Red Hat developer Andrew Haley will assume the role of project lead for OpenJDK 6, the company announced last week, letting Red Hat "continue to help drive the future of Java and of OpenJDK."
Haley is a long-time Java technical lead and member of the OpenJDK governing board.
This announcement isn't headline-grabbing, but this "transition into a leadership role" underscores Red Hat's commitment to Java. "We think that Java will continue to be a strong option for developers for a long time to come," Rob Cardwell, vice president of middleware strategy at Red Hat, told ADTmag. "What we're doing with OpenJDK 6 is continuing a trend we started years ago with the IcedTea Project."
Red Hat has been involved in the OpenJDK since 2007, when it signed Sun Microsystems' OpenJDK Community TCK License Agreement. The TCK (Technology Compatibility Kit) is the official test suite for compliance of implementations of Java Specification Requests (JSRs); they can only be provided by the spec lead of a JSR. Red Hat was the first big software vendor to license the TCK.
The IcedTea Project Cardwell referred to was a build and integration project Red Hat launched in 2007. Its aim was to make it possible to add OpenJDK to Fedora and other Linux distributions that require free software. A version of IcedTea based on OpenJDK was packaged with Fedora 8 later that year.
The OpenJDK governing board oversees the OpenJDK community and upholds its bylaws, but has no direct authority over technical or release decisions. Along with Red Hat's Haley, the current board members are: chairman Georges Saab from Oracle, vice chair John Duimovich from IBM, OpenJDK lead Mark Reinhold from Oracle, and at-large member Doug Lea from SUNY Oswego. The board also includes two "observers": Ed Lynch from IBM, and Mike Milinkovich, executive director of the Eclipse Foundation.
IDC analyst Al Hilwa said he believes Red Hat's continued support and investment in Java -- especially given the company's success as an open source enterprise technology provider -- give credibility to the company's "vision for the future of OpenJDK and goal of driving innovation in Java."
Haley blogs fairly frequently, and his posts are worth reading. His latest includes some details on the latest release of IcedTea. An earlier post does a great job of clarifying the security differences between running Java code from the command-line and running it via a browser plugin.
Posted by John K. Waters on 03/12/2013 at 10:53 AM
It's an odd way of setting a high standard, naming your flagship product after one of the last century's most notorious cinematic slackers, but the decision to call their new web application development framework "Ferris" (for Ferris Bueller) made perfect sense to its creators at Cloud Sherpas.
"We're making it easy for developers," explained Cloud Sherpas' Michael Cohn. "And Ferris Bueller was all about easy."
Written in Python, Ferris is an open-source, model-view-controller (MVC) framework specifically designed for developers using Google App Engine. The MVC architecture makes for a flexible, Rails-like framework for rapid app development. It automatically provides CRUD (Create, Read, Update, Delete) scaffolding of actions and views. It includes a theme engine built on the Python-based templating language Jinja2. It also comes bundled with an OAuth2 toolkit and a Google API client.
At its core, Ferris is an MVC framework built with App Engine in mind, says its creator, Cloud Sherpas programmer Jon Wayne Parrott. In terms of its capabilities, it falls somewhere between microframeworks like Flask or Bottle and larger, more complex Web app frameworks like Django or Pyramid, he said.
"It leverages everything that's available by default in App Engine to make it easy to build applications rapidly," Parrott told ADTmag. "You don't have to fight with it at all to access everything App Engine gives you."
Google's App Engine is a suite of tools and services for building and scaling Web apps on the company's infrastructure. Applications developed using the App Engine Software Development Kit (SDK) can be uploaded and hosted by Google, and those apps can then utilize Google's bandwidth and computing power. Google claims that it's one of the fastest-growing cloud messaging and collaboration platforms, with more than 50 million users and 5 million business customers.
The Atlanta-based Cloud Sherpas is a cloud services brokerage, which means the company serves as an intermediary between cloud vendors and buyers. Think next-gen SI or VAR for the cloud. Among other things, the company serves the Google Apps ecosystem, and it claims to be the largest Google Apps systems integrator in the world. The company has been named Google Enterprise Global Partner of the Year for Apps Implementation two years in a row.
With all the frameworks on the market these days, it's hard not to wonder why we need another one, but Parrott insists that what developers are getting with Ferris is unique. "This is a highly focused framework for the Google App Engine," he said. "We think that's enough of a differentiator."
Why build the framework in Python?
"We just find it a lot easier to develop in Python than Java or (Google's) Go at the moment," Parrott said. "When it comes to pure Web development, it's hard to beat Python when it comes to pure speed and ease of use."
Cloud Sherpas unveiled the Ferris framework at last week's Strata conference. It is available now for free under the Apache v2 license.
BTW: Parrott stars in a YouTube sendup of the 1986 movie Ferris Bueller's Day Off, the framework's namesake. Fair warning: It includes the shower scene.
Posted by John K. Waters on 03/06/2013 at 10:53 AM
This year's RSA Conference was chock full of great content. One of my favorite sessions was the chief information security officer (CISO) panel, hosted by Cigital Inc. CTO and build-security-in guru Gary McGraw. Instead of a whip, McGraw wielded a Star Wars lightsaber (a vendor was handing them out on the exhibit floor) to keep four top security execs moving through a series of "driving" questions.
In answering a question about measuring risk, Gary Warzala, CISO at Visa, argued that, although it was certainly important to measure an organization's vulnerabilities and level of compliance, it was just as important to make sure that risk is owned throughout the enterprise.
"When I think about the technology organization, we hold the majority of operational risks," he said. "We need a process by which we're managing that risk on a daily basis, and then we need to be able to articulate that ... But you can't just have the conversation around risk when you're talking to the board; you have to have it across the enterprise."
Google views security as an existential issue, said Eric Grosse, VP of the company's Security Engineering group. It's evaluated based on observed incidents. In fact, the company authorizes internal groups -- on a short-term basis -- to try to break in.
"We have a referee standing by, because they're actually working on the live systems," Grosse said. One side effect of this process is that it makes other employees more alert to potential security issues, he added.
For an answer to the question, "How should the security function interact with executives?" McGraw turned to Howard Schmidt, who served the country's chief executive. The former cybersecurity coordinator for the Obama administration said that the interactions between a CISO and his boss need to be customized, or they can have unexpected consequences.
"One minute you're doing a nice briefing for executives, and the next thing you know, they're subscribing to some list and every virus that comes out has them on the phone saying, 'Is this going to affect us?'" he said. He hastened to add that that never happened with Mr. Obama.
"What you really have to do is to sit down and involve all the business units, preferably in the same room," Schmidt said. "It's almost like creating a disaster recovery plan or business continuity plan, where, if you send out an e-mail asking about priorities, and they're all No. 1. But if you get them all in the same room, you get a better idea of when you need to escalate."
Jason Witty, CISO at U.S. Bank, said that information security execs need to do a better job of speaking with management in business terms.
"We need to talk about things like protecting and enhancing revenue," he said. "We need to change our vernacular ... We don't want to be speaking Klingon to Captain Kirk."
McGraw also asked the panel about which tools they found the most useful in their work, which drew a little groan from Witty.
"I saw a list of information security vendors the other day," he said. "When I saw it, I rolled my eyes so far back in my head I saw behind me … The bottom line for me is that this is a people-and-processes issue, not a technology issue."
McGraw also wondered about how the gathered execs retained good security people. Beyond having "the best recruiter in the business, bar none," not to mention Visa's strong brand, it's the kind of field that attracts people who love the work, Warzala said.
"People in the information security field are what I call digital first responders," he said. "They're the kind of people who run toward a fire while everyone else is running away ... They're not doing the job to make lots of money. They're doing it because they're passionate about it."
Posted by John K. Waters on 03/05/2013 at 10:53 AM
The annual crypto-uber-geek, cyber-security trade show, better known as the RSA Conference, gets underway next week in San Francisco. I love this event. The content is broad and deep and sometimes downright scary. Even registering for the thing can be unsettling: never have I had to work so hard to create a password. And you need a personal access code to get on the wireless network at the show. So cool.
I got a nice warm up for the event earlier this month when I attended a roundtable discussion among HP security mavens. The company is planning to make several major announcements around security at the end of this month, and it'll soon be releasing its "2012 Cyber Security Risk Report." The roundtable included execs from the various groups HP assembled last year to form its Security Intelligence and Risk Management platform. The discussion focused on trends in cybercrime, the evolving marketplace for information theft and the best enterprise defense strategies.
Art Gilliland, SVP of HP's Software Enterprise Security Products group (and former Symantec exec), kicked off the conversation by suggesting that the press, and even some security professionals, spend too much time talking about individual perpetrators.
"Focusing on specific actors is a bit of a red herring," he said. "It misses the fact that there's just so much money to be made from the sale of stolen information that a real marketplace has grown up around cybercrime."
That's the bad news; the good news is that markets exhibit recognizable behaviors that can be exploited by defenders.
"Markets do very specific things," Gilliland pointed out. "They organize participants, for example, and they create specialization around a process. If companies are going to become more effective at responding to security threats, they're going to need to think about how they disrupt the marketplace of the adversary."
HP uses something called a "kill chain," a traditional process chain originally created by Lockheed Martin, to describe the five steps of a security breach. The kill chain steps include: 1) Research (the bad guys create profiles of their targets); 2) Infiltration (they break in); 3) Discovery (they map the assets and find the good stuff); 4) Capture (they take control of the assets or sensitive information); 5) Exfiltration (they steal or destroy it).
"I believe that the reason we're seeing such an increase in breaches and threats is that we, as an industry, are not building the capabilities necessary to disrupt this process," Gilliland said.
Instead, a great deal of emphasis is placed on the technology infrastructure for blocking the adversaries -- anti-virus software, firewalls, etc. But, as Gilliland put it, "this marketplace innovates around us," and a break-in is all but inevitable. "If you believe that that's true -- and I think most security experts do -- then we had better get much better at catching them inside before they've stolen the data," he said.
"It's critical that organizations get to a point where they can respond very quickly to each of those steps," said Scott Lambert, director of HP's DVlabs. "That's how we change the game."
Digital Vaccine Labs was the research organization within security vendor TippingPoint, which HP acquired in 2010 when it bought 3Com. HP describes DVlabs as "the heart" of the company's IT security research and intelligence.
Lambert allowed that firewalls and intrusion detection-and-prevention systems provided protection from what attackers were leveraging when those technologies were created, and they're still effective at blocking certain classes of attacks. But today the focus of the attackers is shifting away from perimeter defenses and toward the individual. Vulnerabilities in social networks, for example, are attracting a new generation of cybercriminals.
Lambert also added to my growing security vocabulary list with "OODA Loop": observe, orient, decide, and act. It's a military term applied to combat operations; whoever gets through the loop faster is likely to be the winner.
"At each of the stages in the kill chain, there is a set of assessments that must be made and actions that must be taken," he said. "The attacker is going to keep coming back in; shut down one door, and they'll find another one. So we need to be quicker at identifying that they're inside, telling them to go away, shutting those doors, and getting right on top of them when they come back."
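As an added illustration of the five-step kill chain and the OODA-loop point above (example code written for this page, not HP's or DVlabs' tooling), the following Python tags constructed, normalised SIEM-style events with their kill-chain stage and reports how far an intrusion had progressed, and how long the attacker had been inside, before the defender's first detection. The event type names and their stage mapping are assumptions.

```python
"""Stage-tag constructed security events against the five kill-chain steps
described in the post and measure how far an attack got before detection.
Added example; event names and the stage mapping are assumptions, not HP's."""
from datetime import datetime

# The five stages, in the order the post lists them.
STAGES = ["Research", "Infiltration", "Discovery", "Capture", "Exfiltration"]

# Hypothetical mapping from a normalised SIEM event type to a kill-chain stage.
EVENT_STAGE = {
    "external_port_scan": "Research",
    "phishing_link_clicked": "Infiltration",
    "office_spawned_shell": "Infiltration",
    "internal_host_sweep": "Discovery",
    "directory_enumeration": "Discovery",
    "privilege_escalation": "Capture",
    "bulk_archive_created": "Capture",
    "large_outbound_transfer": "Exfiltration",
}

# Constructed sample log lines: "<ISO timestamp> | <host> | <event type>".
SAMPLE_EVENTS = [
    "2013-02-20T09:00:00 | edge-fw | external_port_scan",
    "2013-02-20T10:15:00 | ws-042 | phishing_link_clicked",
    "2013-02-20T10:16:30 | ws-042 | office_spawned_shell",
    "2013-02-20T13:40:00 | ws-042 | internal_host_sweep",
    "2013-02-20T14:02:00 | ws-042 | directory_enumeration",
    "2013-02-21T01:50:00 | fs-01 | privilege_escalation",
    "2013-02-21T02:05:00 | fs-01 | bulk_archive_created",
    "2013-02-21T02:30:00 | fs-01 | large_outbound_transfer",
    "2013-02-21T08:00:00 | ws-099 | user_login",  # benign, unmapped
]


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string for the detection time."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_event(line):
    """Split one log line into its fields and attach the kill-chain stage (or None)."""
    ts, host, event_type = (part.strip() for part in line.split("|"))
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "type": event_type,
        "stage": EVENT_STAGE.get(event_type),
    }


def first_seen_by_stage(lines):
    """Earliest timestamp at which each stage was observed, keyed by stage name."""
    first = {}
    for ev in map(parse_event, lines):
        if ev["stage"] is not None and ev["stage"] not in first:
            first[ev["stage"]] = ev["ts"]
    return first


def stages_reached_before(lines, detected_at):
    """Kill-chain stages the attacker had already reached when the defender
    first detected the intrusion, in chain order."""
    detected_at = _as_dt(detected_at)
    first = first_seen_by_stage(lines)
    return [s for s in STAGES if s in first and first[s] <= detected_at]


def minutes_inside_before_detection(lines, detected_at):
    """Dwell time: minutes from the first Infiltration event to detection.
    Returns None if no Infiltration event precedes detection."""
    detected_at = _as_dt(detected_at)
    entry = first_seen_by_stage(lines).get("Infiltration")
    if entry is None or entry > detected_at:
        return None
    return int((detected_at - entry).total_seconds() // 60)


def exfiltration_prevented(lines, detected_at):
    """True if detection came before any Exfiltration event, i.e. the
    defender caught the attacker inside before the data left."""
    detected_at = _as_dt(detected_at)
    first = first_seen_by_stage(lines)
    return "Exfiltration" not in first or detected_at < first["Exfiltration"]


if __name__ == "__main__":
    detected = "2013-02-21T02:10:00"
    print("stages before detection:", stages_reached_before(SAMPLE_EVENTS, detected))
    print("minutes inside:", minutes_inside_before_detection(SAMPLE_EVENTS, detected))
    print("exfiltration prevented:", exfiltration_prevented(SAMPLE_EVENTS, detected))
```

Run against the constructed events with a detection at 02:10 on the second day, the attacker had reached the Capture stage after 955 minutes inside, and the Exfiltration event 20 minutes later is the one the detection had to beat.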
Jacob West, CTO of Fortify Products within HP's Enterprise Security group, weighed in on the subject of security in the application layer. Although network and end-point security still get the lion's share of a typical organization's security budget, he said, app security is finally getting the attention it deserves.
"Ten years ago there wasn't a field called 'software security,'" West said. "Security was still pixie dust that you layered on top of your software after you built it. We've come a long way since then, and now we're seeing substantial investment in securing the application layer."
The reason for the increased investment, West said, is the growing popularity of the app layer as a target. But he added that it's a mistake to expect top-notch developers to also become security experts.
"You just can't be both," he said. "So what we in the industry need to do is to enable those developers -- and everyone else who contributes to the development lifecycle -- to understand that they're making security-relevant decisions and give them the processes and technologies to make those decisions in the right way when they're faced with them."
In 2007 West co-authored Secure Programming with Static Analysis (Addison-Wesley Professional, July 9, 2007) with Brian Chess, founder of security vendor Fortify Software, which HP acquired in 2010. Fortify was known for its static application security analysis technology, and West and Chess's book is something of a classic in that field.
"I do think a lot of development organizations recognize that security is now a core requirement of the software they build," West added. "They can't make every developer a security expert, but they know that the software those developers eventually produce needs to be secure. And I do see an increasing number of firms with large development investments tying developer performance and compensation to security metrics."
And yet many organizations have yet to implement even basic perimeter security, said Joni Kahn, SVP of Services and Support in HP's ArcSight group, let alone address more sophisticated threats. Kahn runs professional services at HP and is actively involved in breach remediation and response. (HP acquired security information and event management provider ArcSight in 2010.)
"We spend a lot of time talking about the business processes that allow you to leverage the technology in an effective way," she said.
To my dumb question of the day, "Why haven't we fixed all this yet?" Kahn replied, "Well, that's a little bit like asking, Why haven't we stopped all burglaries? There's money in this, and crime pays."
BTW: Gilliland will be talking about how market forces are organizing our adversaries at the RSA Conference. His talk is entitled: "Criminal Education: Lessons from the Criminals and their Methods."
Posted by John K. Waters on 02/22/2013 at 10:53 AM
Forget the headline-grabbing revelations of new security flaws, the dogged dissing from Apple and the dire warnings from the U.S. Department of Homeland Security: Java is the world's most popular programming language. That's according to TIOBE Software's latest Programming Community Index.
TIOBE is a Netherlands-based provider of software quality assessment services based on the ISO/IEC 9126 standard. The company ranks the popularity of software languages based on "the number of skilled engineers world-wide, courses, and third-party vendors." The purpose of the Index, the company says, is to provide coders with a kind of contextual yardstick with which to measure their own language skills against current demand.
Ten months after being overtaken by C, Java has risen back to the top largely because of the popularity of Android mobile devices, the indexers concluded. Java accounted for 18.387 percent of market share in February, as measured by TIOBE, while C held onto a solid 17.080 percent, followed by Objective-C with 9.803 percent and C++ with 8.758 percent.
The Index also indicated that the popularity of Python is on the rise (4.949 percent, up 1.07 percent over the last half year), with PHP holding steady at 5.074 percent.
Altogether, TIOBE ranks 50 programming languages, though it follows many more. The company emphasizes that the Index measures only the popularity of a language, not its actual quality (no "bests") nor the number of lines of code written in it.
Java also made it to the top of a rival language popularity index: the latest PYPL (PopularitY of Programming Language) Index. This popularity indicator is published by pyDatalog, a provider of a pure-Python implementation of a declarative subset of Prolog, called Datalog. Java topped the PYPL Index in February with a 29 percent market share. PHP came in second with 14.6 percent. C# followed with 10.5 percent, Python with 10.3 percent and C with 9.6 percent (down 0.9 percent).
The goals of the PYPL indexers are the same as TIOBE's: "If you believe in collective wisdom," the Web site states, "the... index can help you decide which language to study, or which one to use in a new software project."
TIOBE, which has been around a while, tracks the popularity of languages by counting related Web pages; pyDatalog, the new kid on the popularity indexing block, counts how often language tutorials are searched on Google. One tracks availability; one tracks demand. I'm not sure which is the better methodology, but it's useful to be reminded that Java isn't merely a popular target.
Posted by John K. Waters on 02/13/2013 at 10:53 AM
A number of insightful industry watchers got back to me right after the holidays with their thoughts on the challenges facing developers in 2013. (Most of them didn't even seem that hung over.) It was just too much wisdom to cram into two blog posts, so we're going with a Part III.
John R. Rymer, principal analyst at Forrester Research Inc., covers application development and delivery (and writes a killer blog). He agreed with his colleagues that mobile will continue to vex developers, as will the need to learn and employ multiple languages. However, he was surprised (as was I) that the arrival of Windows 8 didn't top more lists.
"[Windows 8] got off to a slow start, by all accounts, but Microsoft is all in on this one," he told me. "It's fair to say that one Microsoft platform era is ending and another is starting. What Microsoft is calling 'the new Windows platform' includes Windows 8 clients, the Windows Runtime API, and the Windows Azure cloud. .NET isn't going away, but it's a server environment, and the relationship among these technologies is really complicated. There's a lot to master there. And then there's the question of when to make the jump to that platform."
Rymer and fellow Forrester analyst Jeffrey S. Hammond published a report in August entitled "The Future of Microsoft: New Options, New Choices, New Risks" that's well worth reading.
Ovum principal analyst Michael Azoff foresees a "big headache" on the horizon for developers caused by fragmentation in app dev precipitated by their struggles with mobile development.
"Mobile of course is the issue," he said. "HTML5 is supposed to be the answer, but it's a bunch of technologies, continually evolving, and part of a spectrum of options when deciding to go native, hybrid or open."
For ZapThink President Jason Bloomberg, the mobile piece is all part of the broad-based trend toward new ways of thinking about distributed computing.
"From the enterprise perspective, mobile -- as well as the browser -- has always been thought of as the user interface endpoint," Bloomberg said. "The thinking goes: All the hardcore work of enterprise development is in the middle tier, and then you do the application tier and let the hippies do the coding on the interface, which you slap on for the end users. That's shifting as our devices become more and more sophisticated. A smartphone is more powerful than a supercomputer from 20 years ago. We have these supercomputers in our pockets, so they can be much more than just interface endpoints. They can actually be a provisionable cloud resource as well."
Another challenge ahead for developers in 2013, Bloomberg said, is sorting out cloudwashed products and services from the real thing. "Cloudwashing" refers to the practice of adding the word "cloud" to existing, essentially unchanged products or services.
"The 2013 cloud computing story is one of maturation," he said, "but also one of the vendors striking back with an increasing effort to cloudwash, as they realize that cloud computing done right would undermine their revenue streams and licensing models. What developers need to understand is that virtualization alone is not the same thing as cloud. That's the seed of confusion that's getting sown right now. Vendors are saying, we're offering cloud, but they're really offering virtualization. The missing pieces are the automated provisioning configuration and the elastic nature of the cloud, where you can scale up and scale down in an automated fashion. Virtualization alone doesn't offer those parts of the story, and developers need to be aware of that."
Bloomberg has a book coming out later this year, "The Agile Architecture Revolution," from Wiley, John & Sons Inc. Given the quality of his coverage of service-oriented architecture (SOA) and cloud computing over the years, it should probably be on your reading list.
Unsurprisingly, security was on the mind of my favorite fiddle-playing security expert, Gary McGraw, CTO of Cigital Inc., and author/coauthor of many books, including the classic, "Software Security: Building Security In" (Addison-Wesley, 2006).
The top of McGraw's list of challenges for developers in the coming year: secure use of well-known frameworks.
"This is a big question for developers," McGraw said. "From a coding perspective, if you're used to using static analysis tools, they fail when it comes to frameworks, because the control flow goes right down this hole. And the tool goes, 'Oh well, the control flow is gone, so I quit.' Using frameworks securely should be a big issue for developers in 2013. And they should be asking exactly what the guys who are building frameworks are doing to make them secure."
McGraw also pointed to ongoing security issues around Java, which was plagued by exploited vulnerabilities last year.
"Watching all that, it felt like déjà vu all over again," McGraw said. "I looked at my watch and said, holy crap, it's 1997! What's going on is, various people who are in control of Java at a company whose name might start with Ora and end with cle, just haven't been paying attention. They pay a lot of lip service to security at that company, but when push comes to shove, they're not delivering. And when companies that, generally speaking, try to play nice like Apple (emphasis on generally) say they're going to ban Java from their platform, that ought to be a wake-up call."
McGraw will be presenting at this year's RSA security conference. The title of his talk: "The Bug Parade, Zombies, and the BSIMM." (The BSIMM, of course, refers to the Building Security in Maturity Model, the latest incarnation of which I covered back in November.)
Security was also on tech industry watcher Rob Enderle's mind (The Enderle Group), particularly when it comes to the use of open source in the mobile space. So much work is now "pointed at mobile devices," he said, and so many malware writers are employing the strategy of altering good applications, that app builders should reexamine their open source practices in 2013, and "take other measures to ensure someone doesn't hijack your product for illegal purposes."
Enderle also cited analytics as an increasingly critical industry focus and developer opportunity.
"Analytics is one of the big technology advancements this decade," he said, "and using this tool to better understand your existing and potential customer needs and frustrations -- and your competitors' weaknesses -- should help assure more successful products and greater customer loyalty. This is also a huge opportunity to think about incorporating these analytics into software products and providing a feedback loop to customers that use them to help you better enhance the products you're creating."
For RedMonk's James Governor, the good news for developers in 2013 -- a wealth of choices -- is also the daunting news.
"Dealing with the abundance of tooling is increasingly an issue," Governor said in an e-mail. "Developers have more choices than ever to make -- whether in data stores, programming languages, management and monitoring, agile methods, approaches to DevOps -- there's innovative stuff happening everywhere."
To support his point, Governor quoted author Clay Shirky's book, "Here Comes Everybody" (Penguin Books, 2009): "We are living in the middle of the largest increase in expressive capability in the history of the human race ... The barrier between producers and consumers, professionals and amateurs, has been -- if not eliminated -- so drastically lowered that it is revolutionizing our society just as the printing press revolutionized medieval Europe."
"That's the world we find ourselves in," Governor said, "and what's particularly interesting is that developers are both the Catholic Church and the Protestants, the High Priests and the upstarts."
In another good news/bad news observation, Governor included software patents on his list of developer challenges for the coming year.
"Software patents continue to be disastrous for software developers," he said, "with trolling from both mega corps like Apple, and a motley band of ambulance chasing IP lawyers, being a huge problem. That said, recent U.S. court cases indicate a willingness of the judiciary to stop the madness. Weirdly, patent law may even be a bright spot in 2013."
Governor is another blogger who should be on your list.
Posted by John K. Waters on 02/06/2013 at 10:53 AM
Earlier this month Mozilla announced the first developer preview phones specifically designed for its Firefox OS.
The phones -- two of them -- are being developed by a Spanish startup called GeeksPhone in partnership with Spanish telecom Telefónica. Mozilla says the phones will be available sometime in February.
The devices are the "Keon," a basic smartphone that comes with a 1GHz Qualcomm Snapdragon S1 processor, 4GB of ROM, 512MB of RAM, a 3.5-inch HVGA display, a 3-megapixel camera, MicroSD support, a 1580 mAh battery, and support for 2G and 3G networks; and the "Peak," a more powerful device with a dual-core 1.2GHz Snapdragon S4 processor, a 4.3-inch qHD IPS display, an 8-megapixel rear-facing camera (2-megapixel front), 4GB of ROM, 512MB of RAM and a 1800 mAh battery.
Stormy Peters, director of Web sites and developer engagement at Mozilla, made the announcement on her blog on the Mozilla Hacks Web site. "Developers are critical to the Web and to Mozilla's mission to make the web accessible to everyone," Peters wrote. "Hundreds of millions of people worldwide use Firefox to discover, experience and connect to the Web. A Web based on open standards and open technologies. We couldn't have done this without Web developers. Now we are working on bringing the power of the Web to mobile, through Firefox OS, along with all the power of open standards and an open community, and once again, we'd like to invite web developers to join us."
Mozilla announced plans to develop an open-source, Web-based mobile operating system in 2012. The OS is set for release later this year.
The GeeksPhone Web site welcomes developers to "Say hola to the future," and declares, "Our developer preview devices have been designed to enlighten the Firefox OS experience, giving developers the chance to tap the future of mobile."
But how much of an impact on current approaches to mobile application development will a web-only Firefox OS have? Not much, says Ovum senior analyst Nick Dillon. He sees the Firefox OS as "an interesting academic exercise" comparable in this regard to Google's Chrome OS. The advent of the new mobile operating system is unlikely to facilitate a dramatic change, Dillon writes in an Ovum comment. One reason: There's already plenty of support for HTML5 on the leading smartphone platforms, which means there's no real need for another one to drive adoption of the technology.
"Another significant barrier to the success of Firefox OS," Dillon wrote, "will be cost. The Firefox OS devices will be targeted at emerging markets, where they will be competing with low to mid-tier Android devices. From a consumer perspective, the Firefox OS devices will offer less functionality than comparable Android devices, without access to embedded Google services and the hundreds of thousands of third-party applications available on Android devices."
Developers who don't want to buy the dedicated hardware will still be able to test their applications using the Firefox OS simulator, the company said.
Posted by John K. Waters on 01/31/2013 at 10:53 AM
An Oracle executive has promised to "fix" problems with Java that have left Web sites running the Java plugin vulnerable to malicious hackers and resulted in some high-profile security breaches. Speaking with Java User Group (JUG) leaders during a conference call last week, Oracle's senior product security manager, Milton Smith, said that his company cares about Java security, and has been working on the problem and will continue to do so.
"The plan for Java security is really simple," Smith said. "It's to get Java fixed up -- number one -- and then, number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have got to fix Java..."
Oracle has been working to improve Java security, Smith said, though much of that work has not been publicized. He pointed to new security features, such as a slider on the Java control panel that allows users to effectively disable Java on the browser.
And it is the browser -- or rather, browser plugins, which run applets -- that is the focus of Oracle's security efforts, Smith said.
"The area of concern is the plugin -- so that's applets," he said. "A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser. It's the biggest target now. We haven't had those sorts of problems or challenges on the servers or embedded devices."
One caller complained that the media are "very loose when they talk about Java security...when most of the trouble has been in a very specific use case for Java [the browser]."
Smith emphasized the need for better communication about Oracle's efforts to secure Java. He argued that many people "don't understand the features that are out there," and the role the end users play in securing their own computers. He said the company plans to reach out to engineers, IT professionals who run data centers and user groups, such as the one addressed in the call.
Donald Smith, Oracle's director of product management in the OpenJDK group, talked about the possibility of using this year's JavaOne conference to communicate more fully with the community about Oracle's security plans and the community's needs. He asked those in attendance for feedback about the idea of a stand-alone Java security track at the conference.
Milton Smith added that Oracle doesn't know yet precisely what it wants to communicate, but that calls like this one with the JUG leaders were "laying the ground work" for improved communications in the future.
Oracle has been criticized for its handling of Java security, and questions have arisen about the future of client-side Java. Forrester Research analyst Mike Gualtieri told ADTmag in an earlier interview that the steady surfacing of Java security vulnerabilities could kill any chance that Java will play a bigger role on the desktop or mobile devices in the future. IDC analyst Al Hilwa pointed out that any add-on to a browser is going to increase the surface area for security attacks. But he also pointed out that Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).
"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (e.g. Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," he said. "This is why the industry is shifting to HTML 5 for browser applications, so that the browser vendors own the security of the platform end-to-end."
The Oracle/JUG conference call can be found here.
Posted by John K. Waters on 01/30/2013 at 10:53 AM
Client-side Java has a big, bright bull's eye painted on it, and black hats just can't seem to resist shooting at it. Oracle was relatively quick to respond to news of the latest critical vulnerability in Java 7 (revealed last Thursday; fixed by Sunday), but many security mavens have been unwilling to tell users that it's safe to enable Java in their browsers again. It didn't help that the U.S. Computer Emergency Readiness Team (US-CERT), which is part of the U.S. Department of Homeland Security (DHS), had issued a warning to Average Joe computer users to disable Java.
After more than a year of headline-grabbing revelations of new security flaws, is it fair to ask whether client-side Java is living on borrowed time? Some industry watchers think so.
Although Java will remain alive and well on the server, says Mike Gualtieri, principal analyst at Forrester Research, the steady surfacing of security vulnerabilities we're seeing today on the client side is likely to kill any chance that Java will play a bigger role on the desktop or mobile devices in the future.
"It's like all Java developers were just diagnosed with a devastating, incurable disease," Gualtieri said. "What are you going to do? Bite your tongue, keep your head down, and keep writing code."
Al Hilwa, program director at industry analyst firm IDC, points out that any add-on to a browser is going to increase the surface area for security attacks. And Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).
"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (e.g. Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," he said. "This is why the industry is shifting to HTML5 for browser applications, so that the browser vendors own the security of the platform end-to-end."
Java has been gaining popularity as a target for a few years now, observes Jerome Segura, senior security researcher at anti-malware solutions provider Malwarebytes. About a year ago it surpassed Adobe Reader, which had been the leading target, in part because of changes Adobe made to its sandbox, but largely because Java is now so widely deployed across so many devices and platforms.
It's also Java's inherent complexity that invites exploitation, Segura said, because that quality increases the number of possible bugs in the code, and thus, the number of potential vulnerabilities. Another problem is Oracle's tendency to leave the end users in charge of updates. Oracle's remedy for the current problem, for example, was to fix one of the two bugs behind it directly, and leave the users to update the default security settings to fix the second bug.
Sorin Mustaca, product manager and IT security expert at German security solutions provider Avira, applauds Oracle for acting quickly to fix the latest zero-day vulnerability, but says there's a downside to such fast action.
"When you fix such an important bug in such a short time under high pressure, the result is that you will see even more bugs like that in the future," Mustaca said. "But also, our feeling is that Oracle has gotten into the habit of reacting to a crisis -- to putting out fires -- instead of mitigating. And so this is why we have mixed feelings about this."
Mustaca agrees that Java's widespread deployment lies at the root of its recent appeal as an exploitation target.
"The number of devices has exploded in the past two to three years," he said. "And Java runs on almost all devices. Oracle says that it's on more than three billion of them -- everything from your computer to your car to your fridge. And it's an accepted technology, even by Apple. So of course it's going to be a target, and of course we are going to react strongly when it is exploited. It has a much bigger impact."
Hilwa points out that Java has attracted the attention of the "malware industrial complex," which is evolving into a "fast moving, well capitalized underworld of software-for-hire available to anyone willing to pay." Automated kits are now available that exploit any security hole within days, if not hours, after it becomes known.
"The ante is regularly upped by the malware industry," he said, "and companies who want to be in the plug-in business are essentially engaged in an arms race. And it's relatively difficult for end-users to verify the safety of all the different browsers they use. This puts the onus on Enterprise IT to create awareness for their users. So Oracle needs to step up their investment. No doubt the company understands this now."
Posted by John K. Waters on 01/16/2013 at 10:53 AM