JavaOne 06 DayTwo

The streets are gray and foggy, and there's a brontosaurus-sized crane parked in the middle of Howard Street loading a 15-ton hunk of the Titanic into the Metreon Center.

It must be Day Two of JavaOne .

Who thought it was a good idea to block two, and sometimes three lanes in front of Moscone during one of the biggest tech conferences of the year? Of all the idiotic... but that's another story.

It's easy to blow off late-in-the-day events at tech shows, but I stuck around today for what was billed as ''The Bill Joy Panel on Software Security.'' It was held at the W Hotel, and it was well worth the wait.

Sponsored by Fortify Software, the panel focused on what I have been convinced is the industry's core security challenge: the applications themselves. It included Dr. Bill Pugh, professor of computer science at the U of Maryland and founder of FindBugs ; Dr. David Wagner, prof of computer science at UC Berkeley; and Dr. Gary McGraw, CTO of Cigital and author of Software Security: Building Security In (great book). Fortify's young chief scientist, Dr. Brian Chess, was slated for moderator duties, but the new dad arrived late, so CTO Roger Thornton manned the lectern. Fortunately, Chess joined the panel.

But it was Joy—Sun Microsystems' co-founder and chief scientist, rockstar programmer, co-designer of three microprocessor architectures [SPARC, picoJava, and MAJC], and augur of a frightening future (Hey, who wasn't scared by that Wired story about the rise of the robots?)—who was the panel's star attraction. Joy told me that this would be his only stop at this year's JavaOne, and he remained cheerfully unaffected by opening jibes from the panel and the audience about his hair.

Everyone on the panel agreed that modern developers must accept greater responsibility for security, and they offered the following bits of security-guru wisdom for Java jocks:

McGraw: ''When I began writing about security back in 2000, we were just trying to establish a philosophy, to get the message across that software builders need to think about security. We're past philosophy now. We've got to start talking about simple, concrete things that developers need to do to make their applications more secure, and we've got to start holding them accountable if they don't do those things. We can do it. The time has come.''

Thornton: ''We can focus on security strategies that try to catch the things out there attacking our software—firewalls, intrusion detection, antivirus—or we can make our software stronger so that those things can't harm it. The software that's out there today was made without an awareness of current vulnerabilities. But from this day forward, if there is a single development team anywhere on earth that's making code that'll be accessed by more than 12 of their best friends and they don't build it to stand up to attacks, they are either incredibly ignorant or completely negligent.''

Pugh: ''A lot of people think that errors, defects, and stupid mistakes are sins that the lesser programmers commit. But I have used automatic tools to find insanely embarrassing bugs written in production code by some of the very best programmers out there. People think that because they have 'smart' employees and good a development process that they're not going to have stupid bugs. But everyone makes stupid mistakes. They just happen. The question is, what are you do to find and eliminate them.''

Wagner: He cited some disturbing (though not that surprising) statistics: 80% of home users' computers are infected with spyware; the mean time to infection of an XP-based machine taken out of the box and added to an unprotected network is 15 minutes. ''It's clear that the hackers are getting better at exploiting vulnerabilities than we are at defending against attacks. We're loosing the security battle right now. We're falling behind, and we need to step up our game.''

Chess: He offered a corollary to his favorite Bill Joy quote (''Most of the smart people in the world don't work for you.'') ''Most of the smart people in the world might not even be on your side! If you think about what hackers are going to do to your software, they're basically going to test it for weaknesses—essentially the same thing you do when you test it. The difference is, they have more clock cycles to do that with than you do. You have to release your software, and then it's out there, potentially forever. So, if you use the same techniques that the bad guys are using to attack your software, inevitably you are going to lose. You've got to do something different. You've got to build your software in a way that takes that advantage away from the attackers.''

Joy: ''It's important to know which things are abundant and to use them to make up for the things that are scarce. What's abundant right now is processor speed and memory; what's scarce is the ability to get to what I used to call the it-works option—to actually finish and debug code. So it seems to me that we should be using languages and tools that let us produce more reliable and secure software, over things that might run a little faster and take up less memory.''

AJAX is the buzzword of this year's show, so I asked the panel members what they thought of increasingly popular combo of Asynchronous JavaScript and XML. They gave the new Web development technique a collective raspberry. Wagner summed it up this way: ''JavaScript is a disaster from a security point of view, but we're stuck with it at this point. AJAX means more JavaScript, which is just going to perpetuate the problem.'' Chess added: ''I see shifting to more lines of JavaScript as revisiting a bunch of security problems that we've been trying to stamp down over the past 20 years.''

They did allow that JSR 223, which seeks to improve interoperability between Java and scripting languages, held some hope.

I hate to admit it, but my favorite part of that discussion came when Joy took responsibility for naming JavaScript, a vexing misnomer of Netscape's implementation of ECMAscript, which has little in common with Java. ''The Netscape guys called me on the phone when I was in San Francisco on a family outing,'' he said ruefully. ''They were in a panic, and they wanted to use the name. I wasn't thinking when I said yes.''

Before the panel convened, I button-holed Fortify's VP of products, Mike Armistead. Fortify is one of two stand-alone security firms with booths at this year's show (the other is Symantec), and it's the only one focused on application security. Armistead thinks the new emphasis on enterprise Java is making Java jocks more security-minded. ''We're getting a lot of leads,'' Armistead told me. ''If we had been here last year, I think people would have just blown by the booth. But this year, they're coming up to us and saying, we really need to talk with someone about security.''

That's good news.

BTW: Check out Gary McGraw's Silver Bullet Podcast interview with Avi Rubin, professor of computer science and technical director of the information security institute at Johns Hopkins University. Rubin is the guy who revealed the glitches in the Diebold electronic voting machines back in '03.

I'm off now to get a look at the chunk that sunk—and impeded traffic all day!

More tomorrow.


About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].