Secure Software Development

Adventures in JavaScript: Getting Started

2013-05-13

Node.js One of the high potentials for a Frictionless Development Environment (FDE) is Cloud9.

It is one of a growing number of web applications that uses JavaScript as the programming language for both front-end and back-end. The latter brought to you by Node.js.

So I thought it was time to start playing around with JavaScript and Node. Here is an account of my very first adventure into this Brave New World.

Preparations: Adding JavaScript Support to Eclipse

To keep the number of changes low, I wanted to keep my trusted old Eclipse. So the first step was to install Nodeclipse and jshint-eclipse.

To support documentation in the Markdown format that Node uses, I installed the Markdown Editor plugin for Eclipse.

This left me with nothing for unit tests. So I installed the JavaScript tools from Eclipse. That gave me some JS support, but nothing for creating unit tests.

Some googling told me there is such a thing as JsUnit, the JS port of my beloved JUnit. Unfortunately it doesn’t seem to come with Eclipse support, even though this thread indicates it does (or did).

Maybe I’m just doing it wrong. I’d appreciate any hints in the comments.

Some more googling informed me that Orion is using JsTestDriver.

This introduction to JsTestDriver explains in detail how it works.

First Exercise: Roman Numerals

Now that I’m all set up, it’s time to do a little exercise to get my feet wet. For this I picked the Roman Numerals kata.

I started out by following this JsTestDriver example. I created a new JavaScript project in Eclipse, added src/main/js and src/test/js folders, and created the JsTestDriver configuration file:

server: http://localhost:9876

load:
  - src/main/js/*.js
  - src/test/js/*.js

Next, I opened the JsTestDriver window using Window|Show View|Other|JavaScript|JsTestDriver and started the JsTestDriver server. I then opened the client in FireFox at http://127.0.0.1:42442/capture.

The next step was to create a new run configuration: Run|Run Configurations|JsTestDriver Test. I selected the project and the JsTestDriver configuration within the project, and checked Run on Every Save.

Now everything is set up to start the TDD cycle. First a test:

RomanNumeralsTest = TestCase("RomanNumeralsTest");

RomanNumeralsTest.prototype.testArabicToRoman
    = function() {
  var romanNumerals = new TestApp.RomanNumerals();
  
  assertEquals("i", romanNumerals.arabicToRoman(1));
};

And then the implementation:

TestApp = { };

TestApp.RomanNumerals = function() { };


TestApp.RomanNumerals.prototype.arabicToRoman
    = function (arabic) {
  return null;
};

I completed the rest of the kata as usual.

Reflections

The cool thing about JsTestDriver is that it automatically runs all the tests every time you change something. This shortens the feedback cycle and keeps you in the flow. For Java, InfiniTest does the same.

The problem with my current tool chain is that support for renaming is extremely limited. I got Operation unavailable on the current selection. Select a JavaScript project, source folder, resource, or a JavaScript file, or a non-readonly type, var, function, parameter, local variable, or type variable.

Other refactorings do exist, like Extract Local Variable and Extract Method, but they mess up the formatting. They also give errors, but then work when trying again.

All in all I feel satisfied with the first steps I’ve taken on this journey. I’m a little worried about the stability of the tools. I also realize I have a more to learn about JavaScript prototypes.

Leave a Comment » | Software Development | Tagged: refactoring, TDD, JavaScript, Roman numerals, kata, FDE, Cloud9, Orion, node.js, Nodeclipse, jshint-eclipse, Markdown, JsUnit, JsTestDriver, InfiniTest | Permalink
Posted by Ray Sinnema

Is XACML Dead?

2013-05-08

rip XACML is dead. Or so writes Forrester’s Andras Cser.

Before I take a critical look at the reasons underlying this claim, let me disclose that I’m a member of the OASIS committee that defines the XACML specification. So I may be a little biased.

Lack of broad adoption

The first reason for claiming XACML dead is the lack of adoption. Being a techie, I don’t see a lot of customers, so I have to assume Forrester knows better than me.

At last year’s XACML Seminar in the Netherlands, there were indeed not many people who actually used XACML, but the room was filled with people who were at least interested enough to pay to hear about practical experiences with XACML.

I also know that XACML is in use at large enterprises like Bank of America, Bell Helicopter, and Boeing, to name just some Bs. And the supplier side is certainly not the problem.

So there is some adoption, buI grant that it’s not broad.

Inability to serve the federated, extended enterprise

XACML was designed to meet the authorization needs of the monolithic enterprise where all users are managed centrally in AD.

I don’t understand this statement at all, as there is nothing in the XACML spec that depends on centrally managed users.

Especially in combination with SAML, XACML can handle federated scenarios perfectly fine.

In my current project, we’re using XACML in a multi-tenant environment where each tenant uses their own identity provider. No problem.

PDP does a lot of complex things that it does not inform the PEP about

The PDP is apparently supposed to tell the PEP why access is denied. I don’t get that: I’ve never seen an application that greyed out a button and included the text “You need the admin role to perform this operation”.

Maybe this is about testing access control policies. Or maybe I just don’t understand the problem. I’d love to learn more about this.

Not suitable for cloud and distributed deployment

I guess what they mean is that fine-grained access control doesn’t work well in high latency environments. If so, sure.

XACML doesn’t prescribe how fine-grained your policies have to be, however, so I can’t see how this could be XACML’s fault. That’s like blaming my keyboard for allowing me to type more characters than fit in a tweet.

Actually, I’d say that XACML works very well in the cloud. And with the recently approved REST profile and the upcoming JSON profile, XACML will be even better suited for cloud solutions.

Commercial support is non-existent

This is lack of adoption again.

BTW, absolute claims like “there is no software library with PEP support” turn you into an easy target. All it takes is one counter example to prove you wrong.

Refactoring and rebuilding existing in-house applications is not an option

This, I think, is the main reason for slow adoption: legacy applications create inertia. We see the same thing with SSO. Even today, there are EMC internal applications that require me to maintain separate credentials.

The problem is worse for authorization. Authentication is a one-time thing at the start of a session, but authorization happens all the time. There are simply more places in an application that require modification.

There may be some light at the end of the tunnel, however.

History shows that inertia can be overcome by a large enough force.

That force might be the changing threat landscape. We’ll see.

OAuth supports the mobile application endpoint in a lightweight manner

OAuth does well in the mobile space. One reason is that mobile apps usually provide focused functionality that doesn’t require fine-grained access control decisions. It remains to be seen whether that continues to be true as mobile apps get more advanced.

Of course, if all your access control needs can be implemented with one yes/no question, then using XACML is overkill. That doesn’t, however, mean there is no place for XACML is the many, many places where life is not that simple.

What do you think?

All in all, I’m certainly not convinced by Forrester’s claim that XACML is dead. Are you? If XACML were buried, what would you use instead?

Update: Others have joined in the discussion and confirmed that XACML is not dead:

Gary from XACML vendor Axiomatics
Danny from XACML vendor Dell
Anil from open source XACML implementation JBoss PicketBox
Ian from analyst Gartner

Update 2: More people joined the discussion. One is confused, one is confusing, and Forrester’s Eva Mahler (of SGML and UMA fame) backs her colleague.

Update 3: Another analyst joins the discussion: KuppingerCole doesn’t think XACML is dead either.

2 Comments | Information Security, XACML | Tagged: cloud computing, fine grained access control, Forrester, JSON, OASIS, OAuth, OpenAz, RAdAC, REST, SAML, XACML | Permalink
Posted by Ray Sinnema

Bridging the Client-Server Divide

2013-05-06

Most software these days is delivered in the form of web applications, and the move towards cloud computing will only emphasize this trend.

Web apps consist of client and server parts, where the client part has been getting bigger lately to deliver a richer user experience.

This split has implications for developers, because the technologies used on the client and server parts are often different.

The client is ruled by HTML, CSS, and JavaScript, while the server is most often developed using JVM or .NET based languages like Java and C#.

Disadvantages of Different Client and Server Technologies

Developers of web applications risk becoming either specialists confined to a single part of the stack or polyglot programmers.

Polyglot programming is the practice of knowing and using many programming languages. There are both advantages and disadvantages associated with polyglot programming. I believe the overriding disadvantage is the context switching involved, which degrades productivity and opens the doors to extra bugs.

Being a specialist has advantages and disadvantages as well. A big disadvantage I see is the “us versus them”, or “not my problem” culture that can arise. In general, Agile teams prefer generalists.

