Java open-source frameworks are a business risk: Study

Summary:Researchers at CAST have released a report that suggests CIOs cannot afford to be in the dark over programming and tool choices in IT.

java-orangebox
(Credit: Java)

According to CAST research labs, Java open-source frameworks are an intrinsically risky element when it comes to keeping a corporation's systems and data safe.

The CRASH--CAST Research on Application Software Health--report details which frameworks used in the enterprise scene are the most reliable, and which Java open-source frameworks are most likely to have a negative impact on businesses worldwide.

Reported by The Register, the CRASH report documents an analysis of 496 applications with 152 million lines of code submitted by 88 organizations, resulting in the discovery that most applications were poorly configured--thus resulting in a heightened security risk, and more bugs and flaws within an enterprise setup.

According to the firm, the most popular Java open source frameworks used today--Struts, JEE, Hibernate, and Spring--had high variability in scores for their usefulness and security features. CAST believes that in terms of quality, Hibernate reached the top spot, whereas applications built with Strut are of the lowest quality.

The security product developer stated that "applications that did not use any framework had a huge variance in quality," but on the other hand, apps with good quality ratings can be achieved without a framework--as long as merging different scripting languages is done in an intuitive way.

The research report said that application quality can be affected when multiple programming languages are integrated within a single system. The application analysis suggested that:

  • Applications built in pure JEE, with no frameworks or multi-lingual mingling, had the highest quality scores

  • Mixing Java with C or C++ lowers quality scores

  • Mixing Java with COBOL, Java-DB, and Microsoft .NET delivered higher quality scores.

So, what's the link? Understanding your framework. CAST saids that a "large majority of applications" have some level of misconfiguration, and so to make enterprise systems more efficient, either improving IT training or simplifying frameworks is required. Jay Sapiddi, vice president of CAST Research Labs said:

CIOs can no longer afford to be in the dark about their IT team's choice of programming language and tools, because those decisions have a material impact on the business.

With data from this CRASH study, CIOs can now have detailed conversations with their application development departments about the security and reliability of the specific framework they are using to build enterprise applications. Likewise, IT leaders should double check their choice of framework, how they mix languages, and how they enforce architectural integrity. Frameworks boost developer productivity, but they can also heighten risk and reduce quality.

The security firm believes that this information, coupled with a more hands-on approach by chief information officers, could help improve both the security and reliability of enterprise applications. In today's modern, technology-dependent setting, downtime can not only impact the reputation of a firm and lead to confidential data being stolen by cyberattackers, but the modern consumer now expects online company resources to be consistently available.

Topics: Security

About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales. Charli... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.