A company called “Fortify” (no link here – no need to help drive traffic to them) has claimed that after checking a limited number of Java program source codes, that all open source software is less secure and that going with proprietary software is better. It is indeed a clever way to generate traffic to their website in these times but for all the wrong reasons. I am very sure that they are a MS crony and are funded by M$ to do their bid. Did they even check any open sourced .Net apps for vulnerabilities? I don’t think so.
Something like Coverity?
I have not read the Java report, but it sounds similar to scanning project Coverity has been running for a while.
http://scan.coverity.com/
http://scan.coverity.com/rung2.html
http://scan.coverity.com/rung1.html
http://www.securityfocus.com/brief/380
http://www.securityfocus.com/news/11230
Coverity is doing automatic scanning of several major open source projects. They make the results available to the developers. Automatic tests tend to get some false positives that make projects looks worse than they might be. Automatic scans can normally provide useful information for the developers.
Re: Something like Coverity?
Personally, I would trust the coverity reports. It does a scan of a larger body of work and is more representative and accurate, imho, than what the other chaps do.