It took 18 months, 155 releases, and the efforts of hundreds of contributors to get here, but version 1.0 of GitHub's Atom text editor is now available. First released to open source in May 2014, Atom is a customizable, cross-platform text editor built with HTML, JavaScript, CSS and Node.js integration. It runs on the Electron framework, and it works on OS X, Windows or Linux.
It's an understatement to say that this "hackable text editor for the 21st century" has proved to be popular. Since it was released last year, Atom has been downloaded 1.3 million times, GitHub says, and it now has 350,000 monthly active users. That sizeable community has to date created 660 themes for the editor and 2,090 packages. And some big names have added Atom to their enterprise tool belts, including Facebook, which based its new, open source Nuclide IDE on Atom.
What makes Atom such a great innovation for developers? Let's start with the "hackable" part.
"Your dream editor and my dream editor are not the same thing," GitHub senior engineer Ben Ogle, a core engineer on the Atom project, told me. "I like a dark theme; you like a light theme. I write front-end code for websites; you write system code. We should not have to use the same editor. What we want at GitHub, and what Atom gives you, is total control over the editor so you can make it your dream editor."
In other words, developers can tweak Atom's look and add features that suit their individual needs.
"We want you to feel empowered to dig in," Ogle said. "That's why we built Atom on familiar technologies. You won't need to learn something new like you would if you were to, say, extend Emacs. "With Atom, you can use the knowledge you already have."
And the "21st century" part?
I think that was best explained to me last year by Nathan Sobo, a founding member of the Atom team.
"Now that we're in this polyglot world, you'll notice that whenever a new programming language starts to emerge, the first tools available for it are always Emacs and Vim," Sobo said. "It always starts with this very general purpose editor that someone has extended to make themselves more productive in this environment. So we developed Atom is to provide a tool that accelerates that process. A new language comes along and very quickly people can build fantastic tooling around it without having to wait for some business to get started that needs a guaranteed capital flow to build a customized product around that language."
Atom is the brainchild of GitHub founder Chris Wanstrath, who, the story goes, began experimenting with a desktop editor based on Web technologies back in 2008. He called it "Atomicity," and worked on it as a side project, until it was shelved in 2009 while he focused on the launch of GitHub.com. Wanstrath later revived the project, which evolved into Atom.
GitHub looks at Atom 1.0 as a foundational release that will support a burgeoning community, Ogle said. "We focused on the core editing experience and modularity [in Atom 1.0]," he said. "Now we have this giant community around us, with tons of core contributors. Lots of them have push access, but don't work at GitHub. It's getting to the point where we're really just shepherding the community," he said.
How does Atom fit into GitHub's overall social coding mission?
"It's called social coding, but what that means is that our mission is to help people work better together," Ogle said.
"Atom is part of that mission, long term," Ogle said. "We're defining the base with this release, but down the road we will be asking, what does it mean to have social coding in your editor? Editors are, historically, very individual things with no social component. What we're thinking about is how we might bring the social ideas from GitHub into your editor."
And in case you're thinking that the release of a new text editor, no matter how "hackable" and "21st century" it might be, is small potatoes, consider this insight from my interview with Sobo: "There is no more personal relationship that a programmer has to anything in his or her career than to their text editor," he said. "It's literally in the muscles of your hands! Even as you're crossing programming languages, the text editor is the one thing that can go with a developer for their entire career."
Ogle put together lots of details about the Atom 1.0 release, including lots of links and a more complete history, in a great post on the GitHub blog.
Posted by John K. Waters on June 26, 20150 comments
I knocked on quite a few doors last month, looking for Java mavens to talk with about the language on its 20th birthday. Lots of people got back to me (I think they got tired of the banging), and I heard some great stories. But I was surprised that, to my first question -- "What has been the most significant change in the Java language and/or platform in the past 20 years?" -- no one answered, "Open sourcing Java." It's probably the way I phrased the question, but I remember Java jocks clamoring back in the day for Sun to release their beloved language under an open source license.
Onno Kluyt, who chaired the Java Community Process (JCP) from 2002 until he stepped down in July 2006, helped build the OpenJDK community and, as he puts it, "held the JCP together while we were doing the open sourcing and building that other community." I asked him the question I should have asked: "How important was the open sourcing of Java?"
