The annual Oracle OpenWorld conference got underway this week, and I was among thousands of attendees swarming into San Francisco's Moscone Center to hear Larry Ellison's keynote opener on Sunday night, and then again this morning for the early a.m. presentations.
So far, it's been kind of a pitchfest on the keynote stage, with Oracle execs flogging existing product lines, announcing some new ones and pounding on its conference theme: "Hardware and Software: Engineered to Work together."
But one announcement -- the company's planned Big Data Appliance -- was generating rumor-buzz a couple of weeks ago, largely from the NoSQL community. The BD Appliance is an "engineered system" that combines Apache Hadoop, the framework for working with data-intensive distributed applications that's based on Google's MapReduce; the R software environment for statistical computing and graphics; and Oracle's version of the NoSQL database.
It's the NoSQL news that generated the buzz.
NoSQL, the non-relational, distributed, schema-free, open-source, horizontally scalable DBs that emerged around 2009, have been getting attention as the most effect DB for the Web, the cloud, and mobile computing. There are quite a few of them out there: Google, Amazon, Facebook, and LinkedIn all have NoSQL databases.
Oracle was short on details about its NoSQL database. A company Web page offers only a couple of paragraphs, in which it's described as "a commercial grade, general-purpose NoSQL database using a key/value paradigm," which "allows you to manage massive quantities of data, cope with changing data formats, and submit simple queries." There was no indication that it would be open source, and Oracle has not commented about that.
"To date, Oracle has told their customers that NoSQL is useless or, at best, should be used only for a very limited set of use cases, Phillips wrote. "Despite this, over the past two years, we are unaware of a single, Internet application for which Oracle was picked as the database. If Oracle is now ready to join the party on the scalability, performance and data-model-flexibility advantages of NoSQL, we welcome them. We know firsthand that NoSQL is a huge market opportunity, and Oracle would be missing the boat on a major disruptive force in the database market were they to ignore it."
Couchbase co-founder and SVP of products James Phillips noted that Oracle has been, historically, cautious about touting new technologies "that could be viewed as disruptive to their core business model."
"The unveiling of their NoSQL and Big Data technology next week indicates that Oracle is now validating what we at Couchbase have long accepted as the new market reality," he wrote, "[that] there is a fundamental shift in how modern applications are being built, and what those applications need from a data management system. Customers are investing time and money across the 'big three' themes in data management: Big Data, NoSQL, and mobile. And Oracle clearly doesn't want to miss yet another market shift."
I also talked on the phone with Max Schireson, president of 10gen (and a former Oracle employee). 10gen is the creator and chief commercial sponsor of MongoDB, another open source, document-oriented database, written in C++, and first released in 2009.
"I think the interesting question is around the distribution model," Shireson said. "Is it going to be open source? If it's traditional expensive enterprise software, my guess is there won't be a ton of interest. But open source is a disruptive business model that's challenging for a company like Oracle. I can't imagine it would be very attractive to them. But the database space is growing rapidly, and the question becomes, how much of that growth is going to be syphoned off by new players."
Shireson says that his company -- a relatively new player -- is seeing customers moving off Oracle and onto alternative databases. He points to photo-sharing site Shutterfly's recent move from Oracle to MongoDB for the storage of that site's considerable photo metadata. "They did it for the flexibility primarily," he said. "But they got great benefits in terms of scalability and price performance. When that happens often enough, it makes you want to play in that new space."
Schireson blogged about Oracle's then-rumor NoSQL announcement last month. It's worth a look.
Stay tuned for ongoing Oracle OpenWorld/JavaOne rants in this space.
Posted by John K. Waters on 10/03/2011 at 12:57 PM0 comments
The intrepid trio of app security mavens who decided back in 2009 that it was about time the world had a set of best practices for developing and growing an enterprise-wide software security program based on actual data has unveiled the third version of their innovative Building Security In Maturity Model (BSIMM).
A "maturity model" describes the capability of an organization's processes in a range of areas, from software engineering to personnel management. The Capability Maturity Model (CMM) is a well-known example from software engineering. The BSIMM (pronounced "bee-simm") is the first maturity model for security initiatives created entirely from real-world data.
