A year ago at JavaOne, Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled "12 Java Technology Security Traps and How to Avoid Them." A year later, how far have we come in addressing those inherent vulnerabilities, which include XSS (cross-site scripting), SQL injection and native methods that allow the import of C or C++ code—along with its bugs? Not a smidge—unless you count going backwards.
It's gotten worse, Chess said in an interview with eWEEK, "and I've got evidence to prove it." Fortify, which markets source-code analysis technology, has access to a large database of common Java programming errors and vulnerabilities, gleaned not only from its customers but also from a year of running the Java Open Review project.