Bringing Server Technologies to the Client

Many attempts have been made at bridging the gap between client and server. Most of these attempts were about bringing server-side technologies to the client.

Java on the client has failed to reached widespread adoption, and now that many people advice to disable Java applets altogether because of security reasons it seems increasingly unlikely that it ever will.

Bringing .NET to the client has likewise failed as Silverlight adoption continues to drop.

Another idea is to translate from server to client technologies. Many languages can now be compiled to JavaScript. The most mature effort is Google Web Toolkit (GWT), which translates from Java. The main problem with GWT is that it supports only a small subset of Java.

All in all I don’t feel there currently is a satisfactory way of using server technologies on the client.

Bringing Client Technologies to the Server

So what about the reverse? There is really only one client-side technology worth looking at today: JavaScript. The only other rival, Flash, is losing out quickly due to lack of support from Apple and the rise of HTML5.

JavaScript on the server is starting to make inroads, thanks to the Node.js platform.

It is used by the Cloud9 IDE, for example, and supported by Platform-as-a-Service providers like CloudFoundry and Heroku.

What do you think?

If I had to put my money on any unification approach, it would be Node.js.

Do you agree? What needs to happen to make this a common way of developing web apps? Please let me know your thoughts in the comments.

1 Comment | Cloud Computing, Software Development | Tagged: .NET, Agile, Apple, applet, C#, cloud computing, Cloud9, CloudFoundry, CSS, Flash, GWT, Heroku, HTML, HTML5, Java, JavaScript, JVM, node.js, polyglot programming, security, Silverlight, webapp | Permalink
Posted by Ray Sinnema

Data Classification In the Cloud

2013-04-01

Whenever a bug report comes in, I subconsciously classify it according to how it impacts the customer’s ability to derive value from the product.

Many software development companies have policies that formalize such classifications, e.g. into critical, high, medium, and low priority.

One can take that very far, like the Common Weakness Scoring System (CWSS) for classifying security vulnerabilities.

Data classification

Classifications are useful, because they compress a vast set of possibilities into a small set of categories. This makes it easier to decide what to do.

Classification applied to data stored in computer systems is called data classification. There are different reasons for classifying data.

One is to determine appropriate access control policies. It is wasteful to protect all your information at the highest level, so you want to divide up your data into a small number of buckets and take measures that are appropriate for each bucket.

Another important use case of data classification is to drive compliance efforts. If you process health care data, for instance, you may have to comply with the Health Insurance Portability and Accountability Act (HIPAA). This data requires different controls to be put in place than credit card data that is covered by PCI DSS.

Data in the Cloud

Things get more interesting in the cloud.

As a cloud user, you are still subject to the same laws and regulations as before, but now you’ve given away part of the control to your cloud provider. This means you have to make sure that they implement the required controls.

If the regulations you must comply with come with assessments, then those must extend to the cloud provider. Many cloud providers will not allow you to come in and do such assessments yourself, but they may allow assessments from third parties, like TRUSTe for a Safe Harbor assessment.

As a cloud provider, you will want to implement as many controls as possible, to support the maximum number of laws and regulations that your customers must comply with.

Both parties benefit from clear contracts. Part of such a contract may be a Data Protection Agreement that lists the duties of both parties in classifying and properly protecting data to meet security requirements and regulations.

If you’re unsure how to do all of this right, then you may want to look for guidance from the Cloud Security Alliance (CSA).

Leave a Comment » | Cloud Computing, Cloud Security, Software Development | Tagged: assessment, authorization, cloud computing, cloud contract, compiance, CSA, CWSS, data, data classification, Data Protection Agreement, HIPAA, PCI DSS, Safe Harbor, TRUSTe | Permalink
Posted by Ray Sinnema

Likely Candidates for Frictionless Development Environments

2013-03-25

Last time I reviewed the book on Consumption Economics, which explains how technology companies and their products will have to change to survive the brave new world that we’re entering.

So what would we find if we take the lessons from the book and apply them to our own software development environment? I think the answer would be surprisingly close to what I’ve called a Frictionless Development Environment (FDE) before.

To be honest, I’ve only started thinking more systematically about FDEs after reading Consumption Economics. In Five Essential Components of a Frictionless Development Environment, I’ve laid out the major building blocks of an FDE: cloud computing, big data analytics, recommendation engines, plug-in architecture, and open source.

