Java open-source frameworks are a business risk: Study
Summary: Researchers at CAST have released a report that suggests CIOs cannot afford to be in the dark over programming and tool choices in IT.

According to CAST research labs, Java open-source frameworks are an intrinsically risky element when it comes to keeping a corporation's systems and data safe.
The CRASH (CAST Research on Application Software Health) report details which frameworks used in the enterprise scene are the most reliable, and which Java open-source frameworks are most likely to have a negative impact on businesses worldwide.
As reported by The Register, the CRASH report documents an analysis of 496 applications, totalling 152 million lines of code, submitted by 88 organizations. Most of the applications were found to be poorly configured, which heightens security risk and introduces more bugs and flaws into an enterprise setup.
According to the firm, the most popular Java open source frameworks used today--Struts, JEE, Hibernate, and Spring--had high variability in scores for their usefulness and security features. CAST believes that in terms of quality, Hibernate reached the top spot, whereas applications built with Struts are of the lowest quality.
The security product developer stated that "applications that did not use any framework had a huge variance in quality," but added that good quality ratings can still be achieved without a framework, as long as different scripting languages are merged in an intuitive way.
The research report said that application quality can be affected when multiple programming languages are integrated within a single system. The application analysis suggested that:
- Applications built in pure JEE, with no frameworks or multi-lingual mingling, had the highest quality scores
- Mixing Java with C or C++ lowers quality scores
- Mixing Java with COBOL, Java-DB, and Microsoft .NET delivered higher quality scores.
So, what's the link? Understanding your framework. CAST says that a "large majority of applications" have some level of misconfiguration, so making enterprise systems more efficient requires either improving IT training or simplifying frameworks. Jay Sappidi, vice president of CAST Research Labs, said:
CIOs can no longer afford to be in the dark about their IT team's choice of programming language and tools, because those decisions have a material impact on the business.
With data from this CRASH study, CIOs can now have detailed conversations with their application development departments about the security and reliability of the specific framework they are using to build enterprise applications. Likewise, IT leaders should double check their choice of framework, how they mix languages, and how they enforce architectural integrity. Frameworks boost developer productivity, but they can also heighten risk and reduce quality.
The security firm believes that this information, coupled with a more hands-on approach by chief information officers, could help improve both the security and reliability of enterprise applications. In today's technology-dependent setting, downtime not only damages a firm's reputation and can lead to confidential data being stolen by cyberattackers; the modern consumer also expects online company resources to be consistently available.
Talkback
Any open source framework
But realistically
The best you can do is go on past reputation - which isn't always a reliable guide. Or you can pay one of the big management consultancies, who - in my experience - often lack any real-world systems development experience.
And if no framework is used, then governance will need to ensure that the internally written SOAP-XML parser doesn't replicate exactly the same problems the framework approach has had.
There isn't even any particular advantage to using a framework from IBM, Oracle or Microsoft as they won't offer any guarantee of quality, or indemnity against losses incurred through poor security.
Best advice - pay for a proper security audit by a professional firm - and don't worry about hypothetical problems.
Any tool should be properly used
The security audit by a qualified vendor is the only way to test for vulnerabilities.
P.S. The recent fiasco with the Java browser plugin shows that anything can be less secure. Also Windows is paid software.
Closed Source Frameworks
Which frameworks did they evaluate?
Which frameworks were these? Did they inspect the source code of proprietary closed frameworks as well? If not, how can they state that the open ones are more risky than the closed? Makes me ask who funded this report...
The less sinister reading
The big thing I'm wondering about is how you can compare Hibernate with Struts - they're two fundamentally different projects. By definition a web-facing framework is going to have more security issues, as it accepts inbound requests from third-parties, whereas Hibernate is about talking downwards (and of course adds some level of security by preventing some poor SQL practices).
Seems applications were evaluated
FUD
The problem is not in the frameworks; the problem is in badly crafted and badly configured applications.
Who paid that study? MS? Oracle? Some commercial framework maker?
Nonsense (in five languages)
I always seem to hear programmers (I'm not one) touting their favored platforms, languages, frameworks etc. as if they were some magic bullet that will solve all of my problems. Fact is, I think all of those things are far less important from an IT manager's standpoint than it is to have quality processes that result in quality code. Crap in Java is just as bad as crap in .Net, while the reverse is also true.
Most important skill is
The "journalist" who wrote this article
Please. Don't compromise the integrity of ZDNet with this kind of stuff.
What integrity?
integrity??
Lol, does ZDNet claim to have any integrity?!!? I think most people could point to pretty much any article by Ed Bott or quite a few others here. The aim is to stir up arguments and outrageous posts. The internet and social networking are killing responsible journalism and integrity, but that's the way people like it. This lady has printed many fine articles that got completely ignored, so it seems especially unfair to pick on her when others are doing much worse and doing it because we seem to like it.
Regards from
Tom :)
Well said
Because
2. She didn't write the article. It was from The Register (as she noted).
3. If you don't like it, don't read it
Who paid for the report
Reports often seem to favour whoever paid for the study to be conducted. So, who paid for or funded the report?
It's an interesting choice of timing to release a report on this. "Java" is widely being condemned at the moment. While this is a different type of Java, one of the main links to "related stories" is titled "Security experts on Java: Fixing zero-day exploit could take 'two years'". So it sounds like the issue of what type of company created the Java-based thing is completely irrelevant against the larger problem of using Java at all!!
Regards from
Tom :)
Exactly my thought.
How much did M$ pay CRASH for this report?
Why would Microsoft pay for this?
Competitor
That said, there is no information that I have seen that Microsoft is involved in this. It may just be a fishing expedition for new business by the releasing entity. We don't know.
What we do know is that Oracle doesn't appear to be in any hurry to improve Java security. However, it remains true that ANY programming environment that is capable of receiving an executable input and/or storing it is a potential security breach. The only real protection is in the vigilance of the programmer/user.