Forrester Research analysts have been talking about "modern applications," a term they more or less coined, for a couple of years now. One of the clearest definitions of a modern app comes from application development and delivery specialist Jeffrey S. Hammond, who listed the qualities of a modern app in a 2013 blog post.
According to Hammond, a modern application is designed to work across a range of devices, from smartphones to desktops (not to mention your car and toaster). Such apps react to multiple modes of input, including voice, touch, and the good old mouse. They're highly elastic and "take advantage of cloud economics." They use open source software. They're API-oriented, built on open web techniques, and use REST, XML, and JSON "to make it easy for all types of devices and clients to easily consume data." They're also responsive, organic, and contextual. (It's well worth reading the whole post.)
Increasingly, the source for this modern species of app is non-traditional developers, he said during a recent panel discussion among in-the-trenches coders.
"Sometimes I feel like I'm living in two completely different markets these days," Hammond said. "There's the market of the traditional IT developer, where we have conversations about whether they're a .NET or Java shop, and whether they're going to release two times this year or three, and how many millions of lines of code they're writing for the middleware they're building on top of these app servers.
Hammond moderated the panel, which was held last month at Telerik's Silicon Valley headquarters in Palo Alto. It featured representatives from Telerik partner organizations who are facing the challenge of bridging the two worlds Hammond described. In keeping with the theme of the event ("Coding Tomorrow's Masterpieces"), Hammond asked the panelists for examples of modern apps they considered to be masterpieces.
Thomas Stein, computer systems manager in the Department of Earth and Planetary Sciences at Washington University in St. Louis, who works in the school's NASA laboratory, pointed to Uber as a modern masterpiece, calling it "an amazing piece of work."
"I've hated the taxi experience my entire life," he said. "Uber puts me in direct contact with the driver, separating out the awkwardness of payment and tipping and all of that, and just really focusing on making me comfortable, giving me what I want, and getting me where I need to be -- with the mobile device as the touchpoint. It's not just the business model; the application is brilliant. I know it's not simple underneath, of course, but it feels simple from the top, and that's essential in a masterpiece."
For Chuck Ganapathi, founder and CEO of Tactile, which makes a mobile CRM app called Tact, it was DropBox. (It was actually his org's app, but they made him name another.)
"To me, a modern software masterpiece is something the users just fall in love with, because it does something simply and it just works," he said. "DropBox has that kind of feel. Suddenly, you have this file that you drop onto your computer and it magically appears on your computer at work."
Krupa Rocks, senior manager in the Clinical Data Systems group at St. Jude Medical, Inc. (not the hospital, but the medical device company), cited Google's driverless car, because it exemplifies the coming tight integrations of hardware and software.
"People don't know how to drive," she said. "Computers can do a better job. If Google can really provide a self-driving car, that would definitely be a masterpiece."
Todd Anglin, executive vice president of Telerik's Cross Platform Tools group, pointed out that modern software masterpieces are being created all the time that most people never see. "Consumer apps get all the attention," he said, "but there are masterpieces out there that never make it to the app store. Working with our customers, we get to see the apps that make business go and help people get their jobs done. When I look at those kinds of applications, it's really clear to me that a software masterpiece is something that evolves over time. That's one of the things that makes it modern."
Not surprisingly, Anglin also argued that modern application development is more dependent than ever on the evolving capabilities of modern tools. (His company is all about the dev tools.)
"We assume now a certain starting point," he said, "and tools are what get us there. They give teams the space to really think about how to define an application elegantly, rather than just 'how do I make this thing work?'"
Long Le, principal and App/Dev Architect at real estate services firm CB Richard Ellis (CBRE), agreed with Anglin. "Picking the right tools at every stage of your ALM process is super important to how fast you can get [the software] out there," he said, "especially if you have limited resources."
Ganapathi added that, for modern apps especially, analytics capabilities that help developers truly understand end users have become critical. "Today, it's all about being very iterative in your development and constantly re-tuning that on a day-to-day basis," he said. "You put something out there, and then observe the data to see how people are actually using it, and then you respond to that. And you don't rely on what they're telling you in user interviews, which is so often very different."
He also pointed to the growing importance of designers in modern app development. "As developers, we've always said to designers, we'll develop it, you just make it look pretty," he said. "That's so wrong! Everybody expects phenomenal design today. If you don't have great designers -- especially when you're thinking about modern mobile apps, let alone creating a masterpiece -- you're screwed."
Rocks added that in her organization, automated testing tools have become fundamental to fast solution delivery. "Developers aren't the best testers," she said. "So testing would become a bottleneck for us without those tools." She also agreed that designers have become essential to the process. "Users may not know what they want," she said, "but they know what they don't want."
Hammond noted that the emergence of such new tools as Grunt and the enormously popular Git could be evidence that classic IDEs, such as Visual Studio and Eclipse, aren't as useful for modern application development. He also suggested that the modern application space has birthed "a new humility" among developers.
The panelists also agreed that modern apps are increasingly being built by those non-traditional developers Hammond mentioned, people with a wide range of skills, from software engineers with computer science degrees to "not developers" in the sales department who rely heavily on tools and frameworks.
And they might even come up with a few masterpieces.
Posted by John K. Waters on 11/12/2014 at 11:14 AM
Google has petitioned the U.S. Supreme Court to hear its argument against Oracle's now four-year-old claim that 37 Java APIs used in the Android OS violated copyright (details in this report). It's an important question, and in my opinion, one worthy of the high court.
Google's decision wasn't a surprise to Forrester analyst John R. Rymer, who told me he expected the search engine giant to take its case all the way to the Supreme Court if it received an unfavorable ruling at the appellate level. He added that he has noticed "zero impact" on the Java community over the past four years from this "vendor drama."
"If Google wins, the status quo prevails; if Oracle wins, then Google will either have to strip out Oracle-patented IP or pay Oracle for the right to use its IP," he said. "In the latter case, Google will 'own a piece of Android,' a nice position given that Java ME is a nonstarter among smartphone and tablet OSs."
Martijn Verburg, CEO of jClarity, a startup focused on automating optimization for Java and JVM-related technologies, and co-leader of the London Java Users' Group, is also sanguine about the effect of the rulings on the Java community so far.
"I don't think the current ruling was all that bad for the industry," he said in an e-mail. "Although there's a fair amount of FUD about the decision, you can still copy or use appropriately OSS-licensed APIs, which constitute the vast majority of the Java ecosystem, and there's still a strong argument that most folks will be okay under the Fair Use clause (for example, Mono) or the lesser-known 'It's such a small portion of the API, which is okay as well' clause, which would cover a lot of individual developers who are just copying a handful of APIs here and there."
Verburg also believes that there's a general consensus in the Java community that Oracle should come out on top in this dispute. "Java developers in general are (grudgingly in some cases) pretty happy with the way Oracle is treating Java," he said, "even if they've mistreated other OSS communities that they took over from Sun."
The last time I talked with Wayne Citrin, CTO of NetBridge, about this lawsuit, he argued that it would be best for Java -- and Oracle -- if Google wins. He hasn't changed his opinion. "The more people with the opportunity to use Java, in more contexts, can only be good for Java (and, by extension, good for Oracle)," he said. "I can see Oracle's interest in protecting Java from undesirable branching, but I really don't see that as a problem here. If Oracle wins, I see something of the opposite happening. Restricting the breadth of use of Java can't be good for the Java community (and, by extension, for Oracle)."
Citrin added that, although the stakes are highest for the Android community in this case, the wider Java community isn't likely to feel much of an impact, whatever the decision. He said he hasn't noticed any negative effects from the rulings so far. "Maybe that's because most of the Java runtimes that are being used either come from Oracle or come from companies who have gotten their ducks in a row and are okay with Oracle," he said.
A final ruling in Oracle's favor would trouble Miko Matsumura. Now vice president of Developer Relations at Hazelcast, Matsumura has been watching the Java space since he served as chief Java evangelist at Sun Microsystems in the late '90s. He agrees that there might be value in protecting some APIs with explicit licensing terms, but he sees merit in Google's argument about stifled innovation.
"The software industry today has been a thriving wellspring of innovation and competition based on [Bill Gates'] 'embrace and extend' and [Sun CEO Scott McNealy's] 'open interfaces, compete on implementation.' The inherent danger in siding with Oracle on this is that it creates a huge liability on existing software that would stifle creativity and innovation and shift billions of dollars away from software engineering towards software IP litigation."
IDC analyst Al Hilwa believes that copyright protection of 95 years (which was established by Congress for corporate authorship in 1998) is far too long. But he's not so sure about the argument that copyrights stifle technology innovation. "I think there is always a tension between unadorned innovation and breaking the rules," he said, "and we are always navigating this tension. If we could share everything without patents or copyrights, no doubt things would move faster, but there has to be a balance, and the sheer velocity of innovation is not always an absolute value held by everyone. It is up to the courts to navigate this balance."
Given the times we live in, the long "vendor drama" has seemed a strange affair to Dana Gardner, principal analyst at Interarbor Solutions.
"At a time when there's clamor for the removal, or at least reform, of patents on software, it's ironic and archaic that copyright is being invoked to keep open source software code under long-term commercial control," Gardner said. "Seeing as Java was touted as 'open source' under Sun's last gasps, and Oracle could not thwart Google's clean-room implementation of a Java runtime for Android -- its apparent true goal -- copyright always seemed like a Hail Mary affair in the Java case."
Gardner believes the Supreme Court should hear this case, because of the opportunity it presents to settle some important questions. "The U.S. Supreme Court could now use this case to make some bold and needed determinations about real-world software use, and modernize and bring clarity to its common sense rights and extension," he said. "That would bring long-needed improvement to the software intellectual property morass, and could quickly jump-start software innovation and remove the cloud of uncertainty over software ownership and rights in general."
As I said, I believe that the question of whether foundational code can be copyrighted is worthy of consideration by the high court -- or rather, a high court. I'm not so sure about this one. Our judiciary, in general, isn't tech savvy enough. The striking exception of U.S. District Judge William Alsup, who felt that it was so important to understand the technologies involved in the Oracle v. Google case that he actually learned to write Java, makes his peers look like Luddites. And most of the members of our current high court are decades behind the times. According to the AP, a relatively tech-savvy Supreme Court Justice Elena Kagan has said her fellow justices don't even use e-mail.
Posted by John K. Waters on 10/17/2014 at 1:05 PM
Oracle and the Java community made relatively few new announcements at the annual JavaOne conference last week, but a number of Java vendors did. Three announcements from local companies stood out for me at this year's show:
Hazelcast, the Palo Alto, Calif.-based provider of an open-source, In-Memory Data Grid (IMDG) solution by the same name, made big news at the show with the launch of its JCache implementation. Hazelcast 3.3.1 JCache, which is the JCache-compatible version of Hazelcast, is now drop-in "pin compatible" with Oracle's Coherence IMDG and Ehcache. Hazelcast CEO Greg Luck wrote the latter, which is one of the most widely used open-source Java caching solutions. Luck is also a co-author of the JCache spec, along with Brian Oliver, who architected Oracle Coherence. Coherence, Ehcache, and Hazelcast are the only JCache implementations currently available.
The JCache project was the longest running Java specification request (JSR) in the history of Java and the Java Community Process (JCP) until it earned approval in March. JSR-107, the spec request for Java Temporary Caching API, specified the semantics for the temporary, in-memory caching of Java objects. The JSR languished for years until Terracotta and Oracle began funding it recently. Terracotta is probably best known for its commercial development of Ehcache.
Mountain View, Calif.-based Coverity launched the free beta of its new cloud-based service for Java developers at the show. The new Code Spotter service, which is built on Coverity's static code analysis platform, is designed to help developers find difficult-to-detect defects in Java code. The service allows Java devs to upload their source code to the cloud, where it is analyzed for known issues in Java code bases, such as resource leaks, race conditions, concurrency issues, and null pointer dereferences. With this new service, the company is "democratizing access" to its testing solution, the company said.
Coverity, which is a subsidiary of Synopsys, launched a "developer-first security" effort last year, during which it began promoting the idea of putting security into the hands of developers. In January, the company released a new version of its dev/test platform that provides Java developers with expanded coverage for the Open Web Application Security Project's (OWASP) Top 10 and Common Weakness Enumeration (CWE) security vulnerabilities in Java apps. The open-source OWASP identifies 10 of the most critical Web app security risks each year. The CWE is a community project sponsored by the Mitre Corporation to create a catalog of software security vulnerabilities.
Software build and distribution company JFrog launched a new commercial version of its Bintray open-source distro platform at this year's show: Bintray Premium. Bintray, which won a Duke's Choice Award last year, is a cloud platform for developers who want to store, publish, download, promote, and share software. (In other words, all of them.) The San Francisco-based company's commercial version supports "premium repositories," with unlimited storage and downloads, full download stats, access control, and download tracking, among other features.
BTW: The company won a Duke's Choice in 2011 for its Artifactory binary repository manager.
Posted by John K. Waters on 10/07/2014 at 11:45 AM
Is it possible that Larry Ellison's decision to step down as CEO of Oracle will mean we actually see more of him? He has made two appearances so far at the annual Oracle OpenWorld conference in San Francisco this week under his new titles of Executive Chairman and Chief Technology Officer. Last year he bailed on his conference keynote to focus on the America's Cup, during which Oracle Team USA was staging an admittedly thrilling comeback. Attendees who traveled from... well, everywhere... and paid to see the guy were not sympathetic.
Ellison started his afternoon appearance yesterday with what amounted to an apology for his absence last year, and then launched into his familiar get-through-this-and-kill-'em-with-numbers pace. But then he slowed down, joked with the crowd, and worked his way amiably through a couple of demos.
"Because of my new job as CTO, I gotta do my demos by myself," he said. "Almost nobody works for me anymore." He hastily added, "I love my new job, by the way."
Maybe it was the V-neck sweater and slacks, but Ellison seemed to relax into his promised drill down on Oracle's platform-as-a-service (PaaS) offering. During his demo, he showed how users could migrate an on-premises Java application to Oracle's cloud database and WebLogic server. It took a bit more than the "push of a button" he'd talked about during his Sunday keynote opener, but not much.
Oracle continues to bet big (if a bit behind the competition) on the cloud. On Sunday, Ellison touted his company's upgraded cloud platform as an all-in-one environment for running apps and data, and for building out new apps as customers move to the cloud. The Oracle offering includes a "massively upgraded" PaaS featuring Oracle Database 12c; infrastructure-as-a-service (IaaS); and rapidly growing software-as-a-service (SaaS). The company claims to have picked up more than 2,100 new SaaS customers over the past year. "We have by far the largest portfolio of cloud applications of anybody," Ellison declared. "We built a lot more in 2014. We bought a lot more in 2014. We definitely had a build-and-buy strategy."
Ellison sounded like his old trash-talking self on Sunday as he took swipes at the competition, including SAP, Amazon, Workday, and Salesforce.com. He singled out SAP, which recently bought Concur Technologies, a travel and expense software provider, in a deal worth $8.3 billion. He focused on the company's Hana in-memory computing platform.
"I'm going to try to be nice," Ellison said. "But it's so hard. I have no idea what runs on Hana. It's rude but it's the truth. And it's kinda funny. What cloud? Let's just talk about Earth."
He also took a shot at Salesforce.com. Oracle is the only cloud vendor that "lets you use the same platform it builds on to extend cloud apps," he said, while Salesforce.com uses the Oracle platform to build its apps, and then relegates its customers to extending apps with its proprietary Force.com and Salesforce1 platforms. Still, he allowed that Salesforce "is the best of the rest, because at least they have a platform. The other guys… they don't even have a platform. It's missing in action."
Hard to believe Ellison is now 70 years old, and even harder to imagine the hyper-competitive exec slowing down. Forbes just published its annual list of the 400 Wealthiest Americans, and Ellison came in third, behind Warren Buffett (second) and Bill Gates (first), and just ahead of the Koch brothers. What do retirees do when they're worth $47.6 billion?
Of course, Ellison isn't retiring, is he? There's a reason we're not hearing much "end of an era" talk around his move. He's not actually leaving the company he co-founded. He's not even stepping away from day-to-day involvement in the company's operations. He'll be free of some responsibilities; Safra Catz will continue to look after manufacturing, finance, and legal operations, and Mark Hurd will continue managing the company's sales, service, and global business units. But Ellison is now head of engineering and product development, so he'll still be working with Hurd and Catz -- my guess is, closely.
I asked OpenWorld attendees what they thought about Ellison's decision to step down from the big chair. Several said they thought it was a smart move that freed Ellison from some responsibilities without reducing his influence. "Let's face it, how would a person who is both the CTO and Chairman of the Board of a tech company not tell the CEOs where the company is going or should go?" said attendee Keith Gapol, IT associate at Agilent Technologies. "He will still be driving the development direction of the company."
I also heard comments like this one from an attendee from the UK: "Oof! I've had enough of that man!"
Most of the people I talked to were unfazed by the Oracle executive shuffle. A developer who flew in for the event from Boston summed up what I found in my unscientific survey to be the prevailing opinion: "I don't think it'll make that much of a difference," he said. "I mean, he's not really going anywhere, is he?"
Posted by John K. Waters on 10/01/2014 at 2:08 PM
It's time again for the annual JavaOne gathering of Java jocks in San Francisco for a week of drink…I mean, learning and networking. I kid, but that's because the anxiety over how well this touchstone event would weather its assimilation by Oracle OpenWorld has largely dissipated. For all intents and purposes, JavaOne continues to survive with its identity intact.
The primary venues for this year's event, which runs from Sept. 28 through Oct. 2, are the Hilton San Francisco Union Square and the Parc 55 Wyndham, but some related events are scheduled for the Nikko Hotel. (My feet ache already.) The annual Strategy Keynote is set for Sunday afternoon at the north hall of the Moscone Center, the event's former home. The usual suspects will be on hand: Georges Saab, Peter Utzschneider, Cameron Purdy, and John Duimovich. Mark Reinhold will again give the Technical Keynote. The Community Keynote is set for Thursday morning.
I'm especially excited about the NetBeans Community Day 2014 (Sunday, September 28), which throws a spotlight on one of the least talked about and yet most popular Java IDEs. Rather than individual presenters, the NetBeans Day sessions will take the form of moderated panels of experts, including some genuine Java rockstars. The father of Java himself, James Gosling, will be there, moderating a panel focused on how they use the editors, debuggers, and profilers from NetBeans (which Gosling has called his favorite IDE) to program and interact with devices. (Expect some insights into Gosling's recent passion: sea-going robots.)
NetBeans Community Day has a lineup of six panel sessions offering real-world stories and demos of NetBeans new features in action, presentations about developing Java EE apps with Maven, talks about working with free Java tools, and a discussion about teaching with free Java tools. Session presenters include speakers from Jelastic, ZeroTurnaround, Codename One, VMware, QAware, Boeing, Kodewerk and JClarity, among others.
Among the rumored announcements I'm the most curious about is some news expected from the Eclipse Foundation about an Open IoT Stack for Java. The Foundation has been working for a couple of years now on its Internet of Things initiative, first focusing on M2M, and then expanding to include the broader IoT. The Foundation will have a booth at this year's show, where reps will be demoing some of the projects from that initiative, Ian Skerrett promised in a recent blog post. He also listed a number of Eclipse-related talks scheduled for this year's show. Lots of IoT stuff in there, but also Java 8, JavaFX, Eclipse Luna, the cloud and Java EE.
If you needed proof that IoT has graduated from buzzword to serious software category, look no further than all the sessions in the JavaOne IoT track. It's a long list, covering topics ranging from OSGi-based architectures to Gosling's robots. Need more? IoT will figure prominently in James Weaver's community keynote on Thursday, he said in a short conference page Q&A. Weaver is a Java developer, author, and consulting member of Oracle's Technical Staff. He has, the post observed, "a passion for Java, rich-client applications, and the Internet of Things (IoT)."
I'm also interested in what I think is a new addition to the conference floor: a Meet the Experts area, which was mentioned in a recent post on the Glassfish blog: The Aquarium. It's described as "a designated space in the JavaHub where most of the Specification Leads will be present at a dedicated time." Could be a mob scene; could be a golden opportunity to get some face time. Oracle's Java EE Evangelists and Heather VanCura from the JCP will also be there.
One obvious advantage of the Oracle connection is the "attendee appreciation" events, which this year include geezer rockers Aerosmith, millennials' fave Macklemore and Ryan Lewis, and the Brit band Spacehog.
Remember: learning and networking.
Posted by John K. Waters on 09/24/2014 at 9:21 AM
Ian Skerrett is probably best known for his role at the Eclipse Foundation as vice president of marketing, but for the past two-plus years he's also been leading the Eclipse effort to foster an open-source community around the Internet of Things (IoT).
"If you look at the Internet today, it's run on open source," Skerrett told me. "Linux, Apache and open standards like HTTP are the building blocks. If we're really going to get an Internet of Things, we need a set of core building blocks that anyone can use to develop commercial or internal solutions."
Eclipse IoT now includes 15 projects collectively aiming to reduce the complexity of developing IoT/M2M solutions. Most of the Eclipse literature on this initiative uses that "IoT/M2M" label, because machine-to-machine communication is where it all started, and because it continues to be an essential part of IoT. But IoT is more all-encompassing, which, Skerrett says, is what makes developing IoT solutions so challenging.
"To put together an IoT solution today, you need people who understand gateways and networks, but also enterprise systems, data analytics, integration with ERP or CRM systems," he said. "There's some daunting complexity here, but we know that when you create frameworks and abstraction levels in software, it becomes much easier to put together these types of solutions."
The mission of the Eclipse IoT initiative is to establish an open IoT/M2M platform that comprises a set of services and frameworks, open-source implementations of standard protocols, and an Eclipse-based IDE for simplifying IoT/M2M development. The current list of projects likely to become part of that platform includes the Paho Project, which provides scalable open-source client implementations of open and standard messaging protocols for IoT/M2M apps. That list also includes several frameworks: Kura, which is a set of Java and OSGi services commonly required for IoT gateways (I/O services, data services, cloud services, networking, etc.); Mihini, which is an open-source framework written in the Lua scripting language; OM2M, an open-source implementation of the ETSI M2M standard; and the Wakaama Project, which will provide a C portable framework for building LWM2M clients and/or servers.
There's also SmartHome (named by Captain Obvious), which is a framework for building smart home solutions; Eclipse SCADA, which the Foundation describes as "a way to connect different industrial devices to a common communication system and post-process, as well as visualize the data to operating personnel;" and the Sandbox LWM2M Server, which provides a Web UI and a REST API to enable interaction with the registered clients. Koneki is an M2M developer tools project that's using Lua as its primary programming language.
Eclipse IoT's protocol efforts are focused on providing open-source implementations of Message Queuing Telemetry Transport (MQTT), which is designed to connect "physical world devices" and networks with applications and middleware; CoAP (Constrained Application Protocol), which is a protocol specialized for use with constrained nodes and networks; and OMA LightweightM2M (LWM2M), which is an industry standard for device management of M2M/IoT devices.
A complete list of Eclipse IoT projects is available on the Foundation Web site here.
Even better, Skerrett will give attendees of our upcoming App Dev Trends 2014 Conference in December an in-depth look at the Eclipse IoT initiative and discuss the role of open source in the evolution of the Internet of Things.
Posted by John K. Waters on 09/17/2014 at 10:11 AM
There's a difference between a bug and a flaw, and an impressive group of software security mavens thinks it's time to pay more attention to the latter. To shift some of the industry's focus away from finding implementation bugs and toward identifying common design flaws -- "the Achilles' heel" of security engineering -- the IEEE Computer Society has formed the Center for Secure Design (CSD).
The CSD grew out of a foundational workshop, held in April, which brought together software security experts from industry, academia and government to talk about the problem of secure software design. Among the 10 workshop participants were representatives from Twitter, Google, RSA, Intel and Harvard University.
Gary McGraw, CTO of Cigital, hosted a soirée at the Cantina art bar in San Francisco to launch the CSD and to generate interest in its mission. McGraw was among the original workshop members. "The price of admission was a bag of flaws -- a real bag of flaws -- from your practice," McGraw told attendees. "We dumped them all on the table and picked the tallest 10 piles."
That mission, by the way, is to "gather software security expertise from industry, academia and government" to provide guidance on "recognizing software system designs that are likely vulnerable to compromise" and "designing and building software systems with strong, identifiable security properties." And those 10 piles led to the publication of an inaugural CSD report, "Avoiding the Top 10 Software Security Design Flaws."
McGraw, who is author of numerous books about building secure software, called finding and fixing design flaws "the hardest problem that nobody has solved."
"Software security has grown into a $7 or $8 billion industry, and it's continuing to grow very fast," he told me. "But the field seems to be myopically focused on bugs and hackers. And yet, from a technical perspective, half of the problem is a design problem. We're hoping to shepherd the field in the right direction."
The CSD is part of a larger IEEE cybersecurity initiative launched this year "with the aim of expanding its ongoing involvement in cybersecurity." Jim DelGrosso, principal consultant at Cigital, will serve as the CSD's executive director. One of the problems the group will address, DelGrosso said, is the relative opaqueness of the work being done on design flaws.
"We've known about these things for a decade or three," he told attendees, "and yet the problems persist. We also know that this work is being done, but much of it is being done internally, so it's not available to the public. One of the goals of the CSD is to change that. We want people to stop making these mistakes."
Google information engineer Christoph Kern shared an example of such internal work from his own company, where he has been developing Web application frameworks that make it hard for developers to introduce cross-site scripting bugs. One team that adopted the frameworks saw a marked reduction in their bug-tracker stats. "There's a real connection between bugs and design-level considerations," he said.
Here's the list of initial participants in the Center for Secure Design:
- Iván Arce, Sadosky Foundation
- Neil Daswani, Twitter
- Jim DelGrosso, Cigital
- Danny Dhillon, RSA
- Christoph Kern, Google
- Tadayoshi Kohno, University of Washington
- Carl Landwehr, George Washington University
- Gary McGraw, Cigital
- Brook Schoenfield, Intel/McAfee
- Margo Seltzer, Harvard
- Diomidis Spinellis, Athens University of Economics and Business
- Izar Tarandach, EMC
- Jacob West, HP
Here are those top 10 security design flaws, stated as the principles for avoiding them; each one is fleshed out considerably in the CSD report:
- Earn or give, but never assume, trust
- Use an authentication mechanism that cannot be bypassed or tampered with
- Authorize after you authenticate
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources
- Define an approach that ensures all data are explicitly validated
- Use cryptography correctly
- Identify sensitive data and how they should be handled
- Always consider the users
- Understand how integrating external components changes your attack surface
- Be flexible when considering future changes to objects and actors
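As an added illustration of the design-level approach Kern describes, and of the "strictly separate data and control instructions" principle above, here is a small JavaScript sketch (not Google's framework, and not code from the CSD report): untrusted strings can enter markup only through an escaping template tag, and the rendering sink accepts only the resulting SafeHtml type, so the ordinary developer path cannot concatenate user input into the page. The names SafeHtml, html and render are my own.

```javascript
// Added illustration: a tiny "safe HTML" type that keeps untrusted data (plain
// strings) structurally separate from control (authored markup).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Constructor token: only the functions in this module can mint a SafeHtml.
const PRIVATE = Symbol('SafeHtml constructor token');

// SafeHtml wraps markup that is known to be safe by construction.
class SafeHtml {
  #markup;
  constructor(markup, token) {
    if (token !== PRIVATE) throw new TypeError('SafeHtml cannot be built from a raw string');
    this.#markup = markup;
  }
  toString() { return this.#markup; }
}

// Escape untrusted text so it can only ever be data, never markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: the literal parts are control (markup written by the
// developer); every interpolated value is data and is escaped unless it is
// already SafeHtml, so nested fragments compose without double-escaping.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.toString() : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out, PRIVATE);
}

// The only sink: it refuses anything that is not SafeHtml, so a string built
// by concatenation cannot reach the page at all.
function render(fragment) {
  if (!(fragment instanceof SafeHtml)) throw new TypeError('render() accepts only SafeHtml');
  return fragment.toString();
}

// Constructed sample input: a textbook XSS probe supplied as a display name.
const untrustedName = '<script>alert(1)</script>';

// "Before": plain concatenation, the shape of code that produces XSS bugs.
function vulnerableGreeting(name) { return '<p>Hello, ' + name + '</p>'; }

// "After": the same fragment built through the safe type; the probe is inert.
function safeGreeting(name) { return render(html`<p>Hello, ${name}</p>`); }
```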
Posted by John K. Waters on 09/02/2014 at 6:43 AM
There's nothing like seeing the final agenda go up on a Web site to drive home the reality that you're chairing your first technology conference.
Fortunately for me, that agenda -- the one for our first ever App Dev Trends conference coming in December in Las Vegas -- is filled with workshops and sessions led by some of my favorite enterprise software experts, industry mavens, market watchers and serious codederos. I might be as nervous as a nerd at the prom about stepping onstage in my chairing duties (man, that simile brought up some bad memories), but I couldn't be more relaxed about our kick-ass presenter lineup.
I'm very excited, for example, to have David Intersimone (better known as "David I.") speaking at the show. Intersimone is vice president of developer relations and chief evangelist for toolmaker Embarcadero Technologies, and he's a programmer's programmer. He worked for more than two decades at Borland, the company that invented the IDE, then at CodeGear, the company that emerged from Borland's decision to shed its tools business. David will be presenting two sessions: "Integrating Devices and Gadgets into Your Enterprise" and "Clouds: The Final Frontier – Integrating BaaS into your Enterprise Apps."
We also have one of my all-time favorite conference keynoters, Miko Matsumura, leading a session. He's now vice president of developer relations at Hazelcast, the open source in-memory data grid company, but I first saw Miko when he served as chief Java evangelist at Sun Microsystems in the late '90s. (Back when he had shoulder-length hair!) He was one of the most visible spokespeople for Java back then, and a member of the team that popularized the Java platform among developers. In his session, "Elastic Application Performance Market View," Miko will examine the dizzying array of options available today for architecting scalability into applications from Day 1.
When Dr. James McCaffrey, a popular veteran of 1105 Media's Visual Studio Live! conferences and Visual Studio Magazine columnist, responded to my e-mail pestering by saying that he might have a totally new tool to present at our show, and that this tool was designed for developers interested in neural networks, I swallowed my gum! You've probably heard about Microsoft's new cloud-based machine-learning tool, Machine Learning Studio, the beta of which was unveiled in July. His presentation is titled: "Understanding Neural Networks Using Python." McCaffrey, who works at Microsoft Research, promises that attendees will come away from his session with an in-depth understanding of neural networks -- and that the session will include one of the first public demos of the new Machine Learning Studio.
I am also very excited about Ian Skerrett's session, "Introducing Eclipse IoT: Accelerating IoT Development." Over the past two years, the Eclipse Foundation has been developing a community of open source projects for Internet of Things developers. That community now comprises 15 different projects, and includes implementations of popular IoT standards, such as CoAP, MQTT, and Lightweight M2M. Ian is the man who has been leading the effort to build that community. He will be talking about the project itself and how to use the technologies it encompasses to get started building IoT solutions.
One of my favorite tech industry watchers, Theresa Lanowitz, founder of voke inc., is also presenting at our show. Her official bio says that she's widely recognized as "a strategic thinker and influencer in the application life cycle, virtualization, cloud computing, and convergence markets." I usually hate to use PR-speak, but that line is right on the money. Cool tidbit from that bio: She worked on the original JBuilder IDE. I've interviewed Theresa many times, and I'm looking forward to both of her sessions: "Extreme Automation: Software Quality for the Next-Generation Enterprise," and "Software Quality in the Sound Bite Era."
And our own Agile Architect, Dr. Mark Balbes, will be among the speakers kicking off the show with his session, "The State of Agile." Mark will be talking about the evolution of Agile -- what works, what doesn't and where the Agile movement might be heading in the future. He'll also be there to wrap things up with our closing panel, "Agile Techniques and Best Practices," which will feature Mark, Matt Philip and Jason Tice, the Three Agilistos from our popular summer webcast. I'll be moderating this panel, so it'll be worth attending for my embarrassing gaffes alone.
It's no exaggeration to say that this is just the tip of the iceberg. This is our first-ever ADT-branded event, and we went all out to put together what I believe is a killer agenda with sessions focused on the enterprise developer. App Dev Trends 2014 runs Dec. 8-11 at the Mandalay Bay Resort and Casino in Las Vegas. Hope to see you there!
Posted by John K. Waters on 08/20/2014 at 3:25 PM
Java toolmaker ZeroTurnaround's software release automation tool, LiveRebel, is a little less live than it was a week ago. The company pulled the plug on the three-year-old sibling of its JRebel JVM plug-in (and newly birthed XRebel Java profiler). Company founder and CEO Jevgeni Kabanov delivered the news in a blog post, though he says customers were contacted before he posted.
I caught up with Kabanov via Skype in Estonia, where his company is headquartered, to ask him about it. He said there just wasn't enough of a mid-range release management market to sustain the product.
"LiveRebel was aimed at the mid-market," he said. "That's a few dozen up to a couple hundred servers. But most of our competitors were going after customers with hundreds to thousands of servers. We just felt that there was a significant opportunity cost for going after that market."
Another problem, Kabanov said he believes, is that there is currently no agreement on exactly what a "release management" product should do -- especially within the context of the rapidly evolving DevOps and continuous delivery movements. But perhaps more important, whatever release management is, it doesn't currently seem to be at the top of ZT's customers' to-do lists. In his blog post, he put it this way: "Release management provides little value if you don't have automated builds, provisioning, and a well-defined release process, and unfortunately most potential customers would have none of those."
"It was a tough decision emotionally, but from a business perspective, it was quite straightforward," he said. "For now, we're continuing to focus on the developer tools market, which is our strength. But we're not closing any doors on what we might do in the future."
LiveRebel 1.0 was released in May 2011 after about three years of development "in the far northern country of Estonia as an attempt to re-invent product updates." The final version, 3.1, was released last month. Kabanov said active customers would be getting refunds, along with support and help migrating off LiveRebel, until August 2015.
The Tartu, Estonia-based company is probably best known for its JRebel plug-in, which integrates with the Java Virtual Machine (JVM) and app servers on the class loader level, and allows developers to make on-the-fly code changes in Java class files. In June, the company released an interactive Java profiler called XRebel. The company also operates a research and content organization, Rebel Labs, which publishes free, vendor-neutral technical resources.
Posted by John K. Waters on 08/13/2014 at 4:34 PM