2016 Dev Predictions, Part 2: Cognitive Computing, IoT, Cloud, More

We're only a month into 2016 and it's already shaping up to be another lively year for enterprise developers. Mobile, cloud, DevOps, IoT, microservices, the API economy, cognitive computing, virtual reality -- all are reshaping organizations in fundamental ways, and it looks like devs are going to have a large role to play in that change.

Analyst Clive Howard, who keeps an eye on the mobile and IoT space for UK-based Creative Intellect Consulting, expects 2016 to be the year most companies figure out what all this stuff actually means for their businesses. Projects that have hovered mostly around the edges will find their way into the heart of the enterprise, and a few -- IoT, cognitive computing and cloud -- will mature as a "progressive few" organizations "begin to shape them into exciting new products that will start to appear in 2016 but really emerge in 2017+," he said.

Howard also expects IoT to continue to pull in developers, both consumer and enterprise, with the action heating up on the enterprise side. Mobile B2B and B2E (Business to Employee) will grow significantly, he said, which means more developers within organizations will be involved in mobile, and lots of people are going to have to buff up their skill sets.

Meanwhile, non-developers are likely to be more involved in enterprise development, Howard predicts, via so-called low-code tools and services. Given the current skills shortage, it's likely that companies will create strategies that embrace these non-developers, he said.

The coming year will not, however, see the hype around connected cars and wearables live up to the reality, he said. "I think there will be little activity [around connected cars] outside of those already involved in the car industry," he said. "Cars are probably heading to the top of the hype bubble. And wearables will go nowhere in 2016, certainly in terms of the consumer. Industrial use cases may see some interesting developments, but not at significant scale."

Another UK-based analyst, Gartner's Gary Olliffe, sees the growing interest in microservice architectures as something of a harbinger, signaling a rediscovery of the value of service orientation. "Enterprise developers are waking up to good old fashioned architecture principles that aren't new," he said. "Microservices are a kind of beacon, showing them the benefits of those principles and how they can apply them to their own work.

"Developers are excited about microservices, because they allow them to simplify their development stack, choose optimal technology, and not have bloated middleware forced upon them," he added.

Microservices have gained enough mindshare that even though most organizations are not trying to, say, replicate a Netflix-style microservice architecture, they're learning from that example, and feeding that knowledge back into the business, Olliffe said. In 2016 microservices will have an impact on most enterprises delivering anything that needs to be exposed or managed as a service, he said.

One bump on this particular road: no true microservice platform. "The tools to help you get your feet wet are easily accessible, and have become more so in the past 18 months," he said. "But the vendors have yet to step up and really provide a true microservice platform for developers. We're not seeing what you might call the next generation of app servers, the platforms onto which I deploy my units and which handles all of the complexities of the outer architecture."

Microsoft's Azure Service Fabric comes closer to providing more rapid developer productivity in that environment, Olliffe said. But to actually manage and operate tens or hundreds of instances of multiple microservices in production is a whole different game, he said. The app lifecycle teams that increasingly include coders, integrators, architects, operations, and QA, have yet to really get their arms around these environments, he said.

Microservices are poised on the edge of the phase of Gartner's hype cycle known as "The Trough of Disillusionment," Olliffe said, which follows "The Peak of Inflated Expectations." During this phase, people focus on a technology's shortcomings and limitations, and a few products fail. But he expects developers to dig in and figure out what really works, prompting speedy progress to the "Slope of Enlightenment," followed by the "Plateau of Productivity."

You can read more about microservices in Part 1 of this series ("2016 Dev Predictions, Part 1: DevOps, APIs, Microservices, More"), and I'll soon share additional observations about the year ahead in Part 3 ("2016 Dev Predictions, Part 3: Mainstream Microservices, Reactive Streams and Containers-as-a-Service.")

Posted by John K. Waters on January 29, 2016

Declining Interest in Java EE Doesn't Mean Java Is in Decline

As we reported earlier, Java won TIOBE's annual popularity contest for 2015, and came in a close second among languages used on GitHub, even though everybody and his brother seemed to be predicting Java's decline last year. This is why covering this beat often makes my head hurt. How can Java be on its way out when it's more popular than ever?

Turns out, you could argue that both are kinda true.

"We have seen a decreasing focus on Java EE," Gartner analyst Mark Driver explained. "Very few of the companies I talk to are doing new Java EE projects. They're using lighter versions, doing a lighter stack. But you shouldn't confuse Java EE with Java. In the enterprise today, it's about Java SE. Java SE 8 was probably the most innovative change we've seen in Java in 20 years. At the same time, we're seeing growth in Java-VM-based languages, like Scala and Groovy. If you're just watching the sexy stuff -- the cloud, IoT, microarchitectures, containers -- you could miss that Java and .NET are the only enterprise platforms with real breadth and depth today."

Gartner's Pace-Layered Application Strategy provides a nice framework for understanding what's going on here. Introduced in 2012, the strategy is a methodology for categorizing applications and developing a differentiated management and governance process that reflects how they are used and their rates of change.

The strategy defines three application categories ("layers") to distinguish app types: Systems of Record, which refers to established packaged applications or legacy homegrown systems that support core transaction processing and manage the organization's critical master data; Systems of Differentiation, which refers to apps that enable "unique company processes or industry-specific capabilities;" and Systems of Innovation, which refers to new apps built on an ad hoc basis to address new business requirements or opportunities.

"I have seen a remarkable decline of Java in Systems of Innovation," Driver said. "This is the next-gen, high velocity stuff -- areas where people have turned to alternative technologies, like Node, JavaScript, Ruby, and Python, and at the bleeding edge, Golang. But Java still retains extremely heavy control over Systems of Differentiation. The more mission-critical, larger scale projects are still being done in Java. I talk with clients all the time who say, we built the prototype in Ruby or Node, and then when we had to scale it, to implement it in the real world, we turned to Java."

The high profile of the innovative stuff has led a lot of people to assume that there has been a decline in the use of Java in the enterprise, Driver said, in spite of data that clearly shows there has not.

"When I look at the data -- when I look at GitHub and Stack Overflow, at all the books being published -- it shows that Java is still firmly entrenched as the No. 1 development tool in the world."

And yet Driver allows that a decline is almost certainly in Java's future, or perhaps it's more accurate to say, an evolution.

"The very definition of what we call Java is changing," he said. "In the old days it was understood that what we meant when we said 'Java' was the APIs, the SDKs, the VM, and the language. Nowadays, there's as much or more open source being done with the traditional Java blueprints. There are four or five real languages with real workloads now on the VM. So the VM is a piece that is still consistent. There's a lot of variation on that theme."

And then, there's Jigsaw in Java 9, which will modularize Java, and turn it into more of a family of technologies that will increase complexity, but also flexibility.

Driver also believes that part of the cause of the contradictory perceptions about Java over the past year has to do with its age. The venerable, mostly-OO language turned 20 last year, which is an eternity in distributed computing. Many developers, especially elite developers, might simply want to move on to something else. But for enterprise computing today, nothing else exists that provides the same functionality as Java.

Posted by John K. Waters on January 27, 2016

2016 Dev Predictions, Part 1: DevOps, APIs, Microservices, More

My annual, informal survey of industry watchers about challenges and opportunities for enterprise developers in the coming year led me this year to a group of Forrester analysts (Jeffrey S. Hammond, Kurt Bittner, John R. Rymer, Diego Lo Giudice, Jost Hoppermann, John M. Wargo, Randy Heffner and Michael Facemire) who made some predictions back in November in a must-read report, "Predictions 2016: Modern Development Goes Mainstream."

The report covers such trends as continuous delivery, DevOps, composable apps, microservices and API management -- all of which have been the province of bleeding-edge enterprise appdev-and-delivery teams, but which may now be going mainstream. I caught up with two of the report's authors, Jeffrey S. Hammond and Randy Heffner, and talked with them via e-mail about what they see on the horizon for enterprise developers.

One of the biggest challenges facing the industry in the coming year, Hammond told me, will be a dearth of JavaScript developers with experience building microservices architectures and using public cloud services. "Everyone wants these folks," he said, "and can't find them."

This will also be the year of "making things work" for IoT, he said. "Everyone 'knows' it's going to be big, but we still have to write the code and connect the things. We'll see some cool successes, while a lot of folks struggle, because IoT dev is harder than IT or mobile dev -- the 'ilities' are trickier. The cloud players will benefit as they stand up IoT services that are 'good enough' for most developers to deal with the complexity."

Hammond also expects real opportunities for developers to emerge this year from the much-hyped virtual reality and augmented reality markets. That would be my prediction, too, given the growing and intense interest in AR/VR among so many big players (Google, Facebook, Microsoft, Samsung, and even Apple). Hammond expects to see "a strong focus on the next generation of AR/VR technologies" in 2016.

"We're gearing up for the Oculus," he said, "and I think folks have almost forgotten about Glass. And then I'm expecting big Hololens progress at [Microsoft's Build 2016 conference] in March. So, in the space of three months, we could see three major players vying for devs' attention with AR/VR devices."

Heffner underscored a couple of the report's predictions. One of the most intriguing: "A broader API conversation drives a better understanding of API strategy."

Everyone has been focused on APIs for mobile and open Web APIs, he observed, but that's likely to change this year as "a greater industry focus on B2B APIs and internal APIs for more than mobile will drive an increase in the proportion of well-rounded API strategies." In short, that conversation will be about the value APIs deliver to the business. And it will be developers who inject "API thinking" into business strategy, he said. His advice: "As AD&D pros identify APIs for point solutions, they should consider not just their immediate need, but also how each point solution contributes to their organization's evolving portfolio of APIs. They should understand the different types of APIs -- business APIs, UI-layer APIs, and more -- and craft design guidance appropriate to each type."

Heffner also pointed to the report's conclusion that developers will probably be leading much of this change in 2016. They should, in fact, make a point of lending their deeper understanding of APIs to execs to get them up to speed on how business APIs open broad access to core business capabilities and have the potential to "open new lines of business and new angles into delivering their current business strategies," he said.

The growing adoption of what Forrester calls "agile-plus-architecture" in the coming year is also going to demand new leadership from AD&D pros, he said. They are likely to find themselves working with their "architecture counterparts" to develop organizational structures and processes that bring "streamlined, collaborative architecture practices into their Agile and continuous delivery streams." He added: "If architecture teams are not there yet, AD&D pros should help bring them along by inviting collaboration at key points in their delivery processes."

There's lots more in the report, which I highly recommend.

And there's more coming in this space on what's in store for developers in 2016. I talked with lots of insightful observers this year, so stay tuned for Part 2 ("2016 Dev Predictions, Part 2: Cognitive Computing, IoT, Cloud, More") and Part 3 ("2016 Dev Predictions, Part 3: Mainstream Microservices, Reactive Streams and Containers-as-a-Service").

Posted by John K. Waters on January 22, 2016

Google Is Smart to Leverage OpenJDK

The impact of Google's decision to use Oracle's OpenJDK in upcoming versions of its Android OS remains to be seen, but reaction to the news in the tech community has been cautiously optimistic.

RedMonk analyst James Governor's take was typical: "[A]fter a long hiatus, Java is finally improved with some significant new functionality -- notably lambdas in Java 8," he observed in an e-mail. "Java, the language, still has strong legs, as RedMonk data clearly show, and it makes sense for Google to embrace that ecosystem's ongoing strength. OpenJDK has made considerable progress as a community and codebase, so why not tap into that momentum?"

IDC analyst Al Hilwa viewed the decision as a smart one, with the potential to help Google in its legal struggles with Oracle: "In one move, Google is able to make Android more compatible with Java, reduce its software development costs by leveraging OpenJDK, and potentially reduce future penalties in case its use of the Java APIs that are the subject of the lawsuit are not found to be fair use," he said.

The two companies have been fighting in the courts since 2010, when Oracle sued Google, claiming that the Internet search giant infringed on patents and copyrights associated with the Java Platform in Android. Five long years of court decisions, appeals, and reversals followed, and the fight continues. As it currently stands, the courts have ruled that the 37 Java API packages at the center of the lawsuit are copyrightable, and Google is set to argue that its use of those APIs falls under the doctrine of fair use.

Rumors that Google might be replacing its Apache Harmony implementation of the Java libraries in upcoming versions of Android circulated following a Hacker News post in December about a "mysterious Android codebase commit." Google later confirmed its plan with VentureBeat reporter Emil Protalinski.

"As an open-source platform, Android is built upon the collaboration of the open-source community," Google said in a statement. "In our upcoming release of Android, we plan to move Android's Java language libraries to an OpenJDK-based approach, creating a common code base for developers to build apps and services. Google has long worked with and contributed to the OpenJDK community and we look forward to making even more contributions to the OpenJDK project in the future."

Google recently clarified with the publication that this move is a work in progress, and that future versions of Android will continue to contain parts of its own implementation of the Java libraries.

Keep in mind that Apache Harmony was retired as a project in 2011. By then OpenJDK, which Sun Microsystems had launched in 2006, had more or less taken its place as the open source Java implementation.

As Google adapts OpenJDK to Android, it looks as though the company will be effectively replacing the code at issue in Oracle v Google. But does this move actually signal the beginning of the end of hostilities between the two companies?

"Rest assured," Governor added, "there is no love lost between Oracle and Google, but working with direct and indirect competitors is very much how the modern IT industry functions. It's also worth noting that there was a notable softening of anti-Google rhetoric at Oracle OpenWorld this year: Android was mentioned positively."

So, maybe.

Posted by John K. Waters on January 12, 2016

TIOBE Names Java 'Programming Language of 2015'

Whatever else you can say about the past year, 2015 was a good'n for Java. The language turned 20 with much fanfare and well-earned acknowledgement. (Oracle marked the anniversary with a great Web site.) Java 8, with its game-changing support for lambda expressions, was adopted at a record-setting pace. And though the release of Java 9 was pushed back, modularization became real.

Now, at the start of 2016, Java gets an extra pat on the back from the industry watchers at TIOBE Software, who named it "Programming Language of 2015." The reason: The language enjoyed the largest increase in popularity of the 50-plus languages tracked in the TIOBE Index. Java's popularity grew 5.94 percent last year, according to TIOBE, smoking the closest runners-up. Visual Basic .NET grew in popularity by 1.51 percent, and Python grew by 1.24 percent.

"At first sight, it might seem surprising that an old language like Java wins this award," the TIOBE researchers wrote. "Especially if you take into consideration that Java won the same award exactly 10 years ago. On second thought, Java is currently No. 1 in the enterprise back-end market and No. 1 in the still growing mobile application development market (Android). Moreover, Java has become a language that integrates modern language features such as lambda expressions and streams. The future looks bright for Java."

TIOBE is a Netherlands-based provider of software quality assessment services based on the ISO 25010 standard. The company ranks the popularity of software languages based on "the number of skilled engineers world-wide, courses, and third-party vendors." The purpose of the Index, the company says, is to provide coders with a kind of contextual yardstick with which to measure their own language skills against current demand.

Altogether, TIOBE ranks 50 programming languages, though it follows many more. The company emphasizes that the Index measures only the popularity of a language, not its actual quality (no "bests") nor the number of lines of code written in it.

TIOBE expects Java to continue to rank among the most popular languages in 2016, along with PHP, JavaScript and Swift. Scala, the functional programming language, could earn a permanent Top 20 spot, the company predicted, and Rust, Clojure, Julia and TypeScript are likely to "move up considerably on the chart." JavaScript was TIOBE's language of the year for 2014.

BTW: That Oracle Web site is still worth a visit.

Posted by John K. Waters on January 7, 2016

Governance Model for Open Container Initiative

The Open Container Initiative (OCI) unveiled its technical governance model this week. The nascent coalition of industry leaders and users seeking to establish common standards for software containers is just over six months old, and the establishment of a governance model is a big step in its evolution.

At the core of the OCI model is a Technical Developer Community (TDC) consisting of nine maintainers who have been working on the specification since the coalition was formed. The TDC will be responsible for maintaining the project and handling the releases of both the runtime and the spec. The community is currently made up of both independent developers and employees of founding companies, such as Docker, CoreOS, Google, and Huawei.

The model also includes a Technical Oversight Board, some members of which will be elected by the TDC, and others by the wider OCI membership. That board will work closely with the TDC to ensure cross-project consistencies and workflows. And there's a Trademark Board, which will oversee the development and use of the OCI's trademarks and certifications. A representative from each of the member companies will serve on that board.

"The maintainers are very technical and neutral," said Patrick Chanezon, a member of the technical staff at Docker who has been working on OCI from the beginning. Docker donated a draft specification for the base format and runtime to the OCI, as well as the code associated with a reference implementation of that spec, known as runC. The company donated the entire contents of its libcontainer project and all modifications needed to make it run independently of Docker. libcontainer provides a standard interface for making containers inside an operating system.

The OCI has released two versions of the OCI spec so far (0.1.1 and 0.2), and Chanezon expects several more releases on the road to version 1.0. He was careful to avoid promising a release date. And there have been six releases of runC.

The OCI was formed in the spring of this year and published its charter in July. Its membership roster currently includes, among others, Amazon, Google, IBM, Oracle, Microsoft, Red Hat, EMC, Goldman Sachs, Apcera, Apprenda, AT&T, ClusterHQ, Datera, Dell, Fujitsu Ltd., HP Enterprise, Infoblox, Intel, Joyent, Kismatic, Kyup, Mesosphere, Midokura, Nutanix, Pivotal, Polyverse, Portworx, Rancher Labs, Resin.io, Scalock, Sysdig, SUSE, Twistlock, Twitter, Verizon and Weaveworks.

With this announcement, the coalition also published a list of "values," which actually read more like requirements, and which I think are worth including here:

  • Composable: all tools for downloading, installing and running containers should be well integrated, but independent and composable.
  • Portable: the runtime standard should be usable across different hardware, operating systems and cloud environments.
  • Secure: isolation should be pluggable, and the cryptographic primitives for strong trust, image auditing and application identity should be solid.
  • Decentralized: discovery of container images should be simple and facilitate a federated namespace and distributed retrieval.
  • Open: the format and runtime will be well specified and developed by a community to ensure code development leads specification development.
  • Minimalist: The OCI Specifications aim for simplicity, to ensure stability, optimize innovation and encourage experimentation.
  • Backward compatible: OCI Specifications and OCI Projects strive to be as backward compatible as possible with prior releases.

As a Linux Foundation Collaborative Project, the OCI aims to host an open source technical community and build a vendor-neutral, portable and open specification and runtime for container-based solutions, so there's a big emphasis on openness in its governance model. The OCI's technical roadmap, which was developed by the current members of the TDC, is available on GitHub, and any developer or end user can contribute to the OCI.

Posted by John K. Waters on December 9, 2015

GitLab Beefs up its Enterprise Edition, Supports Git LFS

GitLab, the company behind the open source code collaboration platform of the same name, has released a new version of one of its Git-based offerings with some additional enterprise muscle, and the company is using the occasion to throw stats at the press like ninja stars in a Kung Fu movie.

GitLab Enterprise Edition (GitLab EE) is an on-premises solution for Git hosted repositories. The newest version, GitLab EE 8.2, comes with a fairly long list of features targeting organizations with more than 100 users. Among the upgrades in this release is the addition of repository mirroring, which allows users to set up a project to automatically have its branches, tags, and commits updated from an upstream repository. GitLab EE is offered on a subscription basis, but the company also provides a free Community Edition, on which GitLab EE is built. GitLab.com is the company's free SaaS offering.

GitLab is also touting new support for Git Large File Storage (LFS) in GitLab.com and both its Enterprise and Community editions. Git LFS is an open source Git extension that replaces large binary files, such as audio, video, and graphics, with text pointers inside the Git repository; the actual file contents are stored on a remote server. GitHub, that other code-hosting site, announced Git LFS in April.
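How the pointer indirection works, and where the integrity check has to live, as an added example: this is my own Python illustration, not GitLab's or the git-lfs project's code. The pointer layout follows the published Git LFS pointer format (a version line, then `oid sha256:<hex>` and `size <bytes>`, one `key value` pair per line); the sample blob is constructed inline. The security point is that Git only ever hashes the small pointer, so bytes fetched from the LFS server must be checked against the pointer's oid and size before they are written into the working tree.

```python
import hashlib
import re

LFS_VERSION = "https://git-lfs.github.com/spec/v1"
_OID_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample "binary" content standing in for an image or video asset.
SAMPLE_BLOB = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4


def make_pointer(content: bytes) -> str:
    """Build the small text file Git commits in place of the large object.

    Only the SHA-256 and the byte length are recorded; the content itself is
    uploaded to the LFS server and fetched on demand.
    """
    oid = hashlib.sha256(content).hexdigest()
    return f"version {LFS_VERSION}\noid sha256:{oid}\nsize {len(content)}\n"


def parse_pointer(text: str) -> dict:
    """Parse a pointer strictly: version line first, then 'key value' lines.

    Rejects an unknown version, duplicate keys, a malformed oid and a
    non-numeric size rather than guessing, so a tampered pointer fails closed.
    """
    if not text.endswith("\n"):
        raise ValueError("pointer must end with a newline")
    lines = text[:-1].split("\n")
    if lines[0] != f"version {LFS_VERSION}":
        raise ValueError("missing or unsupported version line")
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(" ")
        if not sep or not key or not value or key in fields:
            raise ValueError(f"malformed pointer line: {line!r}")
        fields[key] = value
    if not _OID_RE.match(fields.get("oid", "")):
        raise ValueError("oid must be 'sha256:' followed by 64 lowercase hex digits")
    if not fields.get("size", "").isdigit():
        raise ValueError("size must be a non-negative integer")
    fields["size"] = int(fields["size"])
    return fields


def verify_object(pointer_text: str, content: bytes) -> bool:
    """Check bytes fetched from the LFS server against the committed pointer.

    Git's own hashing covers the pointer, not the object, so this comparison is
    the only place the repository's integrity guarantee reaches the real file.
    """
    fields = parse_pointer(pointer_text)
    if len(content) != fields["size"]:
        return False
    return "sha256:" + hashlib.sha256(content).hexdigest() == fields["oid"]
```

If `verify_object` returns False the download should be discarded rather than written to disk; a size check first is cheap and stops a truncated or padded object before the hash is computed.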

Sytse "Sid" Sijbrandij, the current CEO, believes that GitLab is offering the first open source production implementation of Git LFS.

The company was founded in 2013 by Sijbrandij, who is a Dutch software developer, and Ukrainian developer Dmitriy Zaporozhets, who created the platform. Back in 2011, Zaporozhets was working for a large software consultancy with 200 people who were struggling to collaborate across projects, Sijbrandij told me. The company required that any collaboration software be on-premises, but Zaporozhets couldn't find a solution he liked.

"So, he did what programmers do," Sijbrandij said, "and coded something himself, and then he open sourced it. Within a year, about 800 contributors had been attracted to the GitLab project. We didn't know each other at that time, but I e-mailed him and said that I would like to commercialize what he had developed, and asked if he would be okay with that, and with me not paying him a cent. He said, sure, go for it."

Zaporozhets later tweeted that he wanted to work on GitLab full time, and Sijbrandij went to the Western Union office to wire him some money. "He was in the Ukraine at the time," he recalled, "and the person behind the counter asked me, 'Do you know this person or is it someone you met over the Internet?' She was worried that I was being scammed."

A year later, a company was born. Sijbrandij and Zaporozhets had become friends, but the two co-founders only started working together directly at the beginning of this year.

The startup emerged from Silicon Valley's Y Combinator accelerator program this summer and promptly raised $1.5 million in seed money. And it announced a $4 million Series A funding from Khosla Ventures in September. The company has grown from 8 employees to 34, and today competes with the much better known GitHub, and with Atlassian's Bitbucket.

In October, the company entered into a partnership with SCM provider Perforce Software to create Helix GitSwarm, that company's new Git management platform.

Sijbrandij believes that GitLab is the most used code collaboration platform on premises. The company claims that more than 100,000 organizations are currently using it; that there have been more than 1 million downloads of GitLab to date; and that nearly 30 percent of Fortune 500 companies use the platform. The company currently counts IBM, NASA, Alibaba, CERN, Expedia and SpaceX, among its users.

Since I spoke with Sijbrandij, the company issued a security update, GitLab 8.2.1, and is advising users who installed GitLab 8.2 to upgrade immediately.

A complete list of new features in GitLab 8.2 is available on the company's blog page.

Posted by John K. Waters on December 2, 2015

Another Java 9 Delay Proposed

The Chief Architect of Oracle's Java Platform Group, Mark Reinhold, is asking for a six-month extension of the Java 9 release schedule. The reason: Jigsaw, of course.

Despite the "good progress" made over the past 18 months on the project that will modularize Java, Reinhold said in a post on the OpenJDK mailing list, doing it right will take just a little bit longer.

The current Feature Complete release date for Java 9 is just around the corner, and yet the JSR 376 Expert Group has yet to publish an Early Draft Review specification, Reinhold pointed out. He also expressed concern about "the volume of interest and the high quality of the feedback received over the last two months," which he said "suggests that there will be much more to come."

"[We] want to ensure that the maintainers of the essential build tools and IDEs have adequate time to design and implement good support for modular development," he said.

Reinhold wants the extra time, but he doesn't want the extension to generate a flood of new features unrelated to Jigsaw or expand the scope of the existing features "without bound."

"It would be best to use the additional time to stabilize, polish, and fine-tune the features that we already have, rather than add a bunch of new ones," he wrote. "The later [Feature Complete] milestone does apply to all features, however, so reasonable proposals to target additional JEPs to JDK 9 will be considered, so long as they do not add undue risk to the overall release."

If the community accepts Reinhold's suggestion, the Feature Complete milestone, originally scheduled for Dec. 10, will be pushed back to May 25, 2016, and the rest of the milestone schedule will be adjusted accordingly. If I've got this right (6 months + 15 days), the new JDK 9 schedule could look something like this:

2016-05-25   Feature Complete
2016-07-19   All Tests Run
2016-08-09   Rampdown Start
2016-10-25   Zero Bug Bounce
2016-12-01   Rampdown Phase 2
2017-01-05   Final Release Candidate
2017-03-09   General Availability

The long awaited, much delayed modularization of the Java SE Platform and the JDK is the biggest change to come to Java probably ever; certainly since the support of lambdas in Java SE 8. Brian Goetz, Oracle's rockstar Java Language Architect, has said that support for lambdas in Java 8 would "change the way we program in Java every day." But JSR 376, the Java Specification Request that aims to define "an approachable yet scalable module system for the Java Platform" will bring a fundamentally new kind of programming component to Java. I've talked with industry analysts who wonder if modularizing Java will effectively turn it into a new language.

Another delay is going to frustrate some people -- maybe a lot of people -- but considering the scope of changes coming in Java 9, another six months is probably not too much to ask.

Comments on Reinhold's request from JDK 9 Committers are welcome, he said, as are "reasoned objections." If no one objects (or objections are answered) by 18:00 UTC on Dec. 8, the schedule change will be adopted.

Posted by John K. Waters on December 1, 2015

Spring Social Vulnerability Fixed by a Newcomer

While I was talking with people last week about the recently published proof-of-concept exploits that threw a new spotlight on a well-known unsafe-deserialization vulnerability in the Apache Commons Collections Java library, I had the opportunity to chat with Mark Thomas, a member of the Apache Software Foundation security team and long-time Apache Tomcat committer.

In his day job, Thomas leads the Pivotal security team, so we also talked about a recent vulnerability in the Spring Social core library that was brought to his company's attention by a new kid on the security block, SourceClear, which just emerged from stealth mode.

Developed by Pivotal, Spring Social is a popular extension of the Spring Framework that allows Java developers to connect their applications with Software-as-a-Service (SaaS) API providers, such as Facebook, Twitter, LinkedIn and GitHub. The vulnerability allowed attackers to bypass Spring Social's authentication controls to hijack user accounts.

The vulnerability (CVE-2015-5258) was originally identified by Kris Bosch from Include Security. Software engineer and SourceClear co-founder Paul Ambrosini identified the root cause, vulnerable library, and vulnerable code. Ambrosini explains the issue in a nicely detailed blog post on the SourceClear site. He explains how to fix the problem by updating the library, and also offers a workaround.

"It boiled down to a cross-site forgery issue," Thomas said. "Because the Spring code is open source, SourceClear were able to dive down into it. And they pointed right at where the problem was, which made our job that much easier."

Pivotal fixed the Spring Social issue quickly and coordinated an announcement with SourceClear. A new version of the Spring Social core is available now on Maven Central. The code change can be viewed on GitHub.
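The mechanism behind the class of bug Thomas is describing, as an added example: this is my own Python illustration, not Spring Social's Java code and not a reproduction of its code paths. In an OAuth2 connect flow the application redirects the user to the provider with a `state` value, and the provider redirects back with an authorization code plus that same `state`. If the callback handler does not verify that `state` is the one minted for the current session, an attacker can start a flow for their own provider account, capture the callback URL instead of following it, and get the victim's browser (carrying the victim's session cookie) to load it, so the attacker's provider account ends up linked to the victim's application account. The provider, the authorization codes and the session dictionaries below are constructed stand-ins; `ProviderCsrfError` and the function names are mine.

```python
import hmac
import secrets


class ProviderCsrfError(Exception):
    """Raised when a callback is not bound to a state value this session issued."""


# Constructed stand-in for the provider's token endpoint: maps one-time
# authorization codes to the provider account that authorized them.
FAKE_PROVIDER_CODES = {
    "code-issued-to-attacker": "attacker@provider",
    "code-issued-to-victim": "victim@provider",
}


def exchange_code(code: str) -> str:
    """Stand-in for the code-for-token exchange; returns the provider account id."""
    if code not in FAKE_PROVIDER_CODES:
        raise ValueError("unknown authorization code")
    return FAKE_PROVIDER_CODES[code]


def begin_connect(session: dict) -> dict:
    """Start the connect flow: mint an unguessable, one-time state and bind it
    to the caller's session before redirecting them to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth2_state"] = state
    return {"response_type": "code", "state": state}


def handle_callback_unverified(session: dict, params: dict) -> str:
    """Vulnerable shape: accepts any callback and links whichever provider
    account the presented code belongs to, regardless of who started the flow."""
    account = exchange_code(params["code"])
    session["linked_accounts"].add(account)
    return account


def handle_callback_verified(session: dict, params: dict) -> str:
    """Hardened shape: the callback must carry the state minted for this session.

    The stored value is popped so it can be used once, and compared in constant
    time so the check does not leak how many leading characters matched.
    """
    expected = session.pop("oauth2_state", None)
    presented = params.get("state")
    if expected is None or presented is None or not hmac.compare_digest(
        expected.encode(), presented.encode()
    ):
        raise ProviderCsrfError("state missing or not issued to this session")
    account = exchange_code(params["code"])
    session["linked_accounts"].add(account)
    return account


def simulate_connect_csrf(handler) -> set:
    """Replay the attack against a callback handler and return the provider
    accounts linked to the victim afterwards (empty means the attack failed)."""
    attacker = {"user": "attacker", "linked_accounts": set()}
    victim = {"user": "victim", "linked_accounts": set()}
    redirect = begin_connect(attacker)
    # The provider sends the attacker back with a code for the attacker's own
    # account. Instead of following it, the attacker lures the victim's
    # browser to that callback URL; the victim's session handles the request.
    forged_callback = {"code": "code-issued-to-attacker", "state": redirect["state"]}
    try:
        handler(victim, forged_callback)
    except ProviderCsrfError:
        pass
    return victim["linked_accounts"]


def simulate_legitimate_connect(handler) -> set:
    """The honest flow: the same session starts the flow and completes it."""
    victim = {"user": "victim", "linked_accounts": set()}
    redirect = begin_connect(victim)
    callback = {"code": "code-issued-to-victim", "state": redirect["state"]}
    handler(victim, callback)
    return victim["linked_accounts"]
```

Against `handle_callback_unverified` the forged callback links the attacker's provider account to the victim; against `handle_callback_verified` it is rejected because the victim's session never issued that `state`, while the honest flow still completes. The same check is what makes the workaround in the SourceClear post meaningful: whatever generates `state` must be unguessable, stored server-side per session, and consumed exactly once.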

San Francisco-based SourceClear provides a solution for securing open source code -- both custom and inherited -- but with a focus on developers and the workflows in which they live today. I'd argue that the company has taken up the build-security-in baton from app security gurus like Gary McGraw and Sammy Migues (creators of the BSIMM) and applied it to the challenges of modern software development.

"The way we build software today is fundamentally different from the way we used to build it," SourceClear's founder and CEO, Mark Curphey, told me. "We used to build it all ourselves, but today we rely on frameworks and libraries. And that change has not been lost on the bad guys. Reusable code, unfortunately, means reusable vulnerabilities."

"The economics of hacking has fundamentally changed," Curphey added. "It's no longer about finding loads of places where you can attack, but finding places where people are pulling in vulnerable software."

Software is being built so fast these days that open-source code is getting pulled into the builds "like a swarm," Curphey said. His company's namesake solution plugs directly into a source code management system, continuous integration server, or build automation tool. Every time a developer checks in code or a build is run, it identifies the open source code and reports to the customer which pieces have vulnerabilities, where they came from, and what they could do inside their codebase. The product supports Java, Ruby on Rails and Node.js today, with plans to support Python and C/C++ in the future.

"The industry historically has built security tools for security people," Curphey said. "Those tools were designed for the way we used to build software. We're building security tools for developers and the way they build software today."

A trial version of the SourceClear solution is available for download from the company's Web site.

Posted by John K. Waters on November 16, 2015