"Looking back on it, it was too little too late," Kluyt told me via e-mail. "Linux was already very well established, and Android had happened. If Sun had open sourced Java two or three years earlier, some of the history might have played out differently. But the Microsoft lawsuits made that timing impossible."
You might remember that Sun sued Microsoft for $35 million in 1997, claiming that Microsoft breached its contract by trying to extend Java so it would work differently, and, MSFT argued, perform better, on Windows computers. They didn't settle until 2003. Three years later, Sun released quite a bit of Java under the GNU General Public License (GPL), and a year after that, finished the job.
You might also remember that Kluyt took some heat in 2003 for asking the community, "What do you think [the open sourcing of Java] does that people can't do today?"
"There were a lot of misconceptions about what Sun's license for Java before the open sourcing (SCSL) allowed or didn't allowed you to do," Kluyt explained. "It was a lot of more open and lenient than most developers were aware of. And so I asked that question a few times during developer events to get a discussion going about what developers felt they needed to do with the code base, what they wanted to do, and of those things what they believed they couldn't do now. To some extent Sun's open sourcing of Java was a symbolic act. It didn't really mean a change of heart about code contributions from the outside [or] a loosening of its grip on the core APIs. Put the code base under a well-known free and open source license and move on."
So, what was the most significant change?
"Over this time span that is a little difficult to answer," Kluyt said. "I would probably pick the HotSpot VM technology and the concurrency APIs, which together gave Java near-native performance and enabled large-scale, real-world deployments. But there are so many others: generics, closures, the added byte code making it much easier for other programming languages (Scala for example) to run on top of the JVM, servlets, JSPs.
What it is about the JCP that has allowed it to continue supporting Java in all its forms?
"Internally we often paraphrased Churchill: it's the worst kind of governance except for all the alternatives," he said. "Java has one inventor and one owner: first Sun and now Oracle. But it has interest from companies large and small beyond that one actor. And there were and are many great opinions and expertise outside Sun/Oracle on how to evolve it. In the JCP, Sun found a tolerable way to allow that outside influence, while keeping its seat at the head of the table. Sun could not, and now Oracle cannot, push through Java changes without some decent support from its competitors, and conversely, those competitors cannot push through significant change without some buy-in from Oracle. So both sides need each other. It came close to blowing up about two or three times but in the end: see Churchill's quote."
What is it about Java, the language, that has allowed it to evolve and thrive all these years?
"One half is the language; the other half is the platform, the virtual machine," he said. "Java was the first well-adopted language that had security and networking built in, that had a memory management model that shielded developers. Its syntax was easy to learn for C/C++ developers, its OOP concepts were easier to grasp than Smalltalk, and it made supporting multiple platforms significantly better than anything else around. Sun was also luckily with the adoption of Java in that its timing was great; the World Wide Web was just emerging and Java's characteristics happened to lend itself very well for that."
How important was the development of the Java platform?
"Maybe I'll answer it this way," he said. "No Java, no Android."
More on This Topic:
Posted by John K. Waters on June 9, 20150 comments
More on This Topic:
Java turned 20 last week and I've been talking with Java mavens and industry watchers about the history and current state of the language and platform at the end of its second decade. I was especially glad to hear back from Patrick Curran, who has served as the chairman of the Java Community Process (JCP) since 2007. He worked at Sun for 15 years before that, where, among other things, he led the Java Conformance Engineering team in Sun's Client Software Group. That group was responsible for developing Technology Compatibility Kits (TCKs) for Java SE and Java ME. (There was a separate team for Java EE.)
When he was at Sun, Curran reported to Onno Kluyt, who was the previous chair of the JCP. "Onno wanted to move on to other things," Curran told me, "and he passed the job on to me."
The JCP, of course, is the standards-development organization for Java. That group has gone through some significant changes of its own since Oracle acquired Sun in 2010, including a multi-year effort to reform its governance and processes with such initiatives as JCP.next, and the merging of two JCP Executive Committees. The organization is now wrestling with the challenge of revising the Java Specification Participation Agreement (JSPA), which Curran has called "big and scary."
