infrastructure systems like switches and routers that are causing the problem, Thornton said that, "From our experience, the infrastructure companies are taking this very seriously and the bulk of the problems occur at the higher [application] layers."

Thornton also cast doubt over the widespread view that operating systems are the main source of flaws, pointing out that recent data from the US National Institute of Standards and Technology showed that only 15 percent of flaws could actually be attributed to OS defects.