BSIMM3 which is distributed free under a Creative Commons license, provides insight into 42 of the most successful software security initiatives in the world. The list of companies studied for BSIMM3 includes Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo and Zynga.
Dr. Gary McGraw, CTO of Cigital; Sammy Migues, director of knowledge management at Cigital; and Dr. Brian Chess, chief scientist at Fortify Software (acquired by HP last year), are the co-authors of this on-going, multi-year study. The purpose of the project, McGraw told me, is to build a "measuring stick," so that companies can compare themselves to companies in their industries who have managed successful software security initiatives. Using the BSIMM measuring stick, McGraw, Migues, and Chess conducted a series of in-person interviews with executives in charge of software security initiatives.
McGraw emphasized that the model is fact-based. "We wanted to turn from the early days of evangelism and advocacy in software security and science," he said. "And this is how to do it."
The project has grown considerably since BSIMM1, which looked at only nine companies. BSIMM3 describes the work of 786 software security professionals working with a satellite of 1,750 affiliated professionals to secure the software developed by 185, 316 developers. The participating organizations represent eight overlapping industry verticals, including: financial services, independent software vendors, technology firms, telecommunications, insurance, energy, media, and healthcare. The current release includes 109 updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.
BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity. Eleven of the participating firms were measured twice, providing longitudinal study data; those data showed measurable improvement, McGraw said.
The BSIMM3 data set has 81 distinct measurements; some firms were measured twice, while some had multiple divisions measured separately. Among the revelations in this version of the study is the fact that the
leading firms on average employ two full-time software security specialists for every 100 developers.
"It's exciting to see something that started out as kind of a backyard science experiment bust out of its test tube and take on a life of its own," McGraw said.
BSIMM3 results conclude that "mature" software security initiatives are "well rounded," with activities in all twelve practices, including: strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing and configuration management.
"One of the coolest side effects of the project is the community that's growing up around it," McGraw said. "We held a conference last year in Annapolis, and 22 of the 30 firms [attending] sent the executive in charge of software security. We all got together and talked hardcore software security. There's this feeling now of a community of professionals trying to solve the same problems in software security."
For more information and to access the BSIMM3 study, click here.
Posted by John K. Waters on 09/30/2011 at 1:58 PM0 comments
Google is keeping mum on its plans to unveil another new programming language at its upcoming GoTo Conference in Denmark next month, but the buzz is already starting to hurt my ears. The language is called "Dart" (formerly "Dash"), and the conference Web site describes it as "a new programming language for structured web programming." Google's PR rep, Lily Lin, gave me a polite brush off in an e-mail, referring me to the opening keynote presentation at GoTo, during which Google engineers Lars Bak and Gilad Bracha will host Dart's debut.
The closest I'll be getting to anything Danish in the near future is the very-bad-for-me pastries at Le Boulanger in downtown Mountain View. Meanwhile, others are weighing in on Big G's latest language.
Google was similarly motivated when it created the Go programming language in 2009 for its own internal use. The language was developed as an alternative to existing system implementation languages (C++, Java, Python), which Google found were either overly complex, slow to compile, or slow in production, Valdes said. Google hasn't evangelized Go, and Valdes doesn't believe the company will evangelize Dart.
"The larger concern for many," O'Grady added, "is the language in the leaked e-mail that talks about ‘sweet talking' browser manufacturers and encouraging developers to target Chrome first. This is indicative of the kind of company-first-Web-second mandate that used to characterize Microsoft's efforts around [Internet Explorer]. That's what's got people genuinely worried."
Posted by John K. Waters on 09/15/2011 at 2:49 PM0 comments
Geir Magnusson, Jr., the former Apache Software Foundation board member and representative on the Executive Committee of the Java Community Process, has left his position as CTO of Gilt.com to become CTO of new company launched by entertainment entrepreneur and "American Idol" backer Robert F.X. Sillerman. The company is called Function(x) (pronounced "function ecks," not "function of ecks," you math geeks), and its broadly stated mission is to "establish a new platform for investments in media and entertainment with a particular emphasis on digital and mobile technology."
"We're still kind of evolving," Magnusson told me. "But this is business around consumer media consumption. It's about building systems that are mobile-based and scalable for the everyday consumer."