I talked with Curran via e-mail.
Waters: What has been the most significant change in the Java language and/or platform in the past 20 years?
Curran: I'd nominate the introduction of Generics in Java SE 5 as the most significant language change, since this enabled the creation of a type-safe collections framework. As for the platform, the use of annotations in Java EE 5 greatly simplified the programming model by eliminating the need for XML descriptor files. Looking forward, I believe that the introduction of modularity in Java SE 9 will also prove to be extremely significant, quite possibly in ways that we cannot currently predict.
Waters: The JCP is a little younger than Java itself, but it has seen some significant changes of its own since it was establishe -- in the past few years especially. You have told me that its core mission has remained intact, and that those changes were made to better fulfill that mission. But Java has come such a long way from its webby, applet-making origins to become an essential enterprise technology. I guess I'm wondering what it is about the JCP that has allowed it to continue supporting Java in all its forms.
Curran: The strength of the JCP is the fundamentally simple model of a group of interested experts defining specifications through a formal process that includes public review and oversight by an Executive Committee (EC). The process has always been flexible enough not to define exactly how the Expert Groups should do their work. This has permitted a natural evolution (with a little help and direction from the EC in the form of revisions to the Process) from the early days of relatively private deliberations by representatives of large corporations to the current, much more open and collaborative model. It's a Community Process, and that's its strength.
Waters: What is it about Java, the language, that has allowed it to evolve and thrive all these years?
Curran: Its simplicity, ubiquity -- thanks to the wide availability of virtual machines -- and its compatibility (Write Once Run Anywhere).
Waters: How important was the development of the Java platform?
Curran: It's difficult to over-estimate the importance of the Java platform. Basing it on the Java Virtual Machine, which could be (relatively) easily ported to different hardware and OS environments, made it possible for the first time to develop applications that, in turn, would run in all of those environments. Before Java, it was difficult if not impossible to port programs between environments. Now it's no longer necessary, and we can run identical programs on everything, from the smallest embedded processor to the largest supercomputer or cluster.
Waters: I know this is tricky, but who, besides James Gosling, makes your list of the most important figures in the evolution of Java?
Curran: Rather than call out a small number of people I'd prefer to recognize the very large number, many of them anonymous or certainly not well-known, who have helped to make Java what it is today through their participation in the JCP and in open-source development projects. Java has been successful precisely because of the collaborative way in which it has been developed. James Gosling started it, but it's the community that has developed it and made it successful.
Posted by John K. Waters on May 29, 20150 comments
More on This Topic:
It has been 20 years since the first version of Java was released to the public, and according to the TIOBE Programming Community Index for May, it's still the most popular kid in school. As I mentioned in an earlier post, Oracle is marking the anniversary with a Web site with lots of links to articles and video clips. Definitely worth a visit.
I've been talking to Java mavens about why, despite licensing controversies, seemingly endless security challenges and the rise of languages like Node.js, Python, Google Go and JavaScript (which apparently also turned 20 this month), Java continues to win so many hearts and minds.
RedMonk analyst Stephen O'Grady said the design of the language offered key development advantages over closer-to-the-metal languages like C or C++, which ensured Java's initial relevance. But the key to Java's longevity has been the widespread industry support it has enjoyed. "By serving as common ground between large industry competitors and a sea of enterprise applications," he said, "Java reached the critical mass that granted it a role of importance and kept it evolving along the way."
O'Grady also agrees with Kim Polese, whom I interviewed in Part 1, that the adoption of Java syntax for the Android platform was a key step in ensuring the language's relevance for an entirely new class of developer.
"The development of Java, which began its life as set-top box OS, has been tremendously important for the technology industry," he added. "It has been an enterprise standard for decades, is the common denominator among many Big Data platforms and is unofficially the language used to write huge numbers of mobile applications. That's a solid track record." (If you're not reading O'Grady's tecosystems blog, you should be.)
IDC analyst Al Hilwa pointed to Java's ability to address both server and cloud back-ends and desktop, mobile and embedded devices as critical to the language's longevity. He also cited the maturity and scale of the language after continuous improvement, and a good system of governance.
