Bit9 released a report last week underscoring the ongoing security risk to the enterprise posed by outdated versions of Java still up and running on company machines -- versions of the platform with vanishing support and known and easily exploitable vulnerabilities.
Bit9 sifted its own data on more than a million end points to assemble the report. It found that, among those end points with Java installed, more than 80 percent are currently running Java 6. That version reached the end of public support in April. Though Oracle customers with long-term support contracts continue to receive security updates for Java 6, most of the company's efforts to strengthen security have been focused on Java 7. The Bit9 researchers found that only 15 percent of the endpoints were running Java 7 -- and only 1 percent of those had installed Java 7 update 21 (the latest secure version at the time of the study).
Also, according to the report ("Java Vulnerabilities Report: Write Once, Pwn Anywhere"), 42 percent of the endpoints are running more than one version of Java, and 20 percent are running more than two versions. And 5 percent of the organizations analyzed had 100 or more distinct Java versions installed in their environments.
Why are so many endpoints running multiple versions of Java? Because the Java installation and update process often does not remove the older, vulnerable versions, observed Bit9 CTO Harry Sverdlove.
"IT administrators have essentially been lied to for 15 years," Sverdlove said in a video posted with the report. "They have been told that to protect themselves from the latest security vulnerabilities they should apply updates and apply them frequently. But for many years applying updates to Java left the older versions still present...Attackers are able to use those older versions."
Jerome Segura, senior security researcher at anti-malware solutions provider Malwarebytes, agrees. "Oracle advises its users to remove old versions [of Java], but does not automatically do it for various reasons," Segura said. "In some enterprises, old Java versions are required for backwards compatibility."
"Remember the saying 'never change a running system'?" said Sorin Mustaca, product manager and IT security expert at German security solutions provider Avira. "That's exactly what is happening out there. Ten or fifteen years ago, when many of those applications were written, there was no danger of hackers [doing] pen-testing on them with the only purpose of discovering vulnerabilities that can get exploited. Now we have this danger and Oracle sees itself in front of a big problem, which has many faces."
But even organizations running the latest version of Java are often not on top of their updates. In March, Websense published a report on its investigation of active Java versions running on tens of millions of endpoints. It found that 93 percent of users had not patched to the most recent version of Java. Like Bit9, the Websense researchers also found that enterprises have been slow to apply Java 7 update 21.
"This is not a new issue, of course," said Julien Sobrier, senior security researcher at Zscaler. "Java is an old technology and it has been running on many devices for many years. It has always been a struggle to keep it up to date."
It may not be a new problem, but it is a serious one, said Brian Gorenc, manager of vulnerability research in Hewlett-Packard's Security Research organization. Gorenc runs the Zero Day Initiative, the world's largest vendor-agnostic bug bounty program.
"Those older versions of Java can have a lot of security flaws, which are actively targeted by attackers," Gorenc said. "You see it in the advanced exploits. They're verifying which versions of Java are running, and then targeting the older versions if they're installed. A company might think they're doing the right thing by updating their Java installations, but in reality they still have versions of Java 6 out there running on older patch levels, which means they still have the attack surface from Java 6."
Creators of exploit kits, which are marketed and sold to malicious hackers, regard older Java bugs as highly valuable, Gorenc said, and those bugs are still used to compromise machines.
"The best advice here is nothing new," Gorenc added. "Organizations need to know what software is running on their systems, what attack surface that software exposes, and how to use risk-management tools to properly address the reality of their situation."
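Gorenc's advice amounts to knowing what is installed and what attack surface it exposes. The following is an added example written for this post (not Bit9's tooling or report code) that applies the three signals the report describes to an inventory: Java 6 still present after its end of public support, a Java 7 install behind update 21, and more than one version left behind by the updater. Host names and version lists are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// JavaVersion is a parsed legacy-scheme Java version such as "1.6.0_45" or "1.7.0_21".
type JavaVersion struct {
	Major  int // the "6" or "7" in "1.6" / "1.7"
	Update int // the number after the underscore; 0 when absent
}

// ParseJavaVersion accepts only the "1.<major>.<minor>[_<update>]" scheme used by
// Java 6 and 7, the versions the report covers; anything else is an error.
func ParseJavaVersion(s string) (JavaVersion, error) {
	base, upd := s, "0"
	if i := strings.IndexByte(s, '_'); i >= 0 {
		base, upd = s[:i], s[i+1:]
	}
	parts := strings.Split(base, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return JavaVersion{}, fmt.Errorf("unrecognised Java version %q", s)
	}
	major, err1 := strconv.Atoi(parts[1])
	update, err2 := strconv.Atoi(upd)
	if err1 != nil || err2 != nil {
		return JavaVersion{}, fmt.Errorf("non-numeric field in Java version %q", s)
	}
	return JavaVersion{Major: major, Update: update}, nil
}

// Finding holds the risk signals the report discusses, for one endpoint.
type Finding struct {
	HasJava6   bool // Java 6 or older present: past end of public support
	StaleJava7 bool // a Java 7 install behind update 21, the latest secure one at the time
	Distinct   int  // distinct versions installed; >1 means the updater left old ones behind
}

// Clean reports whether none of the signals fired.
func (f Finding) Clean() bool { return !f.HasJava6 && !f.StaleJava7 && f.Distinct <= 1 }

// Assess flags one endpoint from the list of Java versions found on it. Versions are
// deduplicated so the same build installed twice (32- and 64-bit JREs, say) is not
// counted as "multiple versions".
func Assess(versions []string) (Finding, error) {
	var f Finding
	seen := map[JavaVersion]bool{}
	for _, raw := range versions {
		v, err := ParseJavaVersion(raw)
		if err != nil {
			return f, err
		}
		seen[v] = true
		f.HasJava6 = f.HasJava6 || v.Major <= 6
		f.StaleJava7 = f.StaleJava7 || (v.Major == 7 && v.Update < 21)
	}
	f.Distinct = len(seen)
	return f, nil
}

// SampleFleet is constructed sample data (host -> installed versions), not Bit9's dataset.
var SampleFleet = map[string][]string{
	"ws01": {"1.6.0_45"},
	"ws02": {"1.6.0_31", "1.7.0_17"},
	"ws03": {"1.7.0_21"},
	"ws04": {"1.7.0_21", "1.7.0_15"},
	"ws05": {"1.6.0_45", "1.6.0_45"},
}

func main() {
	for host, versions := range SampleFleet {
		f, err := Assess(versions)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %+v clean=%v\n", host, f, f.Clean())
	}
}
```

Feeding real inventory data (for example, the version lists an endpoint agent or software-inventory tool already collects) into Assess gives the same per-endpoint view the report aggregates across a fleet.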
Posted by John K. Waters on 07/24/2013 at 10:53 AM
Oracle has unveiled a summer campaign that includes a series of programs and activities for Java developers "and aspiring developers around the world." Dubbed "Make the Future Java," the campaign comprises webinars, new (and not-so-new) technical videos, a tool kit for Java User Group (JUG) leaders, a "Make the Future Java Global Celebration" Web site, and live events taking place in 47 countries.
Oracle says more than 100 Java-related events are scheduled as part of the campaign, which culminates with the annual JavaOne conference, scheduled for June 22-26 in San Francisco. JavaOne Shanghai takes place later this month (July 22 to 26) in China.
"This is really an aggregation of several important announcements and campaigns that do amount to a summer push and an effective way of getting the word out," said IDC analyst Al Hilwa. "This is a fun campaign and the Java community will love seeing some marketing go towards Java."
Oracle's Vice President of Development Cameron Purdy banged the Java drum loudly in the company's announcement. "Oracle is committed to, not only driving Java platform enhancements and technical innovations through collaboration with the Java community, but also, providing developers with the tools and resources they need to implement the latest releases," Purdy said.
Purdy pointed to the Make the Future Java EE 7 Tool Kit, which JUG leaders can order online, as an example of Oracle's commitment to the Java community. The kits include both technical and promotional resources, ranging from a Java EE 7 technical presentation with speaker notes and a hands-on lab with step-by-step instructions that speed up the creation of three-tier, end-to-end Java EE applications, to a Java flag (with portable stand) and a "License to Code, Make the Future Java" entertainment video "celebrating the triumph of Java over evil."
The program also includes a Future of Java Summer Workshop, with which the company hopes to "inspire students' love of technology and computer science, and spark the next generation of Java innovation." The workshop is aimed at 13- to 18-year-olds with an interest in Java programming, and will be staffed by Oracle Academy members and supported by Carnegie Mellon computer science professors. Oracle Academy, a group within the company focused on industry-related education, is set to host a three-day, in-person workshop from July 30 to August 1st at Oracle's Redwood Shores, CA, headquarters.
But the workshop will also rely on "Alice," a free 3D programming environment for creating animated stories, interactive games, or videos to share on the Web. The company is also making Greenfoot and BlueJ tools and tutorials available to workshop participants.
With the Make the Future Java Global Celebration Web site, Oracle is attempting to provide a new forum for Java community members to promote their Java EE 7 events and to "engage with the worldwide community" by sharing videos, contributing blog content, Tweets (#javaee7) and Facebook photos.
"It is useful to remind the world every now and then how important Java is in the enterprise," Hilwa added. "I also love the claim being made [by Oracle] that 80 percent of mobile developers target Java, because even though Java is widely deployed in the embedded space, you can't dismiss the importance of the Android mobile platform to the continued relevance of Java in the smartphone world."
Posted by John K. Waters on 07/10/2013 at 10:53 AM
Microsoft's annual Build conference drew about 6,000 attendees to San Francisco this week, and an estimated 60,000 caught the keynotes online. The Redmond software maker officially released the preview edition of Windows 8.1 at the show (complete with a resurrected Start button), unveiled new Azure cloud services focused on mobile and Web development, and pitched the Bing search engine as a development platform.
Microsoft chief Steve Ballmer trotted out a truly dizzying array of Windows devices (an "explosion of new devices," he said), including small tablets, that he said were flying off the shelves. ("The small form factor is very important," he said.) He also showed off new Facebook, Flipboard and NFL apps for 8.1, and beat the drum of "touch, touch, touch." He also pointed out proudly that it has been only eight months since the last Build conference -- evidence, he said, of the new rapid release cadence of Microsoft products. (Not that Windows 8.0 needed a rapid refresh.)
The company also promoted a public preview of Visual Studio 2013 and .NET 4.5.1, which impressed conference attendee Ryan Balsick, manager of a small development group in Nashville-based ICA. Balsick's company is a .NET shop that builds a suite of products that facilitate health information exchange.
"Microsoft always has great developer tools," Balsick said, "but the company's biggest challenge is to get people to use Windows 8. If you're an app developer, like we are, that's critical. It's only if a lot of people are using that platform that we get to start developing applications that take advantage of cool things like touch."
Balsick thought Microsoft's announcement that it was opening up the Bing search engine as an app development platform could prove to be a game changer. Microsoft launched a developer portal this week stocked with a collection of APIs.
Gurdeep Singh Pall, VP of Microsoft's Bing group, made the Bing pitch during his portion of the keynote. "Bing is a great search tool," he said, "but it's actually very valuable outside of the search box as well. For a long time now, we've thought that you could use these capabilities to create some great experiences."
"Making it possible for developers to tap that and create seamless applications that tie into search: that's huge, too," Balsick said.
Steve Testa, an application developer at Cleveland, Ohio-based Hyland Software, was also impressed by the Bing-as-a-dev-platform strategy. "I think it'll be amazing to see what comes out of that in the next year," he said.
Testa's co-worker at Hyland, Chuck Camps, agreed. He also felt that the unified Windows platform vision seemed to be coming together. And he credited Microsoft for its attention to its developer community.
"Microsoft doesn't always get it right," he said. "But one thing they do get right is the developer experience. They nail it, year after year."
Zack Williamson, an independent contractor from Tampa, Fla., who works mostly with servers and clients, was impressed by the new multiple-monitor support coming in Windows 8.1 and "enhancements to the Start screen experience." He added that he's "all in" when it comes to the new OS.
"I've been pushing for it in my environments," he said, "trying to get people to migrate in that direction. It's the future. It's where we're going, and it's not actually a particularly painful transition."
But it was the Windows Azure integration with Visual Studio 2013 that interested him most as a developer. VS now connects with Azure Mobile Services, allowing developers to synchronize over multiple devices.
"To be able to update and edit your procedures in Azure right from the IDE instead of having to go off into Azure management is going to be a big, big deal for a lot of developers," he said.
One common complaint I found among the attendees I spoke with after the two keynotes was a lack of detailed announcements around Windows Phone. Ballmer spoke briefly about the platform, and showed off several Windows phones. It was also announced that Sprint will be adding the HTC 8XT and the Samsung ATIV S Neo Windows phones to their device lineups -- good news for Microsoft, which has yet to make much of a dent in the cell phone market.
Beau Mersereau, who leads the development team at the law firm of Fish and Richardson, felt that Windows 8 had created a true inflection point that might give a lot of people pause, but not one that would cause his firm to leave the Windows platform.
"We're a law firm and documents are what we do," he said, "so for us, it's about Office. We have a tight integration with Office now and we're going to be rolling out Office 2013 in the fall. We're on Windows 7 and Office 2010, so the question is really, do we stay with Windows 7 or move to Windows 8?"
I also sat down with IDC analyst Al Hilwa (who seems to be everywhere) at the show. He sent me his take on the conference later in an e-mail:
"When you look at the body of changes that is 8.1," he wrote, "you can't help but be startled by what Microsoft has accomplished in 8 months. In addition to the long list of features, the app store re-design and the enterprise integration enablement, I have to add the retail work with Best Buy, the new device sizes, and the fact that [the upgrade] is free. All this could amount to a game changer for this platform. To be sure Microsoft's work is not over, as there is much more alignment between Windows Phone and Xbox ecosystems still to be done, but on both the PC and tablet front, 8.1 looks like a release that will see a significant increase in adoption."
Not surprisingly, I did not hear a single complaint about Microsoft's decision to hand out free Acer Iconia W3 Windows 8 tablets and Microsoft Surface Pros to attendees at this year's show. (Taking a page from Google's playbook, no doubt.)
Posted by John K. Waters on 06/28/2013 at 10:53 AM
The Eclipse Foundation will soon allow the hosting of its projects on social coding sites, such as GitHub and Bitbucket. The idea, says the Foundation's executive director Mike Milinkovich, is to attract new, maturing projects to Eclipse.
"We expect that this will pique the interest of projects that, perhaps, started on GitHub, but have gotten to the point where they're interested in vendor-neutral governance, having infrastructures for following meritocratic processes, and proper intellectual property management," he told ADTmag. "That's not just what GitHub does. I think we're a perfect complement to using GitHub as a repository for your development."
But the move is also about remaining relevant as an open source community, Milinkovich said. He announced the Foundation's plans on his "Life at Eclipse" blog, where he credited Mikeal Rogers' November 2011 post "Apache Considered Harmful" as the inspiration for the decision: "Although I disagreed with many of Mikeal's points," he wrote, "his key point that open source foundations need to change to maintain their relevance resonated strongly with us in the Eclipse community. We listened, we're learning, and we've been working hard to change our processes and infrastructure to stay relevant for open source developers."
Milinkovich's announcement shouldn't come as much of a surprise: The Eclipse Foundation has been shifting to the very popular Git distributed version control system (DVCS) for some time; it stopped using CVS altogether last December. GitHub is one of the most popular social coding sites, in no small part because it relies on Git. In his blog post, Milinkovich also mentions the Foundation's adoption of the Gerrit code review tool, the implementation of the project management infrastructure (PMI), and its growing use of contributor license agreements (CLA).
The Vert.x project may also have been the impetus for the Foundation's interest in connecting with social coding sites. Vert.x is one of the most watched Java projects on GitHub (literally; there's a list), and the community chose the Eclipse Foundation when it decided to move to a "vendor-neutral home."
"This is about marrying the processes we have at Eclipse with the great tools and well-supported forge that you have at a place like GitHub," Milinkovich said.
Milinkovich said he expects to talk with Bitbucket, a service that supports both Git and Mercurial and was purchased by Atlassian in 2010, as well as other social coding sites, sometime in the future.
Posted by John K. Waters on 06/25/2013 at 10:53 AM
Developer tool and platform vendors are kicking the summer off with a slew of product and partnership announcements. In particular, we've been hearing a lot from providers of tools for publishing, promoting and overseeing application programming interfaces (APIs). Here are some API management product notes that wouldn't fit into the main news feed but that we thought you shouldn't miss:
- Apigee unveiled a new feature for its API platform that should appeal to devs building API-powered apps: push notifications. According to the company, its backend-as-a-service (BaaS) capabilities can now be used to deliver relevant and context-aware notifications directly to customers. "Sharing information directly with a carefully targeted audience has proven to be the most effective way to connect with customers," said Ed Anuff, Apigee's head of product strategy, in a statement. He added that the new feature enables highly focused, context-aware push campaigns. The free, self-service Apigee platform is available as software-as-a-service or on-premises. More information about the new push notifications feature is available here.
- SOA Software has added support for Windows Azure to its API Management solution. The newly released API Management solution for Microsoft is designed to help developers "plan, build, run, and share your APIs on Windows Azure," the company says, in both on-premises and hybrid environments. The API management software integrates natively with the Windows Azure Service Bus, BizTalk Server, and Windows Communication Foundation (WCF). "SOA Software's approach to API management is to emphasize management across the full lifecycle," the company said in an email. "In our experience, working with large corporations, the best practice is to involve stakeholders and processes fully through the plan/build/run/share phases of an API's life." For more information, visit the API Platform page.
- Enterprise middleware maker WSO2 has released API Manager 1.4, which the company says is the first API manager that can run on a private, public, or hybrid cloud environment. The company also claims that it's the first such product to enable federated access to APIs across multiple entities, "enabling new models for organizations to collaborate and monetize APIs." Launched last year, this birth-to-death API governance and analysis tool/platform is the company's bid to "democratize API management" with an affordable piece of software for controlling and managing the API lifecycle.
Posted by John K. Waters on 06/14/2013 at 10:53 AM
Oracle reversed course this week on its earlier decision to cut the popular Time Zone Updater (TZUpdater) tool from the latest version of the Java Development Kit (JDK 7) -- or was that just a slip of the knife? The tool, which allows developers to update the time zone in any version of the JDK and Java Runtime Environment (JRE) without having to update the JDK/JRE itself, was removed from the Oracle Technology Network (OTN) Web site "as part of maintenance tied to the end of public updates for Oracle JDK 6," wrote Henrik Stahl, senior director of product management in the Java platform group, on the Oracle blog.
In that blog post, Stahl also apologized to the Java community for "any confusion or inconvenience we caused."
When Java 6 reached end-of-life status in March, Oracle dropped a note on the site informing users that the tool was now available only for Oracle Java SE Support customers. Those users were not happy, and they let Oracle know about it. Stahl called the decision "an unintentional side effect" and "not in line with our policy."
Stahl also said that, though the company's goal is "to make sure that the most recent version of the JDK and JRE always contain the most recent time zone data," (by eliminating the need for a separate TZUpdater tool) it's not always possible to do that, "given the timing of the time zone updates." He added that his group is reviewing its own development process "to determine what guarantees we can put in place for the gap between a time zone update and it being available in a public JDK/JRE release."
The most recent version of the Oracle JDK will always be available royalty free, Stahl said, including any tools required to keep it up to date. The TZUpdater is available now for download here.
Posted by John K. Waters on 06/12/2013 at 10:53 AM
IBM wants to give customers using its System z mainframes the ability to extend their important business applications to the Web, the cloud and mobile environments, the company says. Toward that end, the company has updated its Enterprise COBOL for z/OS compiler to support XML Server and Java 7.
IBM's z/OS is a 64-bit operating system for Big Blue's System z mainframes; Enterprise COBOL for z/OS is the compiler that allows line-of-business COBOL applications to execute on z/OS systems. COBOL (Common Business Oriented Language), of course, is one of the oldest high-level programming languages.
Why would IBM invest in an upgrade that allows one of the oldest programming languages in use today to support one of the youngest? The fact is, many enterprises still have a big investment in COBOL code. About 60 percent of the world's business applications were written in COBOL, and an estimated 200 billion-plus lines of COBOL code currently exist. Big Blue claims that nearly 15 percent of all new enterprise application functionality is actually written in COBOL.
"COBOL powers many of the critical systems people rely on every day," said Kevin Stoodley, CTO of IBM's Rational division and an IBM Fellow, in a statement. "With this new software, IBM is helping companies reduce operating costs and processing time associated with these applications while delivering new capabilities to take advantage of cloud, Web and mobile devices."
By supporting Java 7 and XML Server in Enterprise COBOL for z/OS v5.1, the company is effectively extending the life of this venerable system, IBM says, and making it compatible with new cloud-based architectures. Making the compiler Java- and XML-compatible also helps developers to integrate COBOL and Web-based business processes with web services, XML, Java and COBOL applications. The upgrade actually provides both XML and Java interoperability, including flexibility and control of the XML-generated documents.
The compiler also adds support for new UTF-8 built-in functions and some debugging enhancements, and it supports unbounded tables and groups. Look also for a new level of z/OS System Management Facility (SMF) tracking capabilities.
IBM Enterprise COBOL for z/OS v5.1 compiler works with the latest versions of IBM Customer Information Control System (CICS), Information Management System (IMS) and DB2 software, the company says. The upgrade should be available later this quarter.
Posted by John K. Waters on 05/21/2013 at 10:53 AM
Google announced the release of version 1.1 of its Go programming language two days before its annual I/O conference, which gets underway on Wednesday. The first major update of the open source language since the search engine giant released version 1 just about a year ago focuses on performance-related improvements, including optimization of the compiler and linker, garbage collector, goroutine scheduler, map implementation and parts of the standard library.
Google engineer Andrew Gerrand announced the release on Monday in "The Go Programming Language Blog." "It is likely that your Go code will run noticeably faster when built with Go 1.1," he wrote.
The new version also comes with minor changes to the language itself. Gerrand calls out two of those changes: modifications to return requirements, which he says will lead to "more succinct and correct programs;" and the introduction of method values, which provides "an expressive way to bind a method to its receiver as a function value."
Concurrent programming is also safer in this version, Gerrand says, because of the addition of a data race detector for ferreting out memory synchronization errors in a program. More details about how the race detector works are included in the new Go manual. Also, the tools and standard library have been improved and expanded.
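The two language changes Gerrand calls out, and the kind of bug the race detector exists to catch, are easier to see in code. The following is an added example written for this post, not code from the Go 1.1 announcement; the Counter type and the function names are invented for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// Counter guards its count with a mutex so that concurrent Inc calls are safe.
type Counter struct {
	mu sync.Mutex
	n  int
}

func (c *Counter) Inc() {
	c.mu.Lock()
	c.n++
	c.mu.Unlock()
}

func (c *Counter) Value() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.n
}

// BoundIncrement shows a method value (new in Go 1.1): c.Inc evaluates to a func()
// with the receiver c already bound, so it can be stored, passed around and called later.
func BoundIncrement() int {
	c := &Counter{}
	inc := c.Inc // method value: receiver bound now, call deferred
	inc()
	inc()
	(*Counter).Inc(c) // method expression, for comparison: receiver passed explicitly
	return c.Value()
}

// RunWorkers starts the given number of goroutines, each calling fn perWorker times.
func RunWorkers(fn func(), workers, perWorker int) {
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := 0; j < perWorker; j++ {
				fn()
			}
		}()
	}
	wg.Wait()
}

// SafeCount hands the method value c.Inc straight to the workers; every increment
// goes through the mutex, so `go run -race` has nothing to report.
func SafeCount(workers, perWorker int) int {
	c := &Counter{}
	RunWorkers(c.Inc, workers, perWorker)
	return c.Value()
}

// RacyCount is the unsynchronised version: n++ from many goroutines is a write-write
// data race. Built with -race the detector reports it; without it the result is
// silently wrong (typically below workers*perWorker) and varies from run to run.
func RacyCount(workers, perWorker int) int {
	n := 0
	RunWorkers(func() { n++ }, workers, perWorker)
	return n
}

// FirstPowerOfTwoAbove ends in a `for` loop with no condition and no break. Under
// Go 1.1's relaxed terminating-statement rule that loop is a valid final statement,
// so the unreachable trailing `return` Go 1.0 demanded is no longer needed.
func FirstPowerOfTwoAbove(n int) int {
	p := 1
	for {
		if p > n {
			return p
		}
		p *= 2
	}
}

func main() {
	fmt.Println("bound:", BoundIncrement())
	fmt.Println("safe: ", SafeCount(8, 1000))
	fmt.Println("racy: ", RacyCount(8, 1000)) // nondeterministic; -race flags it
	fmt.Println("pow2: ", FirstPowerOfTwoAbove(100))
}
```

Run it once as `go run main.go` and once as `go run -race main.go` to see the detector report the race in RacyCount while the other functions pass cleanly.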
First announced in 2009, Go (also known as "Golang") is a compiled, garbage-collected, concurrent systems programming language that Google reportedly uses in its own production systems. According to Gerrand, more than 2,600 commits from 161 people have been contributed to the project since Go 1.0 was released.
"All this would not have been possible without the help of our contributors from the open source community," Gerrand added, highlighting the contributions of Shenghou Ma, Rémy Oudompheng, Dave Cheney, Mikio Hara, Alex Brainman, Jan Ziak, and Daniel Morsing.
Go 1.1 is compatible with Go 1.0, but the project leaders recommend that users upgrade to the new release, which can be downloaded here.
The announcement underscores the emphasis Google I/O conference organizers are placing on developers at this year's event.
"This is truly a developer conference this year," one event organizer told @ADTmag. "They're definitely the focus this year."
Sundar Pichai, head of Google's Android group, seemed to be managing expectations for this year's event in a Wired interview. The company won't be launching many new products at this year's show, he said, but instead will show off the work being done by developers on the Android and Google platforms.
That organizer also said that this year's event looks to be the largest to date, with more than 5,500 registered attendees, 120 technical sessions, 18 code labs (essentially, hackathons) and 185 partners in the "Sandbox" showing off their products and services.
Posted by John K. Waters on 05/14/2013 at 10:53 AM
Listening to Mitra Azizirad, GM of Microsoft's Developer Tools Marketing & Sales group, talk about Redmond's plans for its venerable Visual Studio IDE and her long career with the company, I was reminded again why I feel so lucky to be on the tech beat: Almost every day I get to talk with smart people who love what they do.
Azizirad was in San Francisco last week with "Soma" Somasegar, VP of Microsoft's Developer Division, speaking with a group of reporters informally about MS developer tools. (More on that conversation in Visual Studio Magazine.) She started at Microsoft as an architectural engineer based in Washington D.C. back in 1992, which gives her a decades-long perspective on the evolution of the role of the developer in the enterprise.
"These are really exciting times for people in our business," Azizirad said. "Exciting, but unpredictable. No day looks the same at this point. People's roles in the enterprise are changing. And the conversations we're having these days are very different from the conversations we had a few years ago."
Talking with execs about application metrics, for example.
"You find yourself talking with the CIO and CMO about features that have business value and sustaining those throughout a regular cadence," she said. "And how often will we rev certain features? And what are the key performance issues? What are the bottlenecks from a development perspective? How do you recognize those bottlenecks and move past them? How are you looking at where the bugs are showing up and how quickly can you go in and solve for those? These are conversations you would never have had outside the development teams before."
Azizirad is also seeing a significant shift in Application Lifecycle Management (ALM) decision making within the enterprise. Although developers still make the lion's share of those decisions, about a third are now made by operations, she said.
"Developers are still making most of those decisions," she said, "but it used to be just developers. Operations is coming up really quickly in that regard. They're saying, we're not just waiting for you to make the choice; we know what we need on this end, too. So connecting those teams is sometimes a big part of what we do."
But making those connections, Azizirad added, is rarely just about the capabilities of the technology.
"At a certain level, these are cultural issues," she said. "Developers use this set of tools and this set of platforms; operations uses this other set of tools and platforms. Getting past those differences and bringing those groups together has become a core part of a cultural shift within the enterprise."
A shift, she added, that is also being driven by the demands of accelerating software delivery cycles.
"They simply need to come together, because you no longer have these long release cycles," she said. "Gone are the days when you could take three months to plan, nine months to build, and six months to test. When we talk to organizations today, we may start out talking to individuals, but at some point, they're all in the room together."
Microsoft has itself committed to a rapid update "cadence" for Visual Studio that, along with the usual bug fixes and performance enhancements, includes new functionality, beginning with April's release of Update 2. Since it was launched back in September, Visual Studio 2012 has garnered more than 4 million downloads, the company reports. That's the fastest uptake of any version of VS in the history of the company.
"I've seen just a few truly pivotal shifts in the industry since I joined Microsoft," Azizirad said. "They almost always start with the developer, and I believe that we're seeing one of them now. It's an amazing thing to be a part of."
Posted by John K. Waters on 05/10/2013 at 10:53 AM