Java open-source frameworks are a business risk: Study

Summary: Researchers at CAST have released a report that suggests CIOs cannot afford to be in the dark over programming and tool choices in IT.


According to CAST research labs, Java open-source frameworks are an intrinsically risky element when it comes to keeping a corporation's systems and data safe.

The CRASH (CAST Research on Application Software Health) report details which frameworks used in the enterprise are the most reliable, and which Java open-source frameworks are most likely to have a negative impact on businesses worldwide.

As reported by The Register, the CRASH report documents an analysis of 496 applications, totalling 152 million lines of code, submitted by 88 organizations. It found that most applications were poorly configured, which results in heightened security risk and more bugs and flaws within an enterprise setup.

According to the firm, the most popular Java open-source frameworks in use today (Struts, JEE, Hibernate, and Spring) showed high variability in scores for their usefulness and security features. CAST believes that, in terms of quality, Hibernate reached the top spot, whereas applications built with Struts were of the lowest quality.

The security product developer stated that "applications that did not use any framework had a huge variance in quality," but on the other hand, applications with good quality ratings can still be built without a framework, as long as merging different scripting languages is done in an intuitive way.

The research report said that application quality can be affected when multiple programming languages are integrated within a single system. The application analysis suggested that:

  • Applications built in pure JEE, with no frameworks or multi-lingual mingling, had the highest quality scores.

  • Mixing Java with C or C++ lowered quality scores.

  • Mixing Java with COBOL, Java-DB, and Microsoft .NET delivered higher quality scores.

So, what's the link? Understanding your framework. CAST says that a "large majority of applications" have some level of misconfiguration, so making enterprise systems more efficient requires either improving IT training or simplifying frameworks. Jay Sappidi, vice president of CAST Research Labs, said:

CIOs can no longer afford to be in the dark about their IT team's choice of programming language and tools, because those decisions have a material impact on the business.

With data from this CRASH study, CIOs can now have detailed conversations with their application development departments about the security and reliability of the specific framework they are using to build enterprise applications. Likewise, IT leaders should double check their choice of framework, how they mix languages, and how they enforce architectural integrity. Frameworks boost developer productivity, but they can also heighten risk and reduce quality.

The security firm believes that this information, coupled with a more hands-on approach by chief information officers, could help improve both the security and reliability of enterprise applications. In today's technology-dependent setting, downtime can damage a firm's reputation and lead to confidential data being stolen by cyberattackers, and the modern consumer now expects online company resources to be consistently available.

  • Any open source framework

    Should be fully understood and sanctioned by IT governance before use in enterprise development, regardless of the development platform.
    • But realistically

      Realistically, IT governance are not going to 'fully understand' every framework - open source or proprietary, as they won't have the skills to make any such evaluation.

      The best you can do is go on past reputation - which isn't always a reliable guide. Or you can pay one of the big management consultancies, who - in my experience - often lack any real-world systems development experience.

      And if no framework is used, then governance will need to ensure that internally written SOAP-XML parser doesn't replicate exactly the same problems the framework approach has had.

      There isn't even any particular advantage to using a framework from IBM, Oracle or Microsoft as they won't offer any guarantee of quality, or indemnity against losses incurred through poor security.

      Best advice - pay for a proper security audit by a professional firm - and don't worry about hypothetical problems.
      • Any tool should be properly used

        Else there will be problems. More risky is when you pay for a paid framework, assume it is very secure, and use a bad configuration. Very little training emphasizes security, and that is why most developers are unaware of it. Also, time is not given to implement secure practices.
        A security audit by a qualified vendor is the only way to test for vulnerabilities.
        P.S. The recent fiasco with the Java browser plugin shows that anything can be less secure. Also, Windows is paid software.
  • Closed Source Frameworks

    Aren't any less, if not more, risky. Let's say "using frameworks in your applications is a risky business". So, write everything by yourself and have an army of security experts to verify it. A stupid proposition. But no less idiotic than the CAST report.
    • Which frameworks did they evaluate?

      "The report documents an analysis of 496 applications with 152 million lines of code submitted by 88 organizations..."

      Which frameworks were these? Did they inspect the source code of proprietary closed frameworks as well? If not, how can they state that the open ones are more risky than the closed? Makes me ask who funded this report...
      • The less sinister reading

        The less sinister reading is that they couldn't analyse closed-source frameworks as they are closed source (even when source is available to clients, the license typically prevents you from commenting publicly on it).