"Java offered one of the first machine abstracted technologies that minimize the sacrifice to performance," Hilwa added. "This abstraction allowed the technology to be portable and also much easier to develop high quality code compared to technologies like C/C++, which are much closer to the machine. That an ecosystem developed quickly around Java in the mid to late 1990's by a number of large vendors, most notably IBM and Oracle, essentially closed the deal and elevated it above any alternatives."
Eclipse Foundation executive director Mike Milinkovich looked back to the support of inner classes in Java 1.1 as a milestone in the evolution of Java, followed by lambdas in Java 8, and the inclusion of the invokeDynamic bytecode in Java 7. But the most significant change for Java, he hastened to add, is probably the most anticipated since lambdas: modularity, which is coming in Java 9. Those other developments "pale in comparison," Milinkovich said. "That is, in my mind, the biggest change to both the language and the platform since its inception."
I also asked about the importance of the development of the Java Platform, and Milinkovich made a fascinating comparison.
"A lot of people hate it when I say this, but Java is this generation's COBOL" he said. "I mean that in an entirely positive way. Java is the programming language that runs an entire generation of enterprise and industrial infrastructure. And just like COBOL, that means that it will be around for many decades to come. But what is even more fun is that innovation and invention continues both in the Java platform and language, and on top of Java in the ecosystem. The combination of being firmly entrenched as the de facto infrastructure language, but with continuing innovation, makes Java the language and platform that matters now and for many years to come."
I touched base with the ever insightful Wayne Citrin, CTO of JNBridge, who argued that the most significant change in Java was the shift in emphasis to the server-side after Sun realized that the original client-side emphasis (set-top boxes, applets in browsers, rich-UI applications) wasn't getting enough traction. "While client-side Java is still worked on," he said, "and new features are being introduced, most attention—and the effort of developers—has long been on the server side."
But he also pointed to managed code and runtimes. "Managed code and runtimes have been one of the most important developments of the last 25 years," Citrin said, "and Java was the first really popular language with a true managed runtime. It showed that managed runtimes were practical for real-life applications. I know there's a move in some quarters back to native runtimes, but I think this is an accommodation to some specialized areas, such as gaming and underpowered mobile devices, but this is a temporary situation, and I suspect those areas will eventually start using managed runtimes, again, too, since they're so much easier to develop for."
I also checked in with jClarity CEO Martijn Verburg, who sees the Java Virtual Machine (JVM) as the secret behind the enduring power of Java. "Even when it waned in popularity for the couple of years, the JVM is so compelling that developers have stuck with it, and now, of course, the language is finding its mojo again," he said.
I asked Verburg what he saw as the most significant change in the language/platform in the past 20 years, and he pointed to Generics, which he said had both a good and not-so-good impact. "It guided developers towards increased type safety for objects as well as primitives," he said, "which vastly improved the safety of much code that came out of enterprise Java shops. However, due to the mismatch with the primitive type system, there have always been significant cracks in the Generics implementation, which will still take one to two more iterations of Java to fix."
Verburg also sent me his "media quote," which I think is worth sharing, because it summarizes the state of Java well: "Java directly or indirectly touches just about every human on this planet. It is the glue that allows mobile health and banking in remote areas of the world, entertains millions with games such as Minecraft, and drives the economic engine of our global markets."
In case I haven't said it already, Happy Birthday Java.
Posted by John K. Waters on May 26, 20150 comments
More on This Topic:
Unless you've been coding in a cave you know that Oracle is marking the 20th anniversary of the release of the first version of Java for public use, which happened on May 23, 1995. Big O has set up a nice Web site with lots of links to articles and video clips commemorating "20 years of Java innovation." If you haven't checked it out, you should.
I've talked with a bunch of people this week about Java's big birthday, including the person credited with naming it. Twenty years ago, Kim Polese served as the original product manager for Java at Sun Microsystems. She left the company in early 1996 to found Marimba, one of the first Internet-based software management companies, with former Sun engineers Arthur van Hoff, Jonathan Payne, and Sami Shaio. She later served as CEO of SpikeSource, an automated software testing company acquired by Black Duck in 2010. She is currently the chairwoman of ClearStreet Inc., a social finance startup focused on "helping people eliminate debt and achieve long-term financial health," and CrowdSmart, which enables university alumni and students to "collaboratively engage, support and profit from alma mater startups."
