CISO Panel: Speaking Klingon to Captain Kirk

This year's RSA Conference was chock full of great content. One of my favorite sessions was the chief information security officer (CISO) panel, hosted by Cigital Inc. CTO and build-security-in guru Gary McGraw. Instead of a whip, McGraw wielded a Star Wars lightsaber (a vendor was handing them out on the exhibit floor) to keep four top security execs moving through a series of "driving" questions.

In answering a question about measuring risk, Gary Warzala, CISO at Visa, argued that, although it was certainly important to measure an organization's vulnerabilities and level of compliance, it was just as important to make sure that risk is owned throughout the enterprise.

"When I think about the technology organization, we hold the majority of operational risks," he said. "We need a process by which we're managing that risk on a daily basis, and then we need to be able to articulate that ... But you can't just have the conversation around risk when you're talking to the board; you have to have it across the enterprise."

Google views security as an existential issue, said Eric Grosse, VP of the company's Security Engineering group. It's evaluated based on observed incidents. In fact, the company authorizes internal groups -- on a short-term basis -- to try to break in.

"We have a referee standing by, because they're actually working on the live systems," Grosse said. One side effect of this process is that it makes other employees more alert to potential security issues, he added.

For an answer to the question, "How should the security function interact with executives?" McGraw turned to Howard Schmidt, who served the country's chief executive. The former cybersecurity coordinator for the Obama administration said that the interactions between a CISO and his boss need to be customized, or they can have unexpected consequences.

"One minute you're doing a nice briefing for executives, and the next thing you know, they're subscribing to some list and every virus that comes out has them on the phone saying, 'Is this going to affect us?'" he said. He hastened to add that that never happened with Mr. Obama.

"What you really have to do is to sit down and involve all the business units, preferably in the same room," Schmidt said. "It's almost like creating a disaster recovery plan or business continuity plan, where, if you send out an e-mail asking about priorities, they're all No. 1. But if you get them all in the same room, you get a better idea of when you need to escalate."

Jason Witty, CISO at U.S. Bank, said that information security execs need to do a better job of speaking with management in business terms.

"We need to talk about things like protecting and enhancing revenue," he said. "We need to change our vernacular ... We don't want to be speaking Klingon to Captain Kirk."

McGraw also asked the panel about which tools they found the most useful in their work, which drew a little groan from Witty.

"I saw a list of information security vendors the other day," he said. "When I saw it, I rolled my eyes so far back in my head I saw behind me … The bottom line for me is that this is a people-and-processes issue, not a technology issue."

McGraw also wondered about how the gathered execs retained good security people. Beyond having "the best recruiter in the business, bar none," not to mention Visa's strong brand, it's the kind of field that attracts people who love the work, Warzala said.

"People in the information security field are what I call digital first responders," he said. "They're the kind of people who run toward a fire while everyone else is running away ... They're not doing the job to make lots of money. They're doing it because they're passionate about it."

Posted by John K. Waters on March 5, 2013


RSA Preview: HP Security Mavens on the Cybercrime Marketplace

The annual crypto-uber-geek, cyber-security trade show, better known as the RSA Conference, gets underway next week in San Francisco. I love this event. The content is broad and deep and sometimes downright scary. Even registering for the thing can be unsettling: never have I had to work so hard to create a password. And you need a personal access code to get on the wireless network at the show. So cool.

I got a nice warm up for the event earlier this month when I attended a roundtable discussion among HP security mavens. The company is planning to make several major announcements around security at the end of this month, and it'll soon be releasing its "2012 Cyber Security Risk Report." The roundtable included execs from the various groups HP assembled last year to form its Security Intelligence and Risk Management platform. The discussion focused on trends in cybercrime, the evolving marketplace for information theft and the best enterprise defense strategies.

Art Gilliland, SVP of HP's Software Enterprise Security Products group (and former Symantec exec), kicked off the conversation by suggesting that the press, and even some security professionals, spend too much time talking about individual perpetrators.

"Focusing on specific actors is a bit of a red herring," he said. "It misses the fact that there's just so much money to be made from the sale of stolen information that a real marketplace has grown up around cybercrime."

That's the bad news; the good news is that markets exhibit recognizable behaviors that defenders can exploit.

"Markets do very specific things," Gilliland pointed out. "They organize participants, for example, and they create specialization around a process. If companies are going to become more effective at responding to security threats, they're going to need to think about how they disrupt the marketplace of the adversary."

HP uses something called a "kill chain," an adaptation of the Cyber Kill Chain model published by Lockheed Martin, to describe the five steps of a security breach. (Lockheed's original has seven stages; HP's version collapses them to five.) The kill chain steps include: 1) Research (the bad guys create profiles of their targets); 2) Infiltration (they break in); 3) Discovery (they map the assets and find the good stuff); 4) Capture (they take control of the assets or sensitive information); 5) Exfiltration (they steal or destroy it).
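The practical consequence of the kill-chain framing is that stages 3 through 5 happen inside your network, where you can see them. The following is an added example, not HP's code or anything the panelists described: a small detector that runs over constructed flow records and flags the Discovery stage (one internal host touching many distinct internal host:port pairs in a short window) and the Exfiltration stage (outbound volume to a single external address far above the host's usual baseline). The internal address range, the window and target thresholds, the baseline figures and the sample flows are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent src -> dst


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def detect_discovery(flows, window=60, min_targets=8):
    """Stage 3, Discovery: one internal host touching many distinct internal
    host:port pairs inside a short window is mapping the network, not using it."""
    per_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            per_src[f.src].append(f)
    findings = []
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        best, lo = 0, 0
        for hi in range(len(fl)):          # sliding window over time
            while fl[hi].ts - fl[lo].ts > window:
                lo += 1
            best = max(best, len({(f.dst, f.dport) for f in fl[lo:hi + 1]}))
        if best >= min_targets:
            findings.append((src, best))
    return findings


def detect_exfiltration(flows, baseline, factor=10, default_baseline=1_000_000):
    """Stage 5, Exfiltration: outbound volume to one external address far above
    the host's usual daily outbound volume (per-host baseline is assumed)."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[(f.src, f.dst)] += f.bytes_out
    return [(src, dst, total) for (src, dst), total in out.items()
            if total > factor * baseline.get(src, default_baseline)]


def classify(flows, baseline):
    """Map findings onto the kill-chain stages named in the text."""
    return {
        "discovery": detect_discovery(flows),
        "exfiltration": detect_exfiltration(flows, baseline),
    }


# Constructed sample: a workstation sweeping SMB across a subnet, a second host
# doing ordinary file-server traffic and then pushing 120 MB to an external IP,
# and a third host with unremarkable web traffic.
SAMPLE_FLOWS = (
    [Flow(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445, 600) for i in range(12)]
    + [Flow(2000 + i * 300, "10.0.0.7", "10.0.1.20", 445, 50_000) for i in range(3)]
    + [Flow(3000 + i * 60, "10.0.0.7", "203.0.113.9", 443, 40_000_000) for i in range(3)]
    + [Flow(4000 + i * 30, "10.0.0.9", "198.51.100.4", 443, 100_000) for i in range(3)]
)
BASELINE_BYTES = {"10.0.0.7": 2_000_000}   # assumed typical daily outbound per host

if __name__ == "__main__":
    for stage, hits in classify(SAMPLE_FLOWS, BASELINE_BYTES).items():
        print(stage, hits)
```

Research (stage 1) happens outside your perimeter and is not visible in flow data, and Infiltration (stage 2) is what the firewall and IDS already watch for; the point of the example is that the later stages leave signals of their own, and a defender who alerts on them catches the intruder before the data leaves.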

"I believe that the reason we're seeing such an increase in breaches and threats is that we, as an industry, are not building the capabilities necessary to disrupt this process," Gilliland said.

Instead, a great deal of emphasis is placed on the technology infrastructure for blocking the adversaries -- anti-virus software, firewalls, etc. But, as Gilliland put it, "this marketplace innovates around us," and a break in is all but inevitable. "If you believe that that's true -- and I think most security experts do -- then we had better get much better at catching them inside before they've stolen the data," he said.

"It's critical that organizations get to a point where they can respond very quickly to each of those steps," said Scott Lambert, director of HP's DVlabs. "That's how we change the game."

Digital Vaccine Labs was the research organization within security vendor TippingPoint, which HP acquired in 2010 when it bought 3Com. HP describes DVlabs as "the heart" of the company's IT security research and intelligence.

Lambert allowed that firewalls and intrusion detection-and-prevention systems provided protection from what attackers were leveraging when those technologies were created, and they're still effective at blocking certain classes of attacks. But today the focus of the attackers is shifting away from perimeter defenses and toward the individual. Vulnerabilities in social networks, for example, are attracting a new generation of cybercriminals.

Lambert also added to my growing security vocabulary list with "OODA loop": observe, orient, decide and act. It's a military term applied to combat operations; whoever gets through the loop faster is likely to be the winner.

"At each of the stages in the kill chain, there is a set of assessments that must be made and actions that must be taken," he said. "The attacker is going to keep coming back in; shut down one door, and they'll find another one. So we need to be quicker at identifying that they're inside, telling them to go away, shutting those doors, and getting right on top of them when they come back."

Jacob West, CTO of Fortify Products within HP's Enterprise Security group, weighed in on the subject of security in the application layer. Although network and end-point security still get the lion's share of a typical organization's security budget, he said, app security is finally getting the attention it deserves.

"Ten years ago there wasn't a field called 'software security,'" West said. "Security was still pixie dust that you layered on top of your software after you built it. We've come a long way since then, and now we're seeing substantial investment in securing the application layer."

The reason for the increased investment, West said, is the growing popularity of the app layer as a target. But he added that it's a mistake to expect top notch developers to also become security experts.

"You just can't be both," he said. "So what we in the industry need to do is to enable those developers -- and everyone else who contributes to the development lifecycle -- to understand that they're making security-relevant decisions and give them the processes and technologies to make those decisions in the right way when they're faced with them."

In 2007 West co-authored Secure Programming with Static Analysis (Addison-Wesley Professional, July 9, 2007) with Brian Chess, founder of security vendor Fortify Software, which HP acquired in 2010. Fortify was known for its static application security testing technology, and West and Chess's book is something of a classic in that field.

"I do think a lot of development organizations recognize that security is now a core requirement of the software they build," West added. "They can't make every developer a security expert, but they know that the software those developers eventually produce needs to be secure. And I do see an increasing number of firms with large development investments tying developer performance and compensation to security metrics."

And yet many organizations have yet to implement even basic perimeter security, said Joni Kahn, SVP of Services and Support in HP's ArcSight group, let alone address more sophisticated threats. Kahn runs professional services at HP and is actively involved in breach remediation and response. (HP acquired security information and event management provider ArcSight in 2010.)

"We spend a lot of time talking about the business processes that allow you to leverage the technology in an effective way," she said.

To my dumb question of the day, "Why haven't we fixed all this yet?" Kahn replied, "Well, that's a little bit like asking, Why haven't we stopped all burglaries? There's money in this, and crime pays."

BTW: Gilliland will be talking about how market forces are organizing our adversaries at the RSA Conference. His talk is entitled: "Criminal Education: Lessons from the Criminals and their Methods."

Posted by John K. Waters on February 22, 2013


Java: The Most Popular Programming Language

Forget the headline-grabbing revelations of new security flaws, the dogged dissing from Apple and the dire warnings from the U.S. Department of Homeland Security: Java is the world's most popular programming language. That's according to TIOBE Software's latest Programming Community Index.

TIOBE is a Netherlands-based provider of software quality assessment services based on the ISO/IEC 9126 standard. The company ranks the popularity of software languages based on "the number of skilled engineers world-wide, courses, and third-party vendors." The purpose of the Index, the company says, is to provide coders with a kind of contextual yardstick with which to measure their own language skills against current demand.

Ten months after being spanked by C, Java has risen to the top largely because of the popularity of Android mobile devices, the indexers concluded. Java accounted for 18.387 percent of market share in February, as measured by TIOBE, while C held onto a solid 17.080 percent, followed by Objective-C with 9.803 percent and C++ with 8.758 percent.

The Index also indicated that the popularity of Python is on the rise (4.949 percent, up 1.07 percent over the last half year), with PHP holding steady at 5.074 percent.

Altogether, TIOBE ranks 50 programming languages, though it follows many more. The company emphasizes that the Index measures only the popularity of a language, not its actual quality (no "bests") nor the number of lines of code written in it.

Java also made it to the top of a rival language popularity index: the latest PYPL (PopularitY of Programming Language) Index. This popularity indicator is published by pyDatalog, a provider of a pure-Python implementation of a declarative subset of Prolog, called Datalog. Java topped the PYPL Index in February with a 29 percent market share. PHP came in second with 14.6 percent. C# followed with 10.5 percent, Python with 10.3 percent and C with 9.6 percent (down .9 percent).

The goals of the PYPL indexers are the same as TIOBE's: "If you believe in collective wisdom," the Web site states, "the... index can help you decide which language to study, or which one to use in a new software project."

TIOBE, which has been around a while, tracks the popularity of languages by counting related Web pages; pyDatalog, the new kid on the popularity indexing block, counts how often language tutorials are searched on Google. One tracks availability; one tracks demand. I'm not sure which is the better methodology, but it's useful to be reminded that Java isn't merely a popular target.


Posted by John K. Waters on February 13, 2013


2013 Challenges for Developers, Part III: Future Challenges

A number of insightful industry watchers got back to me right after the holidays with their thoughts on the challenges facing developers in 2013. (Most of them didn't even seem that hung over.) It was just too much wisdom to cram into two blog posts, so we're going with a Part III.

John R. Rymer, principal analyst at Forrester Research Inc., covers application development and delivery (and writes a killer blog). He agreed with his colleagues that mobile will continue to vex developers, as will the need to learn and employ multiple languages. However, he was surprised (as was I) that the arrival of Windows 8 didn't top more lists.

"[Windows 8] got off to a slow start, by all accounts, but Microsoft is all in on this one," he told me. "It's fair to say that one Microsoft platform era is ending and another is starting. What Microsoft is calling 'the new Windows platform' includes Windows 8 clients, the Windows Runtime API, and the Windows Azure cloud. .NET isn't going away, but it's a server environment, and the relationship among these technologies is really complicated. There's a lot to master there. And then there's the question of when to make the jump to that platform."

Rymer and fellow Forrester analyst Jeffrey S. Hammond published a report in August entitled "The Future of Microsoft: New Options, New Choices, New Risks" that's well worth reading.

Ovum principal analyst Michael Azoff foresees a "big headache" on the horizon for developers caused by fragmentation in app dev precipitated by their struggles with mobile development.

"Mobile of course is the issue," he said. "HTML5 is supposed to be the answer, but it's a bunch of technologies, continually evolving, and part of a spectrum of options when deciding to go native, hybrid or open."

For ZapThink President Jason Bloomberg, the mobile piece is all part of the broad-based trend toward new ways of thinking about distributed computing.

"From the enterprise perspective, mobile -- as well as the browser -- has always been thought of as the user interface endpoint," Bloomberg said. "The thinking goes: All the hardcore work of enterprise development is in the middle tier, and then you do the application tier and let the hippies do the coding on the interface, which you slap on for the end users. That's shifting as our devices become more and more sophisticated. A smartphone is more powerful than a supercomputer from 20 years ago. We have these supercomputers in our pockets, so they can be much more than just interface endpoints. They can actually be a provisionable cloud resource as well."

Another challenge ahead for developers in 2013, Bloomberg said, is sorting out cloudwashed products and services from the real thing. "Cloudwashing" refers to the practice of adding the word "cloud" to existing, essentially unchanged products or services.

"The 2013 cloud computing story is one of maturation," he said, "but also one of the vendors striking back with an increasing effort to cloudwash, as they realize that cloud computing done right would undermine their revenue streams and licensing models. What developers need to understand is that virtualization alone is not the same thing as cloud. That's the seed of confusion that's getting sown right now. Vendors are saying, we're offering cloud, but they're really offering virtualization. The missing pieces are the automated provisioning configuration and the elastic nature of the cloud, where you can scale up and scale down in an automated fashion. Virtualization alone doesn't offer those parts of the story, and developers need to be aware of that."

Bloomberg has a book coming out later this year, "The Agile Architecture Revolution," from John Wiley & Sons Inc. Given the quality of his coverage of service-oriented architecture (SOA) and cloud computing over the years, it should probably be on your reading list.

Unsurprisingly, security was on the mind of my favorite fiddle-playing security expert, Gary McGraw, CTO of Cigital Inc., and author/coauthor of many books, including the classic, "Software Security: Building Security In" (Addison-Wesley, 2006).

The top of McGraw's list of challenges for developers in the coming year: secure use of well-known frameworks.

"This is a big question for developers," McGraw said. "From a coding perspective, if you're used to using static analysis tools, they fail when it comes to frameworks, because the control flow goes right down this hole. And the tool goes, 'Oh well, the control flow is gone, so I quit.' Using frameworks securely should be a big issue for developers in 2013. And they should be asking exactly what the guys who are building frameworks are doing to make them secure."
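What McGraw is describing is a dataflow analysis losing the thread when the program hands control to a framework. The following is an added example, not Cigital's or any commercial tool's code: a toy interprocedural taint analysis over a constructed Python program, using the standard `ast` module. With no knowledge of the framework, the analyzer follows calls from `main`, reaches the registration call, has no callee to descend into, and reports nothing; with a "framework model" that says the registered callback is later invoked with attacker-controlled arguments, it finds the command-injection sink. `app.route`, the `FRAMEWORK_MODEL` dict and the sample program are hypothetical stand-ins for the real registration APIs and rule packs that SAST products ship.

```python
import ast

# Sinks this toy analysis knows about (assumed list, not a real rule set).
SINKS = {"os.system", "subprocess.call"}

# Hypothetical framework model: a registration call whose Name argument is a
# callback the framework will later invoke with attacker-controlled data.
FRAMEWORK_MODEL = {"app.route": "callback_with_tainted_args"}

# Constructed program under analysis. Note that handler() is never called
# directly; only the framework knows it exists.
PROGRAM = '''
import os

def run(cmd):
    os.system("ping " + cmd)     # sink

def handler(req):
    run(req)                     # req is supplied by the framework

def main():
    app.route("/ping", handler)  # framework registration, no direct call
'''


def callee_name(call):
    """Return 'a.b.c' for an ast.Call target, or None if it is not a plain name chain."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, taint):
    return any(isinstance(n, ast.Name) and n.id in taint for n in ast.walk(expr))


class Analyzer:
    def __init__(self, source, model):
        tree = ast.parse(source)
        self.funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
        self.model = model
        self.findings = []
        self.seen = set()

    def analyze(self, fname, tainted_params):
        key = (fname, frozenset(tainted_params))
        if fname not in self.funcs or key in self.seen:
            return
        self.seen.add(key)
        taint = set(tainted_params)
        for stmt in self.funcs[fname].body:
            # Assignments propagate taint from the right-hand side to the targets.
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, taint):
                for t in stmt.targets:
                    if isinstance(t, ast.Name):
                        taint.add(t.id)
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                self.visit_call(fname, call, taint)

    def visit_call(self, fname, call, taint):
        name = callee_name(call)
        if name is None:
            return
        if name in SINKS and any(is_tainted(a, taint) for a in call.args):
            self.findings.append((fname, name))
        elif name in self.funcs:
            # Ordinary call: map tainted arguments onto the callee's parameters.
            params = [a.arg for a in self.funcs[name].args.args]
            tainted = {p for p, a in zip(params, call.args) if is_tainted(a, taint)}
            self.analyze(name, tainted)
        elif name in self.model:
            # Framework registration: the callback is never called directly, so
            # without this model the control flow "goes down the hole" here.
            for a in call.args:
                if isinstance(a, ast.Name) and a.id in self.funcs:
                    params = [p.arg for p in self.funcs[a.id].args.args]
                    self.analyze(a.id, set(params))


def analyze_program(source, model, entry="main"):
    an = Analyzer(source, model)
    an.analyze(entry, set())
    return an.findings


if __name__ == "__main__":
    print("without framework model:", analyze_program(PROGRAM, {}))
    print("with framework model:   ", analyze_program(PROGRAM, FRAMEWORK_MODEL))
```

The two runs differ only in the model dict, which is the whole point: the code being analyzed is identical, and the finding appears or disappears depending on whether the tool has been told what the framework does with the functions handed to it. That is why McGraw's second question, what the framework authors are doing to make their frameworks secure and analyzable, matters as much as the first.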

McGraw also pointed to ongoing security issues around Java, which was plagued by exploited vulnerabilities last year.

"Watching all that, it felt like déjà vu all over again," McGraw said. "I looked at my watch and said, holy crap, it's 1997! What's going on is, various people who are in control of Java at a company whose name might start with Ora and end with cle, just haven't been paying attention. They pay a lot of lip service to security at that company, but when push comes to shove, they're not delivering. And when companies that, generally speaking, try to play nice like Apple (emphasis on generally) say they're going to ban Java from their platform, that ought to be a wake-up call."

McGraw will be presenting at this year's RSA security conference. The title of his talk: "The Bug Parade, Zombies, and the BSIMM." (The BSIMM, of course, refers to the Building Security in Maturity Model, the latest incarnation of which I covered back in November.)

Security was also on tech industry watcher Rob Enderle's mind (The Enderle Group), particularly when it comes to the use of open source in the mobile space. So much work is now "pointed at mobile devices," he said, and so many malware writers are employing the strategy of altering good applications, that app builders should reexamine their open source practices in 2013, and "take other measures to ensure someone doesn't hijack your product for illegal purposes."

Enderle also cited analytics as an increasingly critical industry focus and developer opportunity.

"Analytics is one of the big technology advancements this decade," he said, "and using this tool to better understand your existing and potential customer needs and frustrations -- and your competitors' weaknesses -- should help assure more successful products and greater customer loyalty. This is also a huge opportunity to think about incorporating these analytics into software products and providing a feedback loop to customers that use them to help you better enhance the products you're creating."

For RedMonk's James Governor, the good news for developers in 2013 -- a wealth of choices -- is also the daunting news.

"Dealing with the abundance of tooling is increasingly an issue," Governor said in an e-mail. "Developers have more choices than ever to make -- whether in data stores, programming languages, management and monitoring, agile methods, approaches to DevOps -- there's innovative stuff happening everywhere."

To support his point, Governor quoted author Clay Shirky's book, "Here Comes Everybody" (Penguin Books, 2009): "We are living in the middle of the largest increase in expressive capability in the history of the human race ... The barrier between producers and consumers, professionals and amateurs, has been -- if not eliminated -- so drastically lowered that it is revolutionizing our society just as the printing press revolutionized medieval Europe."

"That's the world we find ourselves in," Governor said, "and what's particularly interesting is that developers are both the Catholic Church and the Protestants, the High Priests and the upstarts."

In another good news/bad news observation, Governor included software patents on his list of developer challenges for the coming year.

"Software patents continue to be disastrous for software developers," he said, "with trolling from both mega corps like Apple, and a motley band of ambulance chasing IP lawyers, being a huge problem. That said, recent U.S. court cases indicate a willingness of the judiciary to stop the madness. Weirdly, patent law may even be a bright spot in 2013."

Governor is another blogger who should be on your list.

Posted by John K. Waters on February 6, 2013


Mozilla Unveils Firefox OS Developer Preview Phones

Earlier this month Mozilla announced the first developer preview phones specifically designed for its Firefox OS.

The phones -- two of them -- are being developed by a Spanish startup called GeeksPhone in partnership with Spanish telecom Telefónica. Mozilla says the phones will be available sometime in February.

The devices are the "Keon," a basic smartphone that comes with a 1GHz Qualcomm Snapdragon S1 processor, 4GB of ROM, 512MB of RAM, a 3.5-inch HVGA display, a 3-megapixel camera, MicroSD support, a 1580 mAh battery, and support for 2G and 3G networks; and the "Peak," a more powerful device with a dual-core 1.2GHz Snapdragon S4 processor, a 4.3-inch qHD IPS display, an 8-megapixel rear-facing camera (2-megapixel front), 4GB of ROM, 512MB of RAM and a 1800 mAh battery.

Stormy Peters, director of Web sites and developer engagement at Mozilla, made the announcement on her blog on the Mozilla Hacks Web site. "Developers are critical to the Web and to Mozilla's mission to make the web accessible to everyone," Peters wrote. "Hundreds of millions of people worldwide use Firefox to discover, experience and connect to the Web. A Web based on open standards and open technologies. We couldn't have done this without Web developers. Now we are working on bringing the power of the Web to mobile, through Firefox OS, along with all the power of open standards and an open community, and once again, we'd like to invite web developers to join us."

Mozilla announced plans to develop an open-source, Web-based mobile operating system in 2012. The OS is set for release later this year.

GeeksPhone's Web site welcomes developers to "Say hola to the future," and declares, "Our developer preview devices have been designed to enlighten the Firefox OS experience, giving developers the chance to tap the future of mobile."

But how much of an impact on current approaches to mobile application development will a web-only Firefox OS have? Not much, says Ovum senior analyst Nick Dillon. He sees the Firefox OS as "an interesting academic exercise" comparable in this regard to Google's Chrome OS. The advent of the new mobile operating system is unlikely to facilitate a dramatic change, Dillon writes in an Ovum comment. One reason: There's already plenty of support for HTML5 on the leading smartphone platforms, which means there's no real need for another one to drive adoption of the technology.

"Another significant barrier to the success of Firefox OS," Dillon wrote, "will be cost. The Firefox OS devices will be targeted at emerging markets, where they will be competing with low to mid-tier Android devices. From a consumer perspective, the Firefox OS devices will offer less functionality than comparable Android devices, without access to embedded Google services and the hundreds of thousands of third-party applications available on Android devices."

Developers who don't want to buy the dedicated hardware will still be able to test their applications using the Firefox OS simulator, the company said.

Posted by John K. Waters on January 31, 2013


Oracle Promises To 'Fix' Java

An Oracle executive has promised to "fix" problems with Java that have left users running the Java browser plugin vulnerable to malicious hackers and resulted in some high-profile security breaches. Speaking with Java User Group (JUG) leaders during a conference call last week, Oracle's senior product security manager, Milton Smith, said that his company cares about Java security, has been working on the problem and will continue to do so.

"The plan for Java security is really simple," Smith said. "It's to get Java fixed up -- number one -- and then, number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have got to fix Java..."

Oracle has been working to improve Java security, Smith said, though much of that work has not been publicized. He pointed to new security features, such as a slider on the Java control panel that allows users to effectively disable Java in the browser.

And it is the browser -- or rather, browser plugins, which run applets -- that is the focus of Oracle's security efforts, Smith said.

"The area of concern is the plugin -- so that's applets," he said. "A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser. It's the biggest target now. We haven't had those sorts of problems or challenges on the servers or embedded devices."

One caller complained that the media are "very loose when they talk about Java security...when most of the trouble has been in a very specific use case for Java [the browser]."

Smith emphasized the need for better communication about Oracle's efforts to secure Java. He argued that many people "don't understand the features that are out there," and the role the end users play in securing their own computers. He said the company plans to reach out to engineers, IT professionals who run data centers and user groups, such as the one addressed in the call.

Donald Smith, Oracle's director of product management in the OpenJDK group, talked about the possibility of using this year's JavaOne conference to communicate more fully with the community about Oracle's security plans and the community's needs. He asked those in attendance for feedback about the idea of a stand-alone Java security track at the conference.

Milton Smith added that Oracle doesn't yet know precisely what it wants to communicate, but that calls like this one with the JUG leaders were "laying the groundwork" for improved communications in the future.

Oracle has been criticized for its handling of Java security, and questions have arisen about the future of client-side Java. Forrester Research analyst Mike Gualtieri told ADTmag in an earlier interview that the steady surfacing of Java security vulnerabilities could kill any chance that Java will play a bigger role on the desktop or mobile devices in the future. IDC analyst Al Hilwa pointed out that any add-on to a browser is going to increase the surface area for security attacks. But he also pointed out that Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).

"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (e.g. Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," he said. "This is why the industry is shifting to HTML 5 for browser applications, so that the browser vendors own the security of the platform end-to-end."

The Oracle/JUG conference call can be found here.

Posted by John K. Waters on January 30, 2013


Could Security Woes Eventually Kill Client-Side Java? Analysts Weigh In...

Client-side Java has a big, bright bull's eye painted on it, and black hats just can't seem to resist shooting at it. Oracle was relatively quick to respond to news of the latest critical vulnerability in Java 7 (revealed last Thursday; fixed by Sunday), but many security mavens have been unwilling to tell users that it's safe to enable Java in their browsers again. It didn't help that the U.S. Computer Emergency Readiness Team (US-CERT), which is part of the U.S. Department of Homeland Security (DHS), issued a warning to Average Joe computer users to disable Java.

After more than a year of headline-grabbing revelations of new security flaws, is it fair to ask whether client-side Java is living on borrowed time? Some industry watchers think so.

Although Java will remain alive and well on the server, says Mike Gualtieri, principal analyst at Forrester Research, the steady surfacing of security vulnerabilities we're seeing today on the client side is likely to kill any chance that Java will play a bigger role on the desktop or mobile devices in the future.

"It's like all Java developers were just diagnosed with a devastating, incurable disease," Gualtieri said. "What are you going to do? Bite your tongue, keep your head down, and keep writing code."

Al Hilwa, program director at industry analyst firm IDC, points out that any add-on to a browser is going to increase the surface area for security attacks. And Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).

"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (e.g. Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," he said. "This is why the industry is shifting to HTML5 for browser applications, so that the browser vendors own the security of the platform end-to-end."

Java has been gaining popularity as a target for a few years now, observes Jerome Segura, senior security researcher at anti-malware solutions provider Malwarebytes. About a year ago it surpassed Adobe Reader, which had been the leading target, in part because of the changes Adobe made to Reader's sandbox, but largely because Java is now so widely deployed across so many devices and platforms.

It's also Java's inherent complexity that invites exploitation, Segura said, because that quality increases the number of possible bugs in the code, and thus, the number of potential vulnerabilities. Another problem is Oracle's tendency to leave the end users in charge of updates. Oracle's remedy for the current problem, for example, was to fix one of the two bugs behind it directly, and leave the users to update the default security settings to fix the second bug.

Sorin Mustaca, product manager and IT security expert at German security solutions provider Avira, applauds Oracle for acting quickly to fix the latest zero-day vulnerability, but says there's a downside to such fast action.

"When you fix such an important bug in such a short time under high pressure, the result is that you will see even more bugs like that in the future," Mustaca said. "But also, our feeling is that Oracle has gotten into the habit of reacting to a crisis -- to putting out fires -- instead of mitigating. And so this is why we have mixed feelings about this."

Mustaca agrees that Java's widespread deployment lies at the root of its recent appeal as an exploitation target.

"The number of devices has exploded in the past two to three years," he said. "And Java runs on almost all devices. Oracle says that it's on more than three billion of them -- everything from your computer to your car to your fridge. And it's an accepted technology, even by Apple. So of course it's going to be a target, and of course we are going to react strongly when it is exploited. It has a much bigger impact."

Hilwa points out that Java has attracted the attention of the "malware industrial complex," which is evolving into a "fast moving, well capitalized underworld of software-for-hire available to anyone willing to pay." Automated kits are now available to exploit any security hole within days, if not hours, of its becoming known.

"The ante is regularly upped by the malware industry," he said, "and companies who want to be in the plug-in business are essentially engaged in an arms race. And it's relatively difficult for end-users to verify the safety of all the different browsers they use. This puts the onus on Enterprise IT to create awareness for their users. So Oracle needs to step up their investment. No doubt the company understands this now."

Posted by John K. Waters on January 16, 2013
4 comments


2013 Challenges for Developers, Part II: Demand for Multiple Language Skills

By this time last year, the term "polyglot programmer" had entered the IT lexicon, and there was plenty of talk about the strategic advantage of learning to use a wider variety of programming languages, frameworks, databases, interface technologies and other development tools. Last year's strategic advantage may be evolving into this year's survival strategy.

"I would argue that developers need to be fluent in multiple languages now," said Forrester analyst Jeffrey S. Hammond. "I see that in my data: I've talked about the multilingual developer who programs in no single language more than 50 percent of the time, and that's definitely on the rise. I don't see how you get away with just being a C++ developer or a C# developer or a Java developer anymore."

Hammond is a leading expert on open-source software, next-generation mobile, open Web and client architectures, and software development productivity. He writes regularly on those topics for Forrester's application development and delivery blog. He believes that the need for multiple language skills may be one of the biggest challenges facing some developers in 2013.

"There's just a tremendous amount of stuff that developers have to learn if they want to keep their skills up to what the market is going to be demanding of them in 2013 and beyond," he said. "Think about all the things you've got to understand now to build modern applications. You have to be able to use either a cross-platform tool or you have to pick up Objective-C or Android Java or C#. You have to learn how to consume and use all these RESTful Web services. You've got to understand the ins and outs of Amazon Web Services and how to build a scale-out system that runs in the cloud. It's a hell of a lot of homework, but necessary if you want to limit the constraints on your career opportunities in the long term."

What additional language skills are codederos likely to seek in 2013? 

"I'm seeing the re-emergence of JavaScript," Hammond said. "I'm seeing lots of demand in the mobile space for Node.js skills, and a lot of these JavaScript frameworks. And I'm seeing more and more HTML5 development being done. But in some ways, this may be the year for developers who don't know JavaScript to learn it—and to really understand that it's not just for making things pretty on the client side."

Jay Lyman, a senior analyst at 451 Research who covers open-source software in the enterprise, application development, systems management and cloud computing, sees the polyglot programming trend "unfolding in parallel to DevOps," as more software developers and system administrators leverage more tools and languages for different advantages.

"For example," Lyman said in an e-mail, "while Java and .NET still dominate enterprise applications, we see more use of PHP, Ruby, Python and other languages for Web, mobile and enterprise applications; Erlang or Scala for concurrency on the back end; node.js for greater performance; HTML5 and JavaScript for user interfaces, etc. We also see use of a greater number and variety of database technologies, including NoSQL databases, Cassandra and Hadoop for 'big data,' and also use of a variety of infrastructures to develop, deploy and support applications, including traditional datacenters [and] public and private clouds."

Mike Gualtieri, principal analyst at Forrester, agrees that the demand for multi-language skills is likely to put more pressure on developers in 2013: "A polyglot programming norm means more homework," he said in an e-mail. "The trend towards using multiple programming languages including scripting languages is a constant challenge for developers. It means that they have more homework to do to keep up with all the new languages and programming languages."

He added: "Is this God's programming Tower of Babel to punish Sun for screwing up Java and Oracle for acquiring Sun?"

Posted by John K. Waters on January 11, 2013
0 comments


2013 Challenges for Developers, Part I: Mobile and Cloud

In 2013, life for developers is going to get interesting, say industry watchers -- which sounds great until you remember that old (purportedly) Chinese curse. Living in "interesting times" is likely to prove challenging to hard-working codederos.

Dana Gardner, president and principal analyst for Interarbor Solutions (and a must-read blogger) sees 2013 as the time for developers to make strategic bets on both mobile and cloud, but he also advises caution.

"Sorting out the Web-vs-native development equation (and how to best target the most devices) gets trickier in 2013," he said. "Selling software as native apps is costly and high-stakes. Web-only is lower in costs and may get better adoption, but with really low margins, usually. The bottom line is that developers need to be better at forward-looking business development and micro-economics, no matter how good they are at their coding crafts."

If you want to see where this particular debate is headed, Gardner said, keep your eyes on current trends in game development. He points to cross-platform PC-based virtual environments with cloud services, such as Steam, vs. proprietary consoles, or more pure SaaS games, such as Minecraft.

While you're sorting out "Web-vs-native," you're also going to have to think carefully about picking cloud partners, both in terms of the technology and the relationship, Gardner said. Start by asking yourself a lot of questions.

"PaaS strategies and making the right choices about them have huge implications for the next five years," Gardner said. "Losing control to a PaaS may be advantageous in economic and risk terms, but it's still a big bet. Are there ways to hedge? Should a multi-PaaS approach hold for the near term? If tools and IDEs are nearly the same, why not choose a multi-PaaS approach? Write once, PaaS anywhere? Will enterprises also go for multiple sources on PaaS or pick one? Developers should have a say in these decisions, as ISVs and as enterprise dev players."

"The good news," Gardner added, "is that CIOs and enterprise strategists are sorting this out too, and a developer with strong insights can rise quickly by reducing uncertainty and bringing clarity to the planning process. So developers should raise their hands and be heard, not sit back and wait for the dictates from above at this dynamic stage in the business."

Randy Heffner, vice president and principal analyst at Forrester Research, is a leading expert on architectures and design approaches to building enterprise applications (and another blogger worth reading). He agrees that 2013 will be a big year for developers defining their mobile strategies, but he argues that those decisions need to be made within the context of "cross-channel interaction."

"It is easy to be all about getting a mobile app out there and to forget that what your customers and employees really need is to be effective across mobile, Web, voice, e-mail, social, and other channels," Heffner said. "Even if today's challenge is focused on mobile, if you don't consider how today's mobile app will, in the future, grow to be cross-channel, you're building in significant rework."

Heffner goes into this point in detail in his November 2012 report, "Use a Reference Architecture to Speed Cross-Channel Digital Experience Delivery."

Heffner also believes that finding a new way to think about integration is going to be a critical developer challenge in 2013.

"The old mindset for integration is that its purpose is to connect and reconcile among siloed applications," he said. "When you add to this the proliferation of integration technologies and patterns (SOA, BPM, CEP, business rules, etc.), you start adding technology silos on top of the application silos. What we need is an integrated view that focuses on the real goal of business technology: building an effective, agile business. Rather than putting siloed applications at the center of the design model, we need to put the design of our business at the center."

Heffner calls this idea "digital business design," and he blogs on the topic here.

Al Hilwa, program director for IDC's application development software research, believes that the biggest challenge facing developers in 2013 boils down to effective navigation of their platform choices.

"The world is quickly shifting to one where applications, both on the client and the server, have many choices of platforms competing for developer affections," Hilwa said. "For applications targeting consumers, and even for those targeting enterprises in the age of BYOD, choices have to be made about which platforms to support and which to leave behind or defer until a later time. For each of the major platforms, like iOS or Android, the developers are aware that their potential users are making selections between ecosystems of content and services, and so they must make choices that are similar to target those users. Once a platform is chosen, then decisions have to be made about whether to approach the application development with native tools or with Web tools targeting mobile browsers, where much of the code can be leveraged for supporting other platforms."

"However, targeting HTML5 involves compromises in functionality and performance that also require careful navigation," he added. "On back-end platforms, developers have to choose cloud services, whether to operate on IaaS and spin their own machines or whether to use more curated models which support certain programming languages in a more intimate fashion. Fundamentally, 2013 is a year of developer choices to an even greater degree than any other which preceded it, and with these choices come a lot of anguish and agonizing."

Hilwa's latest research reports are available on the IDC Web site.

Mike Gualtieri, principal analyst at Forrester Research (and no-nonsense blogger), offers a succinct New Year's recommendation for developers:

"Write a mobile app already," he said. "You gotta have mobile app development on your resume. Even if it just means you downloaded the Android SDK or Apple Xcode and hacked out a test app. Carve out a Saturday afternoon and just do it. That's all the time it will take if you are already a pro Java, C# or C++ developer. Now you can talk with some authority about mobile app development because your next job will probably depend on it."

Posted by John K. Waters on January 7, 2013
1 comment