        The big thing I'm wondering about is how you can compare Hibernate with Struts - they're two fundamentally different projects. By definition a web-facing framework is going to have more security issues, as it accepts inbound requests from third-parties, whereas Hibernate is about talking downwards (and of course adds some level of security by preventing some poor SQL practices).
      • Seems applications were evaluated

        Not frameworks. Also, finding a project with a paid framework like ATG is a bit tough; that is, the number of applications with free frameworks is too high, and with that comes more bad devs. Most of the paid frameworks need expensive training where good knowledge of how to use it is given. Open frameworks like Spring and Hibernate are mostly picked up from tutorials.
  • FUD

    Why are these guys and this gal spreading FUD?

    The problem is not in the frameworks; the problem is in badly crafted and badly configured applications.

    Who paid that study? MS? Oracle? Some commercial framework maker?
    • mierda,merde,onzin,paska,حماقة

      What does this prove? It proves I can write crap in any language (thanks to Google Translate for the above translations of "crap").

      I always seem to hear programmers (I'm not one) touting their favored platforms, languages, frameworks, etc. as if they were some magic bullet that will solve all of my problems. The fact is, I think all of those things are far less important from an IT manager's standpoint than it is to have quality processes that result in quality code. Crap in Java is just as bad as crap in .Net, while the reverse is also true.
      • Most important skill is

        To write good code. The language is only a tool that allows ideas to be converted to machine language or something near it.
  • The "journalist" who wrote this article

    What in Charlie Osborne's background qualifies her to write this article? The medical anthropology, the graphic design, or the fact she was a former teacher?

    Please. Don't compromise the integrity of ZDNet with this kind of stuff.
    • What integrity?

    • integrity??

      Hi :)
      Lol, does ZDNet claim to have any integrity?!!? I think most people could point to pretty much any article by Ed Bott or quite a few others here. The aim is to stir up arguments and outrageous posts. The internet and social networking are killing responsible journalism and integrity, but that's the way people like it. This lady has printed many fine articles that got completely ignored, so it seems especially unfair to pick on her when others are doing much worse and doing it because we seem to like it.
      Regards from
      Tom :)
      • Well said

        And the worst part about it is that there are corporate sponsors guiding them all the way. Impartiality went out the window when people stopped paying for news. News people gotta eat too! You get what you pay for.
    • Because

      1. She's hot
      2. She didn't write the article. It was from The Register (as she noted).
      3. If you don't like it, don't read it
  • Who paid for the report

    Hi :)
    Reports often seem to favour whoever paid for the study to be conducted. So, who paid for or funded the report?

    It's an interesting choice of timing to release a report on this. "Java" is widely being condemned at the moment. While this is a different type of Java, one of the main links to "related stories" is titled "Security experts on Java: Fixing zero-day exploit could take 'two years'". So it sounds like the issue of what type of company created the Java-based thing is completely irrelevant against the larger problem of using Java at all!!

    Regards from
    Tom :)
    • Exactly my thought.

      Build the strongest building on a weak foundation, and an earthquake of 4 to 5 will break it. And Java 7 is closer to closed source than 7. Java 6 also had many security issues, but they were resolved very quickly.
  • How much did M$ pay CRASH for this report?

    That is my main question, plus how much more did they pay Charlie to repeat this "research" in an article in order to legitimize it? You can't convince me that any other environment is better at guaranteeing application quality or stability. These issues end up being dependent on the application designer/architect and how the application gets built and how many corners are cut or standard best practices are ignored plus the actual requirements the application has to conform to. This "research" seems to be highly biased to me and the article reporting on it as well.
    • Why would Microsoft pay for this?

      What benefit is it to them?
      Michael Alan Goff
      • Competitor

        Java is Dot Net's major competitor. Microsoft has never hesitated to 'poison the well' for a competitor by purchasing a critical study of that competitor's product.

        That said, there is no information that I have seen that Microsoft is involved in this. It may just be a fishing expedition for new business by the releasing entity. We don't know.

        What we do know is that Oracle doesn't appear to be in any hurry to improve Java security. However, it remains true that ANY programming environment that is capable of receiving an executable input and/or storing it is a potential security breach. The only real protection is in the vigilance of the programmer/user.