When it was 'Oak'
Polese spent about seven years at Sun, during which time she worked on the overall development and promotion of the Java brand, including its business strategy, licensing model, marketing communications, and developer evangelism. She first saw Java (then called "Oak") at an internal Sun conference.
"I got a sneak peek of Oak on a device called the Star 7, which had been created to demonstrate the vision behind the language," she told me. "At the time I was the product manager for C++ and object oriented technologies at Sun. Once I saw Java and I realized it's power, I came on board as the product manager."
When it was originally conceived, Java was called a "Green" or "Project Green," depending on whose memory you trust, and Sun actually spun out a separate, wholly owned organization to tackle it. That organization was called FirstPerson, Polese recalled.
"We were housed in a different location from the mothership, in downtown Palo Alto, at 100 Hamilton Ave., which is where Palantir is now," Polese said. "Very few people at Sun knew we existed."
In her new role, Polese's responsibility was a daunting one: to make Java ubiquitous. "I remember feeling the enormous responsibility of my job, because I knew well the potential of this technology," she said. "On the team, our goal was simple: ubiquity or go home."
Former Sun CEO Scott McNealy had begun proclaiming that "the network is the computer" back in the late 1980s, but even by the time Java debuted, the network -- the Internet -- was still limited and primitive.
Way Ahead of its Time
"Java was a language that was designed for a future networked world didn't exist back in the beginning of the 90s," Polese said. "The World Wide Web and Mosaic were infant technologies back then. Quite simply, Java was way ahead of its time."
And yet, it would be Java's role as a tool for building Web technology that initially defined the language. In those early days, Java was all about applets, Polese said.
"Up until we released Java in May 1995, Web pages could only contain static text," she said. "You could only hyperlink to other Web pages containing static text. Java brought interactivity to the Internet. For the first time you could actually run little applications -- "applets" -- in Web pages."
Before Java was released to the world, Sun worked with individual developers at companies, universities and research institutions, encouraging them to write the first applets to provide more than a tumbling Duke animation, Polese recalled. The idea was to demonstrate Java's power.
"These were some very exciting examples that, when people saw them for the first time, made clear the power and potential of Java," she said. For example, one developer from Lawrence Livermore Labs created an app that displayed the image of a human body; when you moved the cursor over the body you would see MRI slices generated in real time. This app pointed to the potential for doctors to collaborate to diagnose diseases remotely. Another applet from a developer at a Wall Street firm was a spreadsheet calculating the value of an individual's net worth based on their stock portfolio, again, in real time. This pointed to the potential for applications in financial services. These were just a couple of the early examples, but they were critical in demonstrating to the world the power and potential of Java when it was released."
Ultimately, Java's first decade would be about enterprise applications and enabling the first generation of the commercial Internet, Polese said. Not surprisingly, her first company, Marimba, pioneered enterprise application deployment and management based on Java.
"For the first time, companies could develop and deliver platform-independent enterprise applications and remotely manage them to any desktop or device inside or outside the firewall, securely and reliably," she said. "This was a huge breakthrough for enabling the ubiquitous adoption of the Internet as a platform for doing business."
Nearing Ubiquity
Now at the end of its second decade, Java isn't exactly ubiquitous, but it's a lot closer -- thanks in no small part to the advent of the Android OS, Polese said. "Java was designed for a future world in which a ubiquitous network would connect us all to each other and to unlimited numbers of devices and embedded systems," she said, "a network that would also connect those devices to each other (a.k.a. the Internet of Things.) With Android, Java is now in billions of devices, and this vision is being fully realized."
So, how did Java get its name? "Oak" (from a tree outside Gosling's office) was popular internally, but Polese felt that the fledgling language needed a moniker that conveyed the idea of waking up the Web. Two brainstorming sessions produced several possibilities, including "Ruby," which would have stood for Runtime Bytecodes, and "WRL" for Web Runner Language. (Web Runner was the name of the browser before it was called HotJava.) "Java" emerged from a riff on the word "caffeine," Polese said.
