Security Onus Is on Developers

JavaOne panelists say technology and admission of fallibility are crucial to robust code.

During last months JavaOne Conference in San Francisco, Fortify Software convened a panel to discuss the role of application developers in software security and the need for appropriate development technology, without which genuine security is impossible to achieve.

Invited expert panelists were Gary McGraw, chief technology officer of Cigital, of Dulles, Va., and a widely read author on this subject; Bill Pugh, professor of computer science at the University of Maryland in College Park, Md.; David Wagner, professor of computer science at the University of California at Berkeley; and Bill Joy, co-founder of Sun Microsystems, of Santa Clara, Calif., and a partner in Kleiner Perkins Caufield & Byers, of Menlo Park, Calif.

The opening statements of these experts are shared here, and more of their subsequent discussion and their Q&A interaction with the invitation-only audience is linked from the eWEEK blogs.

That link can be readily found in the June 12 entry titled "Notes from Fortifys security panel at JavaOne" in the Archives section at

Gary McGraw

Java is good because its type-safe. A lot of people that use Java may not even be aware of that, but the fact that theyre using it is very important and good.

The problems that we see in software security—from a technical perspective—often are related to the programming language C, which is kind of a disaster from the security perspective. Java did a lot to clean up the mess and make things a little bit more comprehensible.

But software security is about two kinds of problems: bugs and flaws. Its important to think about both. When youre working with Java, youll have fewer problems with bugs because of type safety, and youll have more cycles to spend thinking about architecture and about building in security from an architectural perspective.

Bill Pugh

A lot of people think that errors and defects and stupid mistakes are things that the "lesser programmers" make. One of the things that Ive found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know.

People start thinking, "Because we have smart employees, we have a good development process; were not going to have stupid bugs." But no. Everybody, every process, every person makes stupid mistakes. It just happens. The question is, What do you do to find and eliminate your stupid mistakes after they occur? Because theyre going to occur.

Next Page: Losing a battle, catching mistakes.