It may be to soon to expect existing solutions to have all of those, but let’s see where we stand. There are already some cloud development environments. Most of these are geared towards web developers, and offer limited languages (mostly JavaScript). Some offer a big enough range to be interesting to a wide range of developers.

Big data analytics and recommendation engines are big features that are probably not there yet, but could always be added later. What’s more important is to look for a plug-in architecture and particularly for open source. These are fundamental architectural and business decisions.

Using open source as a criterion reduces our list to Cloud9 and Orion. Both have a plug-in architecture. The latter is an Eclipse project, but the former seems more mature. Be sure to follow both Cloud9 and Orion.

So what do you think? Would any of these cloud IDEs work for you? What other open source cloud IDEs are out there?

Leave a Comment » | Cloud Computing, Software Development | Tagged: Big Data, cloud computing, Cloud9, Eclipse, FDE, Orion, plug-in | Permalink
Posted by Ray Sinnema

Book review: Consumption Economics

2013-03-18

Consumption Economics, The New Rules of Tech, paints a detailed picture of the future of the technology business, combining vision with practical steps to realize it.

Chapter 1, How Good We Had It, observes that purchased tech products are traditionally paid for up front, while usage starts (much) later, which means the risk is on the buyer to derive value from the purchase.

Since vendors add features to their products faster than customers can consume them, we have a Consumption Gap: the difference between the potential value of a product and the value that is actually realized.

Customers are changing their attitude towards the Consumption Gap and its risk. The economic downturn encourages businesses to cut costs, cloud computing shifts the buying model from CapEx to OpEx, and the iPhone’s App Store has brought choice to computing.

Chapter 2, Shifting Clouds and Changing Rules, explains that the risk of monetizing the investment in tech products will shift to vendors, who will have to survive off micro-transactions (MTs). The cloud will bring prices down to the point of retail-like price wars. Vertical market focus and business process expertise will become the new high-value service capabilities.

Influence will shift from IT departments to end users, who are the ones making the MTs. Tech companies are not used to deal with them, but real-time usage data will change that and lead to the discovery of best-practice utilization patterns.

Chapter 3, Looking Over the Margin Wall, explains that tech is not immune to commoditization. Price competition will kick in and margins will decrease. When we hit this Margin Wall, the only viable strategy is to start over with a new product. The cloud’s low switching costs are decreasing the runway to commoditization.

Things look differently on the other side of the Margin Wall. Revenue is based on MTs, so no usage means no money. The Consumption Gap is now the provider’s problem: they need to make sure their product’s advanced features get used. They must build sophisticated Consumption Models.

Chapter 4, Learning to Love Micro-Transactions, argues that in an OpEx model, volume matters and vendor must learn how to drive MTs. This means more features per user, more apps per user, and more users per month. Even on-premise solutions will move to OpEx models.

We’ll need automated ways to sell electronically in the context of the user’s workflow. We can learn a lot from games, where users get constant feedback, are recognized with rewards and status, and are part of a community in which to share and compete.

Customers must learn this new model as well. Their costs will become less predictable, and purchasing power will trickle down to end users. The role of the IT department will change with new policies like Bring Your Own Device (BYOD).

Chapter 5, The Data Piling Up in the Corner, argues for aggregating and analyzing usage data to build Consumption Models that drive usage. Cloud computing enables that, since all user interactions are recorded on the server.

We need to identify Consumption Roadmaps, best practices for consuming value from our products, and we need our product to guide the end user according to priorities set by the customer.

This requires an e-commerce layer in our products and our organization. Service and field staff will be armed with detailed usage data to better help customers.

Chapter 6, Consumption Development: The Art and Science of Intelligent Listening, explains that with deployment in the cloud, we no longer need to get every thing right from the start, but we can also no longer sit back after a release. We need to actively drive usage based on usage statistics.

Intelligent Listening predicts new wanted features from usage data and monitoring of social media. Consumption Innovation executes on this learning through capabilities to simplify usage and guide users along predetermined paths. In-Product Up-sell bakes in recommendation engines and offer-management capabilities to present users with new features they are likely to want.

Implementing these changes cost money. To fund them, get rid of products that don’t generate profit, as they take up development time and effort.

Chapter 7, Consumption Marketing: Micro-Marketing and Micro-Buzz, describes how the shift to decision making by end users and the data we have about their behavior will change marketing.

