Most developers are concerned about the security aspects of the software they write, and some even worry on a constant basis whether there might be security problems lurking in their production code. Such worries are the first hallmark of a security-conscious developer, according to Barmak Meftah, VP of Products and Services at Fortify Software, and Bill Pugh, creator of the popular FindBugs tool:
Part of security is that you're always worried that some new vector, some new thing is going to get you... If you're worried whether your software is secure or not, congratulations! You've taken the first important step to making your software secure. Some people are just oblivious to this.
In the interview, Meftah and Pugh discuss the importance of augmenting code reviews with automated quality and security checking tools:
Even if you know what you're supposed to do, mistakes happen. And you have to come up with ways—how do we [find those mistakes]? There are a lot of different ways of doing this. Code reviews is one. There are many others. One of them is static analysis tools, which is what Fortify does for code security, and what FindBugs does for code quality. Those things often find things that slipped through the code review and testing cracks.
|Barmak Meftah, Vice President of Products and Services at Fortify Software, and Bull Pugh, creator of FindBugs, talk about software security. (4 minutes 3 seconds)|
What have you found to be the single most important step to follow to ensure that you're writing secure code?Post your opinion in the discussion forum.
Bill Venners is president of Artima, Inc. He is author of the book, Inside the Java Virtual Machine, a programmer-oriented survey of the Java platform's architecture and internals. His popular columns in JavaWorld magazine covered Java internals, object-oriented design, and Jini. Bill has been active in the Jini Community since its inception. He led the Jini Community's ServiceUI project, whose ServiceUI API became the de facto standard way to associate user interfaces to Jini services. Bill also serves as an elected member of the Jini Community's initial Technical Oversight Committee (TOC), and in this role helped to define the governance process for the community.
Frank Sommers is Editor-in-Chief of Artima Developer. He also serves as chief editor of the IEEE Technical Committee on Scalable Computing's newsletter, and is an elected member of the Jini Community's Technical Advisory Committee. Prior to joining Artima, Frank wrote the Jiniology and Web services columns for JavaWorld.