I'm beginning to see why the media dubbed Sillerman's enterprise a "mystery media company" when he took control of dormant public company called Gateway Industries in February to use as a launching pad. Whatever they end up doing over at Function(x), the outfit is currently accumulating talent with experience from companies like MTV, Tidal TV, AOL, Microsoft, Expedia, Massive and Ticketmaster.
Magnusson shifted gears (no pun intended) on his ASF activities to take on the position.
"Right now I'm heads-down focused here with Function(x)," he said. "I still have a very strong interest in open source, and I'm still a member of the ASF and active in pieces of it, but I won't be as active as in the past." He's no longer on the ASF board of directors, but he's the treasurer ("They voted when I was out of the room."), and weirdly, he's still in the JCP. "It's a fairly quiet position," he said. "It wouldn't surprise me if they simply decided to get rid of it."
Magnusson founded several open source projects at the ASF, such as Geronimo, Harmony and Velocity. He also had a relatively high profile during some getting-to-know-you scuffles between the ASF and then-new Java shepherd Oracle. As the ASF's JCP EC rep, he cast the only nay vote for the Java EE 6 spec, which was approved by the committee nonetheless. And he was there when the ASF left the EC. But he was quick to downplay his importance to the organization -- in fact, any one contributor's.
"In a sense, there are no key people as the ASF," he said. "We expect that the projects will outlive their founders. The system is designed to promote a kind of community ownership of anything we do, so that when life changes for people -- they get married, have a child or get a new job -- everything continues without them, though they'll be missed."
And to underscore the ASF's continuing importance to the Java community: "Apache projects are still very much in the forefront of the implementation of Java specifications," he said. "Tomcat, ActiveMQ, Apache Geronimo; they're all staying current and competitive with other offerings, both commercial and open source. It's just that we're no longer participating in the JCP as a member of the executive committee."
My best to Magnusson at his new company... Whatever it is they're doing.
Posted by John K. Waters on 09/09/2011 at 3:20 PM0 comments
This year's Dreamforce event was ginormous. Salesforce.com took over all three wings of the Moscone Center in San Francisco for a week and even closed down a block of Howard Street to accommodate the wanderings of the 45,000 registered attendees. The entire exhibit area of one wing was set up for CEO Mark Benioff's keynote opener, and they still had overflow traffic going into another room to watch the keynote on monitors.
Benioff was in full Elmer Gantry mode, prowling the stage and the audience, preaching his company's newish message about the social revolution and his notions about evolving the Salesforce development platform into a "social enterprise platform." As I reported earlier, he declared, "We were born cloud, and now we've been reborn social!"
Benioff and company announced a bunch of enhancements for the Salesforce Chatter enterprise social network, a new Web-based resource for delivering an HTML5-based version of its applications, the official launch of Database.com with a new Data Residency Option (DRO), new features for its Radian6 social monitoring tool, and support in its Heroku cloud app platform for Java.
If the size of this event is any indication, a lot of people seem to be interested in Benioff's message -- and lot of those people are developers. IDC analyst Al Hilwa sees the news and announcements fired from this conference as another volley in the "PaaS wars," and an ongoing battle for the hearts and minds of application developers.
"There is a major transformation taking place in application platforms and everybody is fighting to paint a vision of what things will look like when all settles down," Hilwa told me via e-mail. "We are drifting into a more diverse world where there are many languages and platforms available to developers in a viable way."
Hilwa pointed to the big, warm hug Salesforce gave to HTML5 at the show.
"HTML5 appears to be how most enterprises will address the diversity of mobile devices that might be coming into the enterprise," he said. "Salesforce and VMware are both aware of that with [Salesforce] announcing that they will touch-enable their platform, and VMware announcing specific infrastructure solutions that enable HTML5 on such devices. HTML5 has a strong future as a unifying technology that will provide the enterprise balance to consumer application platforms [that] use native tools. I see both native and web co-existing and providing different advantages that appeal to consumers and enterprises in different ways."
