In a report from its Java Open Review (JOR) Project, which analyzed four commonly used Java packages -- Spring, Struts, Hibernate and Tomcat -- Fortify confirms a commonly held belief that software components written in Java are, in general, more secure than components written in languages such as C or C++. The project's analysis found two bugs in Hibernate, four in Spring, eight in Struts and 66 in Tomcat. Altogether, the estimated defect density for every thousand lines of code is 0.07. "A lot of the open source packages are shipped with code samples, and those code samples are not written very safely," said Barmak Meftah, vice president of products and services at Fortify. "The first concern is that developers use that sample code as is and evolve it into applications. The second is that they use the samples for education and train themselves using insecure examples."
What Fortify didn't say, however, is that the open source vendors don't encourage the use of that sample code. Plus, those vendors have their own easier mechanisms that are secure.
Article: Java secure, but developers introduce vulnerabilities (5 messages)
- Posted by: Michelle Davidson
- Posted on: March 09 2007 11:08 EST
According to a recent article on SearchSoftwareQuality, researchers at Fortify Software conclude that Java is more secure than other languages, but they warn that developers may inadvertently be introducing vulnerabilities into their own code. From the article (quoted above).
Threaded Messages (5)
- I think the article is right... by Arron Bates on March 09 2007 11:43 EST
- Re: Article: Java secure, but developers introduce vulnerabiliti by Casual Visitor on March 10 2007 05:38 EST
- Methinks "Java is more secure" should perhaps be the title... by m pantla on March 12 2007 04:31 EDT
- Re: Methinks "Java is more secure" should perhaps be the title.. by J Dev on March 12 2007 08:56 EDT
- Samples are samples and no sources for copy and paste by Frank Nimphius on March 13 2007 03:34 EDT
I think the article is right...
- Posted by: Arron Bates
- Posted on: March 09 2007 11:43 EST
- in response to Michelle Davidson
What Fortify didn't say, however, is that the open source vendors don't encourage the use of that sample code. Plus, those vendors have their own easier mechanisms that are secure.
...while open source projects don't always encourage the production use of the sample code, the reality is that many projects are using code with the most nasty example code. Many developers out there are rife with the clipboard inheritance (cut-and-paste) from code they see on the web. I've even seen shops where Sr devs are boosting code from nasty sites. For too many people, having something work at all is enough to get it in their project. Rails was meant as a prototyping framework, and besides the "don't put prototypes into production" that should happen, people push their protys out simply because they seem to do the dance. To many shops, there is no "properly" only "it works". I think the attitude that the post script of "the projects didn't intend for it to be used, so all karma is fully restored" seems a little off-base. But the point of the article is that the Java platform is secure, but evil happens after that... which I think that most people have to agree is absolutely true. And why would it surprise that bugs would creep into the complex frameworks we use?...
Re: Article: Java secure, but developers introduce vulnerabiliti
- Posted by: Casual Visitor
- Posted on: March 10 2007 05:38 EST
- in response to Michelle Davidson
The title is a contradiction in terms. Java is 'secure' but Java developers are not? Well, C and PHP are 'secure', too. Just C and PHP developers are not! :-D
the open source vendors don't encourage the use of that sample code.
So, the purpose of sample code is that it shall be ignored?
Plus, those vendors have their own easier mechanisms that are secure.
But those 'easier mechanisms that are secure' are kept secret and the plain developer is fooled by misleading sample code?? Very strange article. Shouldn't have been posted here.
Methinks "Java is more secure" should perhaps be the title...
- Posted by: m pantla
- Posted on: March 12 2007 04:31 EDT
- in response to Casual Visitor
Haven't seen a buffer overflow vulnerability in Java yet...
Re: Methinks "Java is more secure" should perhaps be the title..
- Posted by: J Dev
- Posted on: March 12 2007 08:56 EDT
- in response to m pantla
Samples are samples and no sources for copy and paste
- Posted by: Frank Nimphius
- Posted on: March 13 2007 03:34 EDT
- in response to Casual Visitor
I am developing many samples that I publish on my blog. However, the samples are meant to showcase specific functionality that often is not in the scope of security. So while the samples work for what I want them to show, I don't check them for security flaws (except the obvious ones). Developers can use the samples but should not blindly copy and paste what I provide but try to understand how it works before adding them to their production environment. So samples are good to use by the conscious developer. They bear risks if put in the hands of developers that consider copy-and-paste a design pattern.
Frank