BSIMM3 Continues To Add Real-World Data to Security Maturity Model

The intrepid trio of app security mavens who decided back in 2009 that it was about time the world had a set of best practices for developing and growing an enterprise-wide software security program based on actual data has unveiled the third version of their innovative Building Security In Maturity Model (BSIMM).

A "maturity model" describes the capability of an organization's processes in a range of areas, from software engineering to personnel management. The Capability Maturity Model (CMM) is a well-known example from software engineering. The BSIMM (pronounced "bee-simm") is the first maturity model for security initiatives created entirely from real-world data.

BSIMM3, which is distributed free under a Creative Commons license, provides insight into 42 of the most successful software security initiatives in the world. The list of companies studied for BSIMM3 includes Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo and Zynga.

Dr. Gary McGraw, CTO of Cigital; Sammy Migues, director of knowledge management at Cigital; and Dr. Brian Chess, chief scientist at Fortify Software (acquired by HP last year), are the co-authors of this on-going, multi-year study. The purpose of the project, McGraw told me, is to build a "measuring stick," so that companies can compare themselves to companies in their industries who have managed successful software security initiatives. Using the BSIMM measuring stick, McGraw, Migues, and Chess conducted a series of in-person interviews with executives in charge of software security initiatives.

McGraw emphasized that the model is fact-based. "We wanted to turn from the early days of evangelism and advocacy in software security and science," he said. "And this is how to do it."

The project has grown considerably since BSIMM1, which looked at only nine companies. BSIMM3 describes the work of 786 software security professionals working with a satellite of 1,750 affiliated professionals to secure the software developed by 185,316 developers. The participating organizations represent eight overlapping industry verticals, including: financial services, independent software vendors, technology firms, telecommunications, insurance, energy, media, and healthcare. The current release includes 109 updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.

BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity. Eleven of the participating firms were measured twice, providing longitudinal study data; those data showed measurable improvement, McGraw said.

The BSIMM3 data set has 81 distinct measurements; some firms were measured twice, while some had multiple divisions measured separately. Among the revelations in this version of the study is the fact that the leading firms on average employ two full-time software security specialists for every 100 developers.

"It's exciting to see something that started out as kind of a backyard science experiment bust out of its test tube and take on a life of its own," McGraw said.

BSIMM3 results conclude that "mature" software security initiatives are "well rounded," with activities in all twelve practices, including: strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing and configuration management.

"One of the coolest side effects of the project is the community that's growing up around it," McGraw said. "We held a conference last year in Annapolis, and 22 of the 30 firms [attending] sent the executive in charge of software security. We all got together and talked hardcore software security. There's this feeling now of a community of professionals trying to solve the same problems in software security."

For more information and to access the BSIMM3 study, click here.


Posted by John K. Waters on September 30, 2011. 0 comments


Dart: Google Won't Comment, Analysts Weigh in on Possible JavaScript Replacement

Google is keeping mum on its plans to unveil another new programming language at its upcoming GoTo Conference in Denmark next month, but the buzz is already starting to hurt my ears. The language is called "Dart" (formerly "Dash"), and the conference Web site describes it as "a new programming language for structured web programming." Google's PR rep, Lily Lin, gave me a polite brush off in an e-mail, referring me to the opening keynote presentation at GoTo, during which Google engineers Lars Bak and Gilad Bracha will host Dart's debut.

The closest I'll be getting to anything Danish in the near future is the very-bad-for-me pastries at Le Boulanger in downtown Mountain View. Meanwhile, others are weighing in on Big G's latest language.

Gartner's Ray Valdes told me in an e-mail interview that the internally spawned Dart appears to be intended as a replacement for JavaScript, and that it's likely to be implemented as a translation layer above JavaScript to support compatibility with older browsers. This translation-layer approach is a recent trend in programming language implementations, Valdes explained. He points to Scala, Clojure, JRuby and Jython, all of which compile to Java or to Java bytecode. Likewise, IronPython and IronRuby run on the .NET language platform (CLR). Another example is Google's GWT user interface library, in which developers write in Java that is then translated to JavaScript to be deployed to the browser.

The drive behind Dart's development appears to be mostly internal, Valdes suggested. "There are developers at Google that have built complex JavaScript applications and have decided that some of the challenges in these large projects were due to design flaws in JavaScript," he said. "Some of them built tools and frameworks to work with JavaScript (GWT, Closure) but apparently they feel the need to go further and replace JavaScript entirely."

Google was similarly motivated when it created the Go programming language in 2009 for its own internal use. The language was developed as an alternative to existing system implementation languages (C++, Java, Python), which Google found were either overly complex, slow to compile, or slow in production, Valdes said. Google hasn't evangelized Go, and Valdes doesn't believe the company will evangelize Dart.

It's clear that Google has "fix JavaScript" on its to-do list. A draft of an internal memo accidentally leaked last year expresses Google's position succinctly: "JavaScript has fundamental flaws that cannot be fixed merely by evolving the language." The memo goes on to mention Dart (then Dash) as part of a "strategy for the future of JavaScript." It would be "a new language that aims to maintain the dynamic nature of JavaScript, but have a better performance profile and be amenable to tooling for large projects."

However, there are others inside the Googleplex who are committed to JavaScript, even with its flaws, Valdes pointed out. "This has led to some internal tension, it seems," he said. "Every large company has people pulling in different directions. It reminds me of the Silverlight versus HTML5 tension at Microsoft."

Google software engineer Alex Russell, who serves as one of the company's representatives to TC39 (the JavaScript standards committee), expressed what you might call the pro-JavaScript position on his Infrequently Noted blog. "So what's the deal with Google and JavaScript? Simply stated, Google is absolutely committed to making JavaScript better, and we're pushing hard to make it happen."

"As committed and enthusiastic as I am about the prospects for JavaScript," he added, "others are just as enthused about Dart. Google is big, can do many things at once, and often isn't of one mind. What we do agree on is that we're trying to make things better the best we know how. Anyone who watches Google long enough should anticipate that we often have different ideas about what that means. For my part, then, consider me and my team to be committed JS partisans for as long as we think we can make a difference."

And by some measures, the JavaScript community is actually on the rise, said IDC analyst Al Hilwa in an e-mail he sent from the Build conference, underway this week in Anaheim, Calif.

"The most important attribute of a programming language is the size of the programmer population that uses it," he said, "and here JavaScript is well represented, and has, in fact, seen a resurgence as the companion technology to HTML5's canvas tag. JavaScript is also beginning to be used on the server as powerful frameworks such as Node.js have emerged. JavaScript has just become a first-class language inside of the Windows 8 operating system, as we learned today at the BUILD conference. It will be a big challenge to topple JavaScript, but if Google is keen on that, it should start by supporting it in its Chrome browser along with JavaScript and let it duke it out for developer mindshare."

Redmonk's James Governor wasn't especially worried about the advent of Dart. "I'd be worried about Google if it wasn't driving core language innovation," he said in an e-mail. "Question though: Did JavaScript succeed because, or in spite of, its initial sloppiness and not being 'fit for purpose' as a general purpose dev environment? More central planning doesn't always mean better innovation."

Governor's colleague at Redmonk, Stephen O'Grady, was equally sanguine. "[T]he worrisome thing isn't Dart itself; companies try to improve and/or reinvent runtimes fairly regularly. A few months back, for example, Red Hat irritated the Scala community with Ceylon. It is entirely plausible that Google is both committed to improving JavaScript and simultaneously replacing it."

"The larger concern for many," O'Grady added, "is the language in the leaked e-mail that talks about 'sweet talking' browser manufacturers and encouraging developers to target Chrome first. This is indicative of the kind of company-first-Web-second mandate that used to characterize Microsoft's efforts around [Internet Explorer]. That's what's got people genuinely worried."

Posted by John K. Waters on September 15, 2011. 0 comments


Former Apache Exec's New Gig: Function(x)

Geir Magnusson, Jr., the former Apache Software Foundation board member and representative on the Executive Committee of the Java Community Process, has left his position as CTO of Gilt.com to become CTO of a new company launched by entertainment entrepreneur and "American Idol" backer Robert F.X. Sillerman. The company is called Function(x) (pronounced "function ecks," not "function of ecks," you math geeks), and its broadly stated mission is to "establish a new platform for investments in media and entertainment with a particular emphasis on digital and mobile technology."

Huh?

"We're still kind of evolving," Magnusson told me. "But this is business around consumer media consumption. It's about building systems that are mobile-based and scalable for the everyday consumer."

I'm beginning to see why the media dubbed Sillerman's enterprise a "mystery media company" when he took control of a dormant public company called Gateway Industries in February to use as a launching pad. Whatever they end up doing over at Function(x), the outfit is currently accumulating talent with experience from companies like MTV, Tidal TV, AOL, Microsoft, Expedia, Massive and Ticketmaster.

Magnusson shifted gears (no pun intended) on his ASF activities to take on the position.

"Right now I'm heads-down focused here with Function(x)," he said. "I still have a very strong interest in open source, and I'm still a member of the ASF and active in pieces of it, but I won't be as active as in the past." He's no longer on the ASF board of directors, but he's the treasurer ("They voted when I was out of the room."), and weirdly, he's still in the JCP. "It's a fairly quiet position," he said. "It wouldn't surprise me if they simply decided to get rid of it."

Magnusson founded several open source projects at the ASF, such as Geronimo, Harmony and Velocity. He also had a relatively high profile during some getting-to-know-you scuffles between the ASF and then-new Java shepherd Oracle. As the ASF's JCP EC rep, he cast the only nay vote for the Java EE 6 spec, which was approved by the committee nonetheless. And he was there when the ASF left the EC. But he was quick to downplay his importance to the organization -- in fact, any one contributor's.

"In a sense, there are no key people at the ASF," he said. "We expect that the projects will outlive their founders. The system is designed to promote a kind of community ownership of anything we do, so that when life changes for people -- they get married, have a child or get a new job -- everything continues without them, though they'll be missed."

And to underscore the ASF's continuing importance to the Java community: "Apache projects are still very much in the forefront of the implementation of Java specifications," he said. "Tomcat, ActiveMQ, Apache Geronimo; they're all staying current and competitive with other offerings, both commercial and open source. It's just that we're no longer participating in the JCP as a member of the executive committee."

My best to Magnusson at his new company... Whatever it is they're doing.


Posted by John K. Waters on September 9, 2011. 0 comments


The PaaS Wars Heat Up at Dreamforce

This year's Dreamforce event was ginormous. Salesforce.com took over all three wings of the Moscone Center in San Francisco for a week and even closed down a block of Howard Street to accommodate the wanderings of the 45,000 registered attendees. The entire exhibit area of one wing was set up for CEO Mark Benioff's keynote opener, and they still had overflow traffic going into another room to watch the keynote on monitors.

Benioff was in full Elmer Gantry mode, prowling the stage and the audience, preaching his company's newish message about the social revolution and his notions about evolving the Salesforce development platform into a "social enterprise platform." As I reported earlier, he declared, "We were born cloud, and now we've been reborn social!"

Benioff and company announced a bunch of enhancements for the Salesforce Chatter enterprise social network, a new Web-based resource for delivering an HTML5-based version of its applications, the official launch of Database.com with a new Data Residency Option (DRO), new features for its Radian6 social monitoring tool, and support in its Heroku cloud app platform for Java.

If the size of this event is any indication, a lot of people seem to be interested in Benioff's message -- and a lot of those people are developers. IDC analyst Al Hilwa sees the news and announcements fired from this conference as another volley in the "PaaS wars," an ongoing battle for the hearts and minds of application developers.

"There is a major transformation taking place in application platforms and everybody is fighting to paint a vision of what things will look like when all settles down," Hilwa told me via e-mail. "We are drifting into a more diverse world where there are many languages and platforms available to developers in a viable way."

Hilwa pointed to the big, warm hug Salesforce gave to HTML5 at the show.

"HTML5 appears to be how most enterprises will address the diversity of mobile devices that might be coming into the enterprise," he said. "Salesforce and VMware are both aware of that with [Salesforce] announcing that they will touch-enable their platform, and VMware announcing specific infrastructure solutions that enable HTML5 on such devices. HTML5 has a strong future as a unifying technology that will provide the enterprise balance to consumer application platforms [that] use native tools. I see both native and web co-existing and providing different advantages that appeal to consumers and enterprises in different ways."

PaaS war, indeed. Benioff took direct aim at rival Oracle from the stage when he told his audience to "beware of the false cloud" as he stood before an image of the Oracle Exadata server. Meanwhile, three groups of people tethered to large, cloud-shaped balloons featuring Oracle's logo and "#1 CRM" loitered on the streets outside the conference from early in the morning. I kept expecting to see kite-flying Microsofties, hot air balloons dropping IBM leaflets, or "SAP" rendered in the firmament by skywriters.

I reported this earlier, but it's worth repeating: Gartner says the market for Social CRM will surpass $1 billion in revenue by the end of 2012.

Posted by John K. Waters on September 2, 2011. 0 comments


eXo's On-Ramp to VMware Cloud Foundry

Developers deploying Java applications to VMware's new Cloud Foundry Platform-as-a-Service (PaaS) have yet another way to get there. eXo, the French company best known for its GateIn-based enterprise Java portal, has added Cloud Foundry to the growing list of PaaS systems supported by its new Cloud IDE development tool.

The company is billing the eXo Cloud IDE as the industry's only cloud-based integrated development environment. It provides coders with a multi-tenant, hosted dev space designed to enable the collaborative building of apps based on Java, Groovy, Spring, PHP, Ruby and HTML, among others. And the apps you build with it can be deployed directly to a PaaS environment.

Keep in mind that this is a separate product line, not to be confused with the development tools that are part of the company's enterprise software stack, the eXo Platform. Currently in version 3, the eXo Platform comes with a Web-based IDE, a portal framework, collaboration tools, an enterprise content management system, a knowledge management solution and a set of enterprise social networking capabilities. The core platform is architected on the GateIn portal framework, an open source project developed jointly by JBoss and eXo.

The eXo Cloud IDE has been under development for about a year and a half, and the initial beta program was launched at the beginning of the year, explained the company's San Francisco-based developer advocate Mark Downey. When I talked with him, he was eager to correct a little glitch on the company's Web site.

"Although we still call it a beta, since we are rapidly adding new features and fixing bugs, the service is now available to everybody," he said. "The statement on our homepage saying that the service is limited to a small number of developers is no longer true."

eXo's announcement comes on the eve of the annual VMworld conference, which gets underway next week in Las Vegas, and just ahead of the beta release of VMware's new Micro Foundry PaaS for client machines. (Look for the eXo Cloud IDE at Booth #171 at the Vegas show.)

Including Cloud Foundry, the eXo Cloud IDE now supports application deployment to four PaaS environments. The others are CloudBees, Heroku and Red Hat OpenShift.

"Cloud IDE makes it possible for developers to collaborate on building Java applications in the cloud, apps that they can deploy directly to Cloud Foundry in minutes," the company's founder and CEO Benjamin Mestrallet said in a statement. "The code now lives in the cloud, accessible from virtually anywhere with a browser and Internet access..."

If you're interested, eXo is welcoming all comers to download the eXo Cloud IDE, despite what the download page may say. And the company is holding an intro webinar on or around September 8. Check here for details. And there's also a video demo available here.

Posted by John K. Waters on August 25, 2011. 0 comments


Gorilla Logic Reloads FlexMonkey with Major Changes

The advanced primates over at Gorilla Logic have been working those opposable thumbs overtime recently. The results: FlexMonkey 5, a revamped version of the company's flagship open source automated testing tool for Adobe Flex and AIR. The company is calling this release "a major re-write" of the core open source tool that was driven by real-world feedback from the FlexMonkey community and Gorilla Logic's customers.

"We'd evolved the platform tremendously, and with [version] 4.19 we really hit our stride," Gorilla Logic's VP of engineering, Ed Schwarz, told me, "but we also got a lot of feedback about some aspects of it, and we realized that if we were going to take FlexMonkey to the next level, we had to do a bottom-to-top review and come out with a brand new version."

That version, code named "FlexMonkey Reloaded," had been in beta since the beginning of the year. It became the platform's main code base as of August 1.

The list of enhancements in this version is a long one. It includes more robust recording, playback and verification of all Flex UI interactions, including mouse, keyboard, drag/drop and timed actions; a new graphical console for creating and editing test suites; assertions to verify results; "wait for" functions for robust interactions with Internet services and different-speed devices; the ability to generate ActionScript versions of the tests that can be easily extended with additional control or data-driving logic; and compatibility with unit test suites and continuous integration environments.

Gorilla Logic is primarily a software services firm specializing in rich Internet applications (RIAs) and enterprise app development with Java, Adobe Flex and mobile platforms. The Broomfield, Colo.-based company was founded by a group of former Sun Microsystems execs back in 2002, but FlexMonkey has only been on the market since 2008. The tool has been downloaded more than 11,000 times since then, so the company's claim that it has become "the de-facto standard in the industry" is more than marketing hyperbole.

The band of founding Gorillas includes Schwarz, who founded the global e-Business consulting organization at Sun; CEO Stu Stern, who ran the Sun Java Center, Sun's global Java professional services organization; and CFO Hank Harris, who directed Sun's Professional Services group, which was responsible for telecom accounts in North America. (And it's really "band." I looked it up.)

"When we were at Sun during those late '90s days, running Java consulting, we had access to a tremendous pool of talent, folks who were excited to work this then-new technology called Java," Schwarz told me. "We were able to hire really strong, experienced developers from all over the country. We still know those folks, and that experience is at the core of what we do here at Gorilla Logic."

In addition to FlexMonkey, the company makes FoneMonkey, a free and open source testing tool for iOS apps. The company recently released FoneMonkey 5, as well as FoneMonkium, a free Selenium IDE plugin that adds FlexMonkey capabilities to that tool.

"Conceptually they do the same thing," Schwarz explained. "They record and playback user interactions right off the application. Our frameworks live inside the applications, and can get tremendously robust and detailed information to the automation engine. And then they automate out to continuous integration environments so they can form the backbone of the regression test suite."

The company's efforts have been focused, at least in part, Schwarz said, by the founders' belief that automated functional testing is essential for developer productivity.

"Developers end up being able to be bolder, to do more, and to realize the value of Agile methodologies much more strongly when they have that regression-testing safety net around them," Schwarz said. "Because of that, we were driven to develop the open source tools that are central to our strategy."

FlexMonkey 5 is upward-compatible for tests recorded with FlexMonkey 4.1. The FlexMonkey development team intends to support the 4.1.x version for sustaining development for six months. To download a copy of FlexMonkey 5, click here.

Posted by John K. Waters on August 24, 2011. 0 comments


Scala Creator Odersky on Java 7: Higher-Level Parallelism

There's a lot that's new in Oracle's recent release of the Java Platform Standard Edition 7 (Java SE 7), but for Martin Odersky and much of the Scala community, this release is all about its updated concurrency infrastructure -- the new Fork/Join Framework in particular, which was actually part of the JSR-166 concurrent utilities that didn't make it into Java 5 or 6. "This will no doubt further improve the performance of Scala's higher-level parallelism construct," he said in a released statement, "including its parallel collections and actors."

I recently talked with Odersky while he was in Lausanne, Switzerland, where much of the development for his company, Typesafe, takes place. The months-old commercial startup behind the open source Scala project, which Odersky created, and the open source Akka event-driven middleware framework, maintains its official headquarters in Cambridge, Mass.

The multicore support in Java SE 7 will create even more synergy between Java and Scala, he told me. "We're happy about the release in the sense that the Java platform got a much needed update, further improvements in speed, and some core and key libraries for us as well," Odersky said, "most notably the Fork/Join Framework. We have always had actors, which are built on Fork/Join, and which provide a good way to program concurrent software and distributed programs. Since [Scala] 2.9 we also have parallel collections, which are essentially the same collections as the standard collections, which are pretty nice to use. They get lots of accolades from users. And now everything can be done in parallel. Essentially better Fork/Join means faster parallel collections."

Scala, of course, is a general purpose, multi-paradigm language designed to integrate features of OO and functional programming. Odersky's brainchild runs on the JVM and is compatible with existing Java programs.

The Scala community added the Collections API in version 2.8 last year. The framework provided for the first time a "common, uniform and all-encompassing" framework for collection types. "Actors" are Scala's primary concurrency construct (concurrent processes that communicate by exchanging messages).

The Fork/Join Framework is an implementation of the ExecutorService interface that takes advantage of multiple processors. It was created by Doug Lea, the guy behind most of what happens in concurrency in Java, and it's designed for work that can be broken into smaller pieces, recursively. "The goal is to use all the available processing power to make your application wicked fast," reads the Oracle Java Tutorial.
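To make the "broken into smaller pieces, recursively" idea concrete, here is an added example of a divide-and-conquer array sum written against the Java SE 7 Fork/Join API (`ForkJoinPool` and `RecursiveTask`). It is my illustration, not code from Oracle, Doug Lea, or the Scala project; the class name, threshold value and sample input are my own choices.

```java
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.RecursiveTask;

/**
 * Added example: sums a long[] by recursively splitting the index range
 * until each piece is small enough to add up sequentially. Each split
 * becomes a subtask that the ForkJoinPool's work-stealing threads execute.
 */
public class ForkJoinSum extends RecursiveTask<Long> {
    // Assumed cut-off: below this many elements, stop splitting and loop.
    private static final int THRESHOLD = 1_000;

    private final long[] data;
    private final int lo;   // inclusive start of this task's slice
    private final int hi;   // exclusive end of this task's slice

    ForkJoinSum(long[] data, int lo, int hi) {
        this.data = data;
        this.lo = lo;
        this.hi = hi;
    }

    @Override
    protected Long compute() {
        if (hi - lo <= THRESHOLD) {
            // Base case: the slice is small, so sum it directly on this thread.
            long s = 0;
            for (int i = lo; i < hi; i++) {
                s += data[i];
            }
            return s;
        }
        // Recursive case: split in half, fork one half, compute the other here.
        int mid = (lo + hi) >>> 1;
        ForkJoinSum left = new ForkJoinSum(data, lo, mid);
        ForkJoinSum right = new ForkJoinSum(data, mid, hi);
        left.fork();                 // schedule the left half for another worker
        long rightSum = right.compute();  // keep this thread busy with the right half
        return rightSum + left.join();    // wait for (or steal back) the left half
    }

    /** Runs the whole sum on a pool sized to the available processors. */
    public static long sum(long[] data) {
        ForkJoinPool pool = new ForkJoinPool();
        try {
            return pool.invoke(new ForkJoinSum(data, 0, data.length));
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the values 0 .. n-1, whose sum is n(n-1)/2.
        int n = 1_000_000;
        long[] data = new long[n];
        for (int i = 0; i < n; i++) {
            data[i] = i;
        }
        long expected = (long) n * (n - 1) / 2;
        long got = sum(data);
        System.out.println("fork/join sum = " + got
                + (got == expected ? " (matches closed form)" : " MISMATCH"));
    }
}
```

The fork-then-compute-then-join ordering in `compute()` is the usual idiom: forking both halves and joining both would leave the current worker idle while it waits, whereas computing one half locally keeps every thread productive and lets idle workers steal the forked half. The threshold is what keeps the recursion from creating a task per element; tuning it is what the parallel-collections work Odersky describes has to get right on top of the framework.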

Lea serves on the advisory board of Odersky's company, as does James Gosling (you know: the Father of Java). Odersky describes Typesafe as "the commercial arm of the Scala and the Akka projects."

"We develop the language a little bit, but that's more a community job," he said. "But we have an open source Eclipse IDE that has been progressing nicely, and a type-safe stack that consists of the Scala runtime, the SBT that's the Scala build tool, and the Akka middleware. And we support that stack typically for very large enterprises."

Odersky says the number of Scala users is growing at a slow, but accelerating rate.

"We think we have more than 100,000 [users] now," he said. "Two years ago, Scala started from nothing and has gone up steeply since then. Overall my best guess is that we have about 1% of the Java market now, but that's doubling a bit faster than once a year. One percent doesn't look like much, but when it's doubling every year, it looks pretty promising."

I asked Odersky what he would put on his Java SE 8 Wish List. He said he had two that he was sure wouldn't be fulfilled in the next release: 1) for Oracle to finally update the class-file format. "Even in the pure Java world, you'd have a good motivation to do something about that. But it's even more pressing in Scala, because Scala produces a lot of Closures." 2) a proposal called Public Defender Methods or Virtual Extension Methods, which addresses the problem that, once an interface is published, methods can't be added without breaking it. The proposal would allow for the addition of new methods to existing interfaces, and it would allow the Collections interface to take advantage of Closures.

"But I have to say that what's going to be in Java 8 is perfectly fine," he added. "It will pose no problems for us, and I'm sure we will profit directly from these improvements."

Odersky also said that he, like many in the Java and related communities, is happy to see the end of the deadlock on the Java Community Process.

"Not having a new release out for five years is certainly not something that you want," he said. "It's good that things move forward again. And I do believe that the JVM as a platform has a great future."

Posted by John K. Waters on August 16, 2011. 5 comments


David I: Do Labels Limit Developer Creativity?

My inbox is positively billowing with press releases, product announcements and marketing department communiqués about the cloud. A quick keyword search of last week's pile alone turned up 400 electronic missives containing "cloud," 175 of which contained "cloud application."

Navigating this e-mail thunderhead put me in mind of a conversation I had with David Intersimone earlier this year. Intersimone is vice president of developer relations and chief evangelist for tool maker Embarcadero Technologies. Better known as David I, he worked for more than two decades at Borland, the company that invented the IDE, then CodeGear, the company that emerged from Borland's decision to shed its tools business. I caught up with my favorite programming guru during his latest trip down under to visit the Australia Delphi Users Group (and to get in a bit of scuba diving).

Intersimone believes it's time we dropped modifiers like "cloud" and "Web" from the application developer lexicon.

"When something is new, people feel compelled to add a qualifier, descriptor, locator or container around it to set the context," he said. "But eventually, when it's not new anymore -- or meaningful -- do we still need to keep the qualifier? Desktop applications, client/server applications, rich Internet applications, Web applications, cloud applications -- ultimately for the developer, they're just applications."

From a marketing standpoint (or as a way of explaining trends early in their evolution) those qualifiers are understandable, Intersimone allowed, but they're essentially meaningless to developers -- and are potentially limiting.

"As a developer, what do I do?" Intersimone said. "I build a user interface. I might talk to databases. I might use some APIs -- and nowadays I don't care if that API is a Google Maps API, a Facebook API, a Windows API or whatever. All you're doing is calling through REST or HTTP or TCP or calling remote functions, passing parameters in JSON packets and getting data or metadata back. And from a programming standpoint, I don't really have to think, 'oh, I'm building a rich Internet application.' Do I use Silverlight or SVG or Flash... I don't even think about that anymore. They're all just reusable objects and reusable APIs to me."

The result, Intersimone says, is artificial limits that might seep into the developer mindset.

"It's OK to say, 'I'm building a rich application, or I'm building a data visualization application, or I'm building a customer billing application,'" he said. "Those can be useful descriptions. But when you add qualifiers, whether it's 'cloud,' 'Internet' or 'Web,' it's just about the specification, so somebody knows what it runs on. We don't have to be locked into one way of building a beautiful application. I'm just saying that we should remember that."

Point taken.

David's blog, "Sip from the Firehose," is a worthy addition to your online reading.

Posted by John K. Waters on August 12, 2011. 1 comment


New Java PaaS for Private Clouds, Backed by Father of Java

Java Platform-as-a-Service (PaaS) startup CumuLogic has released a public beta of its flagship offering of the same name, which provides application infrastructure software for enterprises, cloud providers and ISVs building and managing Java PaaS in public, private and hybrid cloud environments. The CumuLogic solution is essentially a platform for developing and deploying Java applications in any type of cloud environment.

The CumuLogic PaaS software is designed to provide support for multiple clouds, which makes it possible to support clouds from different vendors at the same time. It currently supports EC2, Cloud.com, Eucalyptus and VMware. The company also expects to add OpenStack to that list soon. The PaaS software allows users to mix and match middleware components, which makes it possible to deploy modern applications, including consolidations of legacy Java applications onto a single platform. The resulting standardized and optimized application infrastructure, the company says, "provides enterprises with the means to control their IT/application infrastructure, while enabling developers the capability to focus on rapidly developing quality applications."

Cupertino, Calif.-based CumuLogic was founded just a few months ago by former Sun Microsystems employees Rajesh Ramchandani and Laura Ventura. Ramchandani was senior manager of cloud and SaaS ISVs at Sun. Ventura was group marketing manager in Sun's Startup Essentials group. Two other notable Sun veterans, James Gosling, the creator of Java, and Bill Vass, former Sun CIO, are on the company's technical advisory board.

"Today's clouds are complex and all different," Gosling said in a statement about the release. "There is almost no interoperability between cloud providers and between public and private clouds. I'm enthusiastic about CumuLogic's PaaS cloud management solution, as it utilizes the higher levels of abstraction inherent in the PaaS model to reduce the complexity of cloud management, provides targeted facilities for both developers and management, and erases the distinctions between the various clouds enabling transparent interoperability."

CumuLogic is one of the first vendors to offer a full Java PaaS for the federated cloud. Federation connects different clouds and resources according to business and application requirements. The platform automates numerous tasks so that devs can focus on building and deploying applications. It comes with a developer and administration API designed to enable devs to push applications to the cloud and to "expect all the platform service to be available to run those applications." And, at its heart, it is a cloud services catalog -- a repository of infrastructure components (database software, Web servers, app servers, etc.) that have been pre-integrated into the CumuLogic platform. Developers and IT administrators select the components they need from the catalog, eliminating the need to build service images.

"Instead of rewriting applications to fit new platforms and essentially giving up standardized application components, we sought to create a product that would give users the flexibility to keep using those components, from application platforms to databases," Ramchandani said.

The CumuLogic PaaS is available now as beta software pre-installed on Amazon EC2, but it can also be installed on-premise in private clouds. Interested developers can register for the beta on the company's User Registration page here.

Posted by John K. Waters on August 10, 2011. 0 comments