PaaS war, indeed. Benioff took direct aim at rival Oracle from the stage when he told his audience to "beware of the false cloud" as he stood before an image of the Oracle Exadata server. Meanwhile, Three groups of people tethered to large, cloud-shaped balloons featuring Oracle's logo and "#1 CRM" loitered on the streets outside the conference from early in the morning. I kept expecting to see kite-flying Microsofties, hot air balloons dropping IBM leaflets, or "SAP" rendered in the firmament by skywriters.
I reported this earlier, but it's worth repeating: Gartner says the market for Social CRM will surpass $1 billion in revenue by the end of 2012.
Posted by John K. Waters on 09/02/2011 at 2:04 PM0 comments
Developers deploying Java applications to VMware's new Cloud Foundry Platform-as-a-Service (PaaS) have yet another way to get there. eXo, the French company best known for its GateIn-based enterprise Java portal, has added Cloud Foundry to the growing list of PaaS systems supported by its new Cloud IDE development tool.
The company is billing the eXo Cloud IDE as the industry's only cloud-based integrated development environment. It provides codederos with a multi-tenant, hosted dev space designed to enable the collaborative building of apps based on Java, Groovy, Spring, PHP, Ruby and HTML, among others. And the apps you build with it can be deployed directly to a PaaS environment.
Keep in mind that this is a separate product line, not to be confused with the development tools that are part of the company's enterprise software stack, the eXo Platform. Currently in version 3, the eXo Platform comes with a Web-based IDE, a portal framework, collaboration tools, an enterprise content management system, a knowledge management solution and a set of enterprise social networking capabilities. The core platform is architected on the GateIn portal framework, an open source project developed jointly by JBoss and eXo.
The eXo Cloud IDE has been under development for about a year and a half, and the initial beta program was launched at the beginning of the year, explained the company's San Francisco-based developer advocate Mark Downey. When I talked with him, he was eager to correct a little glitch on the company's Web site.
"Although we still call it a beta, since we are rapidly adding new features and fixing bugs, the service is now available to everybody," he said. "The statement on our homepage saying that the service is limited to a small number of developers is no longer true."
eXo's announcement comes on the eve of the annual VMworld conference, which gets underway next week in Las Vegas, and just ahead of the beta release of VMware's new Micro Foundry PaaS for client machines. (Look for the eXo Cloud IDE at Booth #171 at the Vegas show.)
Including Cloud Foundry, the eXo Cloud IDE now supports application deployment to four PaaS environments. The others are CloudBees, Heroku and Red Hat OpenShift.
"Cloud IDE makes it possible for developers to collaborate on building Java applications in the cloud, apps that they can deploy directly to Cloud Foundry in minutes," the company's founder and CEO Benjamin Mestrallet said in a statement. "The code now lives in the cloud, accessible from virtually anywhere with a browser and Internet access..."
If you're interested, eXo is welcoming all comers to download the eXo Cloud IDE, despite what the download page may say. And the company is holding an intro webinar on or around September 8. Check here for details. And there's also a video demo available here.
Posted by John K. Waters on 08/25/2011 at 9:40 AM0 comments
The advanced primates over at Gorilla Logic have been working those opposable thumbs overtime recently. The results: FlexMonkey 5, a revamped version of the company's flagship open source automated testing tool for Adobe Flex and AIR. The company is calling this release "a major re-write" of the core open source tool that was driven by real-world feedback from the FlexMonkey community and Gorilla Logic's customers.
"We'd evolved the platform tremendously, and with [version] 4.19 we really hit our stride," Gorilla Logic's VP of engineering, Ed Schwarz, told me, "but we also got a lot of feedback about some aspects of it, and we realized that if we were going to take FlexMonkey to the next level, we had to do a bottom-to-top review and come out with a brand new version."
That version, code named "FlexMonkey Reloaded," had been in beta since the beginning of the year. It became the platform's main code base as of August 1.
The list of enhancements in this version is a long one. It includes more robust recording, playback and verification of all Flex UI interactions including mouse, keyboard, drag/drop and timed actions; a new graphical console for creating and editing test suites; assertions to verify results; "wait for" functions for robust interactions with internet services and different-speed devices; the ability to generates ActionScript versions of the tests that can be easily extended with additional control or data-driving logic; and compatibility with unit test suites and continuous integrations environments.
