Security Onus Is on Developers

By Peter Coffee  |  Posted 2006-06-12 Print this article Print

JavaOne panelists say technology and admission of fallibility are crucial to robust code.

During last months JavaOne Conference in San Francisco, Fortify Software convened a panel to discuss the role of application developers in software security and the need for appropriate development technology, without which genuine security is impossible to achieve.

Invited expert panelists were Gary McGraw, chief technology officer of Cigital, of Dulles, Va., and a widely read author on this subject; Bill Pugh, professor of computer science at the University of Maryland in College Park, Md.; David Wagner, professor of computer science at the University of California at Berkeley; and Bill Joy, co-founder of Sun Microsystems, of Santa Clara, Calif., and a partner in Kleiner Perkins Caufield & Byers, of Menlo Park, Calif.

The opening statements of these experts are shared here, and more of their subsequent discussion and their Q&A interaction with the invitation-only audience is linked from the eWEEK blogs.
That link can be readily found in the June 12 entry titled "Notes from Fortifys security panel at JavaOne" in the Archives section at

Gary McGraw

Java is good because its type-safe. A lot of people that use Java may not even be aware of that, but the fact that theyre using it is very important and good.

The problems that we see in software security—from a technical perspective—often are related to the programming language C, which is kind of a disaster from the security perspective. Java did a lot to clean up the mess and make things a little bit more comprehensible.

But software security is about two kinds of problems: bugs and flaws. Its important to think about both. When youre working with Java, youll have fewer problems with bugs because of type safety, and youll have more cycles to spend thinking about architecture and about building in security from an architectural perspective.

Bill Pugh

A lot of people think that errors and defects and stupid mistakes are things that the "lesser programmers" make. One of the things that Ive found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know.

People start thinking, "Because we have smart employees, we have a good development process; were not going to have stupid bugs." But no. Everybody, every process, every person makes stupid mistakes. It just happens. The question is, What do you do to find and eliminate your stupid mistakes after they occur? Because theyre going to occur.

Next Page: Losing a battle, catching mistakes.

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel