TheServerSide.com sister site SearchSoftwareQuality.com reports that security software vendor Fortify Software claims a wide variety of vulnerabilities in projects such as Struts, Hibernate, and Geronimo. You can argue that Fortify has ulterior motives in making such an announcement, but the substance of it is easily verifiable. And in many cases, FOSS doesn't necessarily perform the validations and checks needed for enterprise use. Is it a community responsibility, or the enterprise developer's? Read more at http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1323351,00.html.
- Posted by: Peter Varhol
- Posted on: August 04 2008 16:46 EDT
- Where? by Roy Russo on August 05 2008 09:44 EDT
- Re: Security vulnerabilities found in open source Java projects by Rich Sharples on August 06 2008 11:26 EDT
- Security vulnerabilities found in open source Java projects by Ethan Allen on August 06 2008 17:48 EDT
Their "Open Review" page shows Hibernate with 1 defect (https://opensource.fortify.com/teamserver/welcome.fhtml;jsessionid=BAB2DAF36537320493EDF7ED1A9ECD8D). I can't find geronicaca on that list, and struts has 0 defects. Why is this here?
Why is this here?
Sometimes I wonder if it would not be better to stop reading this website. The quality is constantly decreasing. I am spending more time on Javalobby already.
I agree that the article lacks content and is about a company trying to create interest in their products. But these kinds of articles are the ones we will be confronted with when justifying / explaining technology choices. I for one am grateful that the post has made me aware of the article.
Why is this here?
Sometimes I wonder if it would not be better to stop reading this website. The quality is constantly decreasing.
I am spending more time on Javalobby already.
Thanks for the news about the new site... I'll also check it out. I also notice the same issue here.
Even if you wanted to check out the (so-called) problems with a project, it doesn't seem possible to get a Fortify account. Clicking the "Request an Account" link just goes to a logon screen.
Aside from the obvious product plug, it's not a great report. They seem to be slamming OSS merely because it is transparent - not because it has more defects. Oh the irony. More here: http://blog.softwhere.org/archives/260
Rich Sharples
JBoss, A Division of Red Hat
No kidding - you sure? Around my shop we use software with no security vulnerabilities exclusively. Don't want any of those.