Gorilla Logic is primarily a software services firm specializing in rich Internet applications (RIAs) and enterprise app development with Java, Adobe Flex and mobile platforms. The Broomfield, Colo.-based company was founded by a group of former Sun Microsystems execs back in 2002, but FlexMonkey has only been on the market since 2008. The tool has been downloaded more than 11,000 times since then, so the company's claim that it has become "the de-facto standard in the industry" is more than marketing hyperbole.
The band of founding Gorillas includes Schwarz, who founded the global e-Business consulting organization at Sun; CEO Stu Stern, who ran the Sun Java Center, Sun's global Java professional services organization; and CFO Hank Harris, who directed Sun's Professional Services group, which was responsible for telecom accounts in North America. (And it's really "band." I looked it up.)
"When we were at Sun during those late '90s days, running Java consulting, we had access to a tremendous pool of talent, folks who were excited to work this then-new technology called Java," Schwarz told me. "We were able to hire really strong, experienced developers from all over the country. We still know those folks, and that experience is at the core of what we do here at Gorilla Logic."
In addition to FlexMonkey, the company makes FoneMonkey, a free and open source testing tool for iOS apps. The company recently released FoneMonkey 5; and FoneMonkium, a free Selenium IDE plugin that adds FlexMonkey capabilities to that tool.
"Conceptually they do the same thing," Schwarz explained. "They record and playback user interactions right off the application. Our frameworks live inside the applications, and can get tremendously robust and detailed information to the automation engine. And then they automate out to continuous integration environments so they can form the backbone of the regression test suite."
The company's efforts have been focused, at least in part, Schwarz said, by the founders' belief that automated functional testing is essential for developer productivity.
"Developers end up being able to be bolder, to do more, and to realize the value of Agile methodologies much more strongly when they have that regression-testing safety net around them," Schwarz said. "Because of that, we were driven to develop the open source tools that are central to our strategy."
FlexMonkey 5 is upward-compatible for tests recorded with FlexMonkey 4.1. The FlexMonkey development team intends to support the 4.1.x version for sustaining development for six months. To download a copy of FlexMonkey 5, click here.
Posted by John K. Waters on 08/24/2011 at 3:24 PM0 comments
There's a lot that's new in Oracle's recent release of the Java Platform Standard Edition 7 (Java SE 7), but for Martin Odersky and much of the Scala community, this release is all about its updated concurrency infrastructure -- the new Fork/Join Framework in particular, which was actually part of the JSR-166 concurrent utilities that didn't make it into Java 5 or 6. "This will no doubt further improve the performance of Scala's higher-level parallelism construct," he said in a released statement, "including its parallel collections and actors."
I recently talked with Odersky while he was in Lausanne, Switzerland, where much of the development for his company, Typesafe, takes place. The months-old commercial startup behind the open source Scala project, which Odersky created, and the open source Akka event-driven middleware framework, maintains its official headquarters in Cambridge, Mass.
The multicore support in Java SE 7 will create even more synergy between Java and Scala, he told me. "We're happy about the release in the sense that the Java platform got a much needed update, further improvements in speed, and some core and key libraries for us as well," Odersky said. "most notably the Fork/Join Framework. We have always had actors, which are built on Fork/Join, and which provide a good way to program concurrent software and distributed programs. Since [Scala] 2.9 we also have parallel collections, which are essentially the same collections as the standard collections, which are pretty nice to use. They get lots of accolades from users. And now everything can be done in parallels. Essentially better Fork/Join means faster parallel collections."
Scala, of course, is a general purpose, multi-paradigm language designed to integrate features of OO and functional programming. Odersky's brainchild runs on the JVM and is compatible with existing Java programs.
The Scala community added the Collections API in version 2.8 last year. The framework provided for the first time a "common, uniform and all-encompassing" framework for collection types. "Actors" are Scala's primary concurrency construct (concurrent processes that communicate by exchanging messages).
The Fork/Join Framework is an implementation of the ExecutorService interface that takes advantage of multiple processors. It was created by Doug Lea, the guy behind most of what happens in concurrency in Java, and it's designed for work that can be broken into smaller pieces, recursively. "The goal is to use all the available processing power to make your application wicked fast," reads the Oracle Java Tutorial.
