Software security embraces the open source model
At JavaOne this week, one of the hidden delights was the announcement of an alliance between Fortify Software and the FindBugs open source project.
"Companies have tried to protect themselves with perimeter security," said Barmak Mestah, Fortify's vice president of engineering. "We want to weave security into the software development life cycle." The way to do this is to "build and test for software security before it's released," which FindBugs will now be able to do.
Pugh notes that Java has some security advantages already. "The language makes guarantees we don't have to check. In C, if you write outside an array's bounds, all hell breaks loose." This problem does not exist in Java. "Because Java is a safe language we can do a lot of shallow analysis that finds real bugs, while C has those issues with pointers and array bounds."
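The guarantee Pugh is describing is a bounds check on every array access, which the Java runtime performs and C does not. The following C program, added here as an illustration and not code from Fortify, FindBugs or the article, makes the difference concrete: `checked_write` refuses an index past the end of the array (the behaviour Java enforces by throwing `ArrayIndexOutOfBoundsException`), while `unchecked_write` mirrors plain C and lets the same index land on whatever sits after the array. The `struct frame` layout, the `neighbour` field and the index values are constructed for the example; the out-of-bounds write stays inside that one struct object so the demonstration itself is well-defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 4-byte array with another field right after it,
 * so an out-of-bounds write has a visible place to land. */
struct frame {
    char buf[4];
    char neighbour[4];
};

/* What a safe language does on every array access: verify the index
 * against the length before touching memory. Returns false instead of
 * writing when the index is out of range (Java would throw here). */
bool checked_write(char *arr, size_t len, size_t idx, char value) {
    if (idx >= len) {
        return false;
    }
    arr[idx] = value;
    return true;
}

/* What raw C does: compute the address and write. No length is known,
 * so nothing stops the write from hitting an adjacent field. */
void unchecked_write(char *base, size_t idx, char value) {
    base[idx] = value;
}

/* Perform an out-of-bounds write through the unchecked path and report
 * which byte of the neighbouring field it clobbered. */
char demo_unchecked(void) {
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.neighbour, "safe", 4);
    /* Index one past the start of neighbour, expressed via offsetof so the
     * example does not depend on an assumed struct layout. */
    size_t idx = offsetof(struct frame, neighbour) + 1;
    unchecked_write((char *)&f, idx, 'X');
    return f.neighbour[1]; /* 'X': the neighbour was silently corrupted */
}

/* Same index through the checked path: the write is rejected and the
 * neighbouring field keeps its original contents. */
char demo_checked(void) {
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.neighbour, "safe", 4);
    size_t idx = offsetof(struct frame, neighbour) + 1;
    bool ok = checked_write(f.buf, sizeof f.buf, idx, 'X');
    (void)ok; /* false: index 5 is outside buf[4] */
    return f.neighbour[1]; /* 'a': untouched */
}

int main(void) {
    printf("unchecked write: neighbour[1] = '%c'\n", demo_unchecked());
    printf("checked write:   neighbour[1] = '%c'\n", demo_checked());
    return 0;
}
```

The checked path is also what makes the "shallow analysis" Pugh mentions tractable: once every access is known to be bounded, a tool can reason about indices and lengths without first having to model arbitrary pointer arithmetic.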
A more secure Java means a more secure Internet. This looks like a win-win-win, even if it means the engineer in charge of an open source project gets his paycheck from a proprietary vendor. Think of it as blended source in action.