Tuesday, December 19, 2006
The Java Open Project Review
Figured I would share a changing perspective on the Java Open Project Review...

The folks over at Fortify Software are seeking help but are doing so in a very awkward way. While I am a firm believer in promoting secure coding practices, I am an even bigger believer in open source. In order to truly have secure coding practices, the tools used need to fit into existing software development lifecycles. The folks over at Fortify, in their model, seem keenly interested in breaking existing development paradigms by forcing monolithic uploads instead of the iterative, merciless refactoring that open source projects live by.
Developers work in tools known as IDEs, not via web pages. Likewise, they like to iterate and not just get a massive list of things that are busted and create an unmanageable backlog. At work, I have been noodling usage of such tools but haven't yet pulled the trigger to explore any deeper. I realized that one of my biggest hangups is one of contradictory business models. I have been asking myself, why aren't secure coding practices simply part of the compiler rather than add-on, separately licensed software?