Lea serves on the advisory board of Odersky's company, as does James Gosling (you know: the Father of Java). Odersky describes Typesafe as "the commercial arm of the Scala and the Akka projects."
"We develop the language a little bit, but that's more a community job," he said. "But we have an open source Eclipse IDE that has been progressing nicely, and a type-safe stack that consists of the Scala runtime, the SBT that's the Scala build tool, and the Akka middleware. And we support that stack typically for very large enterprises."
Odersky says the number of Scala users is growing at a slow, but accelerating rate.
"We think we have more than 100,000 [users] now," he said. "Two years ago, Scala started from nothing has gone up steeply since then. Overall my best guess is that we have about 1% of the Java market now, but that's doubling a bit faster than once a year. Once percent doesn't look like much, but when it's doubling every year, it looks pretty promising."
I asked Odersky what he would put on his Java SE 8 Wish List. He said he had two that he was sure wouldn't be fulfilled in the next release: 1) for Oracle to finally update the class-file format. "Even in the pure Java world, you'd have a good motivation to do something about that. But it's even more pressing in Scala, because Scala produces a lot of Closures." 2) a proposal called Public Defender Methods or Virtual Extension Methods, which addresses the problem that, once an interface is published, methods can't be added without breaking it. The proposal would allow for the addition of new methods to existing interfaces, and it would allow the Collections interface to take advantage of Closures.
"But I have to say that what's going to be in Java 8 is perfectly fine," he added. "It will pose no problems for us, and I'm sure we will profit directly from these improvements."
Odersky also said that he, like many in the Java and related communities, is happy to see the end of the deadlock on the Java Community Process.
"Not having a new release out for five years is certainly not something that you want," he said. "It's good that things move forward again. And I do believe that the JVM as a platform has a great future."
Posted by John K. Waters on 08/16/2011 at 3:27 PM5 comments
My inbox is positively billowing with press releases, product announcements and marketing department communiqués about the cloud. A quick keyword search of last week's pile alone turned up 400 electronic missives containing "cloud" and 175 of which contained "cloud application."
Navigating this e-mail thunderhead put me in mind of a conversation I had with David Intersimone earlier this year. Intersimone is vice president of developer relations and chief evangelist for tool maker Embarcadero Technologies. Better known as David I, he worked for more than two decades at Borland, the company that invented the IDE, then CodeGear, the company that emerged from Borland's decision to shed its tools business. I caught up with my favorite programming guru during his latest trip down under to visit the Australia Delphi Users Group (and to get in a bit of scuba diving in).
Intersimone believes it's time we dropped modifiers like "cloud" and "Web" from the application developer lexicon.
"When something is new, people feel compelled to add a qualifier, descriptor, locator or container around it to set the context," he said. "But eventually, when it's not new anymore -- or meaningful -- do we still need to keep the qualifier? Desktop applications, client/server applications, rich Internet applications, Web applications, cloud applications -- ultimately for the developer, they're just applications."
From a marketing standpoint (or as a way of explaining trends early in their evolution) those qualifiers are understandable, Intersimone allowed, but they're essentially meaningless to developers -- and are potentially limiting.
"As a developer, what do I do?" Intersimone said. "I build a user interface. I might talk to databases. I might use some APIs -- and nowadays I don't care if that API is a Google Maps API, a Facebook API, a Windows API or whatever. All you're doing is calling through REST or HTTP or TCP or calling remote functions, passing parameters in JSON packets and getting data or metadata back. And from a programming standpoint, I don't really have to think, 'oh, I'm building a rich Internet application.' Do I use Silverlight or SVG or Flash... I don't even think about that anymore. They're all just reusable objects and reusable APIs to me."
The result, Intersimone says, is artificial limits that might seep into the developer mindset.
"It's OK to say, 'I'm building a rich application, or I'm building a data visualization application, or I'm building customer billing application.'" "Those can be useful descriptions. But when you add qualifiers, whether its 'cloud,' 'Internet' or 'Web,' it's just about the specification, so somebody knows what it runs on. We don't have to be locked into one way of building a beautiful application. I'm just saying that we should remember that."
David's blog, "Sip from the Firehose," is a worthy addition to your online reading.
Posted by John K. Waters on 08/12/2011 at 3:28 PM1 comments