"We were bringing interactivity to the Web pages," she said, "essentially waking them up with the introduction of applets, so I thought Java would be the best name. But that was not a unanimously held view on the team. In fact, when I held a vote, there was no clear winner. In the end, as product manager, it was my responsibility to choose the name, so I went with Java. I then asked Eric Schmidt, who was running the team at the time, for his thumbs up, which he gave. We had Mark Andersen Design create the logo, and Java turned out to be one of the iconic and enduring brands of the Internet and the connected experience."
More of my conversations with Java mavens about the language and platform at 20 in Part 2.
Posted by John K. Waters on May 22, 20150 comments
It's probably the most popular development tool you've only kinda-sorta heard of. Oracle's Application Express (APEX) rapid Web app development tool has been around for more than a decade in one form or another, and it enjoys enormous popularity within the Oracle community. The latest incarnation, APEX 5, was released last month. The company spent two years and seven months re-engineering the tool, and according to its creator, Michael Hichwa, vice president of Oracle's Software Development group, it was time well spent.
"This release took us a lot longer than usual," Hichwa told me. "In fact, it was the longest period between updates in the history of APEX, and it included three beta programs. We had a bigger objective this time, and we wanted to get it right."
Hichwa has been leading the APEX team since he developed the tool in 1999. Back then, it was really just him, but today there's a team of about 18 developers working on the tool, he said, and a community of about 300,000.
That number may not seem that high when compared with the communities of Java or PHP developers, but they are a devoted bunch. "From the beginning, we've been community-based," Hichwa said. "We get our momentum and excitement primarily from the community, not from Oracle. In fact, our best conferences are run by our user communities."
Formerly called HTML DB, APEX comes with all Oracle databases, starting with Oracle 11g, and is installed by default as part of the core database install at no additional cost. It's a browser-based environment "that combines the qualities of a personal database, productivity, ease of use, and flexibility with the qualities of an enterprise database, security, integrity, scalability, availability and built for the Web," the company says on its Web site.
The tool is popular in IT departments among those running ERP and CRM applications; they use it to extend and fill gaps. But in recent years, APEX has gained traction for line-of-business development -- sales, finance, procurement and so on. "They all have their particular needs for automation within their business groups," Hichwa explained. "Because APEX has a lower bar, technically, business-area experts who are not full-time professional developers, but who are technical, can use it. These are people who can get their heads around a SQL statement and understand the data model. APEX allows them to create a high-quality Web application quickly, without having to dive deeply into the computer science realm."
Hichwa, who, even after more than 10 years on this project, was fairly bursting with a genuinely infectious enthusiasm for this release, said that more books have been written about APEX than any other Oracle technology (20 books, by my count). Expect to see a lot more later this year covering APEX 5. "We'll be writing a few of them ourselves," he said.
APEX 5 is brimming with enhancements, including Universal Theme, an all-new UI for APEX apps. It's simpler than previous themes and more easily customizable, and it addresses the growing need to build modern, responsive, sophisticated apps without requiring expert knowledge of HTML, CSS or JavaScript, Hichwa said. The new UI also includes a new color palette; icons for easy, visual identification; intuitive workflow-based menus; and improved keyboard and accessibility support.
This release also comes with Page Designer, a new IDE designed to enhance developer productivity for prototyping, design, development and maintenance of APEX apps. The IDE provides a drag-and-drop interface for rapid development of app pages. And an enhanced code editor provides SQL and PL/SQL validation with inline errors, auto completion, syntax highlighting, search and replace with regex support, and undo and redo support.
The list of enhancements also includes new a mobile reporting capability; support for modal and non-modal dialogs; a new calendar; and a collection of Packaged Applications -- 19 APEX apps that can be used out-of-the-box and are supported by Oracle.
A complete list of APEX 5 enhancements and details can be found here.
Posted by John K. Waters on May 11, 20150 comments
Things have quieted down quite a bit on the Java security front during the last year or so. Rare these days are the heart-stopping revelations of zero-day vulnerabilities; and fewer are the grumbling editorials about the lack of end-user update hygiene. (Although, as far as I'm concerned, that issue is still quite grumble-worthy.) Oracle's click-to-play feature was at least partly responsible for a 2014 in which there were no major zero-day Java vulnerabilities discovered and exploited in the wild.
