Fortify Software has agreed to put an engineer on Findbugs to keep the project alive, now that its original author has moved to pastures new. Founder Bill Pugh, a professor at the University of Maryland (Go Terrapins), is not only excited about the donation of time (Fortify is now sponsoring the Findbugs project), but a key donation of code he says will greatly enhance Java security. Fortify’s Source Code Analysis suite, which scans source code then applies rules to identify possible bugs, will now be used on Findbugs.
"Companies have tried to protect themselves with perimeter security," said Barmak Mestah, Fortify’s vice president-engineering. "We want to weave security into the software development life cycle." The way to do this is to "build and test for software security before it’s released," which Findbugs will now be able to do.
Pugh notes that Java has some security advantages already. "The language makes guarantees we don’t have to check. In C, if you write outside an array’s bounds, all hell breaks loose." This problem does not exist in Java. "Because Java is a safe language we can do a lot of shallow analysis that finds real bugs, while C has those issues with pointers and array bounds."
A more secure Java means a more secure Internet. This looks like a win-win-win, even if it means the engineer in charge of an open source project gets his paycheck from a proprietary vendor. Think of it as blended source in action.