Which is great, but not the end of the Java security story. As long as Java's enormous popularity in the enterprise continues, it's going to be an alluring target, Java security expert John Matthew Holt reminded me recently.
Holt is the CTO of Waratek, a company specializing in Java security, so you could argue that he has vested interest in Java insecurity. But he's right to point out that the Java stack has more than one layer. Even if you manage to keep up with Oracle's patch schedule for the Java platform layer, you still have to deal with the app server layer, the libraries and the business logic. And update schedules vary. For example: Oracle releases Java security fixes on the Tuesday closest to the 17th day of January, April, July and October; Apache releases Struts patches every 72 days.
"I give great credit to Oracle for addressing the vulnerabilities in the Java Platform layer," Holt said. "That's kind of a never-ending battle. Even if an organization manages to keep up with the Java security fixes, the vulnerabilities shift to somewhere else in the software stack."
For example: By my count, there have been 10 Struts vulnerabilities reported over the past two years with a CVSS rating of 9 or 10, which is very high and marks them as critical.
Holt is an enthusiastic proponent of Runtime Application Self Protection, or RASP, which Gartner has defined as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." Holt's company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement, and attack blocking from within the Java Virtual Machine (JVM).
"RASP is something very different," he said "We've never had a tool that lives inside the runtime and has the benefit of real, accurate, actionable intelligence about what the application is doing."
Holt's Dublin-based company also recently unveiled its new security technology I wanted to mention called the Taint Detection Engine, which is designed to detect and block SQL Injection attacks without generating false positives or relying on heuristics. The Taint Engine (Pipe down you snickering fifth graders!) is part of the company's AppSecurity for Java product.
As I'm sure you know, a SQL Injection involves inserting malicious SQL statements into an entry field for execution. A successful attack can, among other things, read and modify sensitive data and execute administration operations on the database. Depending on which analyst to pester until he/she emails you back just to shut you up, SQL Injection is responsible for as much as 80+ percent of the records stolen in hacking incidents. It's often at the top of most wanted list at OWASP and the SANS Institute. (OWASP has published a "Cheat Sheet" on SQL Injection that's worth reading.)
"It's insidious," Holt said. "Developers can download these kinds of libraries easily, and incorporate them into their applications. Their managers are happy because they delivered the product on time, but they've got all this code that the organization didn't write, didn't put up to a static analysis tool, didn't get results from, and hasn't been reviewed."
The AppSecurity for Java product performs transparent taint detection and validation of each character in a SQL query in real-time within the JVM. It's a cool product and worth investigating. Waratek went to SaaS and software security consultancy BCC Risk Advisory to have the above claims independently verified. Here's a link.
Posted by John K. Waters on April 8, 20150 comments
JFrog has joined the ever-expanding Docker ecosystem with new support for the container technology in its Bintray distribution-as-a-service (DaaS) platform. Developers use the popular platform to publish, download, store, promote, and share open source software packages.
I think it's fair to call Bintray "popular," because it won a Duke's Choice Award at JavaOne, and it's currently serving 125,690 packages in 39,981 repositories. Then there's the sexy customer list, which includes Apple, Netflix, Twitter, and Oracle.
The France-, US-, and Israel-based JFrog bills Bintray as a self-service platform that gives developers full control over their published software and how it's distributed. Fred Simon, JFrog's cofounder and chief architect, described Bintray as a "seasoned cloud platform," when I Skyped with him earlier this month. "Thousands of developers and DevOps teams use Bintray," he said.
The added Docker support in the new version makes it possible for organizations to create an unlimited number of private Docker repositories, Simon explained. The platform uses the Akamai content delivery network to decrease the download time of large Docker repositories, which speeds up DevOps efforts, he said.
Bintray works hand-in-glove with the company's flagship product, the cloud-based Artifactory binary repository manager (another Duke's Choice winner). Artifactory was one of the first binary repository management solutions. It integrates with the open-source Jenkins continuous integration (CI) server, Atlassian's Bamboo CI, JetBrains' TeamCity build and CI server, the Gradle and Apache Maven project automation tools, and the NuGet package manager for .NET, among others.
JFrog announced support for private Docker Registries in Artifactory last November. The Bintray support was an inevitable next step, Simon told me. "Artifactory is there to aggregate and manage the containers that you are creating, managing, or using; Bintray is really the place to publish and distribute those containers," he said. "You now have an end-to-end solution for many binary or package types."
The company's CEO, Shlomi Ben Haim, called support for Docker "a natural progression of JFrog's mission to provide agnostic, enterprise-grade support for every stage and aspect of code development and deployment."
JFrog launched a new commercial version of its Bintray last year. Bintray Premium supports "premium repositories," with unlimited storage and downloads, full download stats, access control, and download tracking, among other features.
JFrog is just the latest toolmaker to join in the warp-speed expansion of the Docker ecosystem. Containerization and microservice architectures are gaining serious traction in the enterprise, because container-based infrastructures continue to make life easier for the developers who adopt them. As the every insightful IDC analyst Al Hilwa puts it: "The level of ecosystem support Docker has gained is stunning, and it speaks to the need for this kind of technology in the market and the value it provides."
Posted by John K. Waters on March 25, 20150 comments
The San Francisco EclipseCon saw some interesting product/project announcements. From the Foundation itself came the milestone releases of two key IoT projects: Paho 1.1 and Mosquitto 1.4. They were actually released ahead of the conference, and I reported on them here. I wanted to highlight some other announcements to come out of the conference.
The Xtext project released version 2.8 of its open source framework for developing programming languages and domain specific languages (DSLs) at the show. The Xtext project combines a generic DSL infrastructure with an editor and a code generator written in Xtend, a Java dialect that compiles to Java 5-compatible source code, which means it can use existing Java libraries. Xtend is now a stand-alone Eclipse project.
The latest release of Xtext, which will be part of the Mars release train in June, comes with 180 bug fixes and big performance improvements, and a bunch of cool new features. It's a long list that includes new support for whitespace-aware languages, such as Python; grammar editor enhancements; new options for language code generation, including the ability to specify annotations to be added to each generated Java class; support for a new version of the Xbase compiler that allows developers to configure the Java version of the generated code; a new Java-to-Xtend converter; and a new formatter API.
The complete list of changes in Xtext 2.8 is available in the release notes.
Java toolmaker ZeroTurnaround released its Optimizer for Eclipse at the show. The free Eclipse plugin is designed to detect and fix common performance hiccups and configuration problems associated with the Eclipse IDE. The company is addressing what it sees as a common problem for Java developers, most of whom use the Eclipse dev tool.
"What Java developer hasn't, at some point in time, thought 'Wow, my Eclipse is really slow today?' " asked Jevgeni Kabanov, founder and CEO of ZeroTurnaround, in a statement. "We wanted to make coding in Eclipse more enjoyable by taking away the developer frustrations of a slow environment. We like to think of Optimizer for Eclipse as a jetpack for your Eclipse environment."
The plugin performs checks on configuration issues that negatively affect "the IDE user experienc" -- everything from insufficient memory allocation to class verification overhead, excessive indexes and history to lengthy build and redeploy times. Users can set the plugin to fix the type of problem automatically to speed up the performance of the IDE. It can also suss out a slow JDK and let users know if their IDE is out of date.
Codetrails announced the alpha release of its very cool Codecity for Eclipse at the show. This is an Eclipse plugin that calculates source code metrics and then provides a visualization of those metrics in the form of a navigable 3D map of a city block. It's a striking representation of data that emerged from the Codecity Project, which was developed at the Università della Svizzera italiana until 2010. These images communicate a ton of information instantly -- which, of course, is the purpose of these kinds of visualizations.
It works from within the IDE, providing users with a "Show in >> Codecity" option in the context menu. The metrics are computed in the background and then displayed in a browser window. The list of metrics supported by the plugin includes: number of declared methods, number of declared fields, number of problem markers, and number of commits. This last metric requires projects to be connected with an Eclipse team provider, the company says.
Codecity is a work in progress, but well worth checking out. It's available from the Eclipse Marketplace.
Posted by John K. Waters on March 16, 20150 comments