Usage data must be combined with information from services, development, and road maps to form Best Consumption Practices.

Marketing must segment users, identify high value capabilities per segment, figure out what sequence of adoption worked to get there, how to guide others along the same paths, and when and where to trigger offers. Offers need to bring real value to the users to drive trust.

Chapter 8, Consumption Sales: After a Great Run, the Classic Model Gets an Overhaul, posits that the old sales model that was based on standardization breaks down with increased complexity of the product and individuality of its users. Instead we need consulting skills and service-oriented compensation models and salespeople with business expertise.

The new sales steps are: win the platform sale, sell the pay-per-use model, and expand the platform agreement by arming the sales force with consumption research.

Chapter 9, Consumption Services: Will They Someday Own “The Number”?, describes how most current revenue from services is in activities like installation, implementation, integration, and maintenance, and how those will largely go away in the cloud.

The customer service and support team is our best bet for driving MTs, because of their cost structure and remotely operated tools. Their role will have to change from minimizing cost to maximizing customer value by adding new inside sales capabilities.

The Account Services Organization (ASO) will closely tie support with professional services and customer engagement. Expertise will shift away from the technical and towards the business to better help the customer gain value from the system. The ASO will need to learn how to sell MTs and build the Consumption Road-map.

Chapter 10, Customer Demand vs. Capital Markets: How Fast Should You Transform?, talks about the balancing act between transforming ourselves and meeting Wall Street’s short-term expectations. Timing is crucial, as we need some runway to fly over the Margin Wall.

The chapter describes some ways to “buy runway” to get you through the transformation period.

Chapter 11, The “S” Stands for Services, argues that the future of technology is in services and that the cloud is all about services.

1 Comment | Books, Blogs, etc., Cloud Computing, Software Development | Tagged: Account Services Organization, CapEx, cloud computing, commoditization, Consumption Gap, micro-transaction, OpEx, recommendation engine, service, transformation, usage data | Permalink
Posted by Ray Sinnema

How To Remove Friction From Your Version Control Experience

2013-02-18

Error Last week, I spend several days fixing a bug that only surfaced in a distributed environment.

I felt pressure to fix it quickly, because our continuous integration build was red, and we treat that as a “stop the line” event.

Then I came across a post from Tomasz Nurkiewicz who claims that breaking the build is not a crime.

Tomasz argues that a better way to organize software development is to make sure that breaking changes don’t affect your team mates. I agree.

Broken Builds Create Friction

Breaking changes from your co-workers are a form of friction, since they take away time and focus from your job. Tomasz’ setup has less friction than ours.

But I feel we can do better still. In a perfect Frictionless Development Environment (FDE), all friction is removed. So what would that look like with regard to version control?

With current version control systems, there is lots of friction. I complained about Perforce before because of that.

Git is much better, but even then there are steps that have to be performed that take away focus from the real goal you’re trying to achieve: solving the customer’s problem using software.

For instance, you still have to create a new topic branch to work on. And you have to merge it with the main development line. In a perfect world, we wouldn’t have to do that.

Frictionless Version Control

So how would a Frictionless Development Environment do version control for us?

Knowing when to create a branch is easy.

All work happens on a topic branch, so every time you start to work on something, the FDE could create a new branch.

The problem is knowing when to merge. But even this is not as hard as it seems.

You’re done with your current work item (user story or whatever you want to call it) when it’s coded, all the tests pass, and the code is clean.

So how would the FDE know when you’re done thinking of new tests for the story?

Well, if you practice Behavior-Driven Development (BDD), you start out with defining the behavior of the story in automated tests. So the story is functionally complete when there is a BDD test for it, and all scenarios in that test pass.

Now we’re left with figuring out when the code is clean. Most teams have a process for deciding this too. For instance, code is clean when static code analysis tools like PMD, CheckStyle, and FindBugs give no warnings.

Some people will argue that we need a minimum amount of code coverage from our tests as well. Or that the code needs to be reviewed by a co-worker. Or that Fortify must not find security vulnerabilities. That’s fine.

The basic point is that we can formally define a pipeline of processes that we want to run automatically.

At each stage of the pipeline can we reject the work. Only when all stages complete successfully, are we done.

And then the FDE can simply merge the branch with the main line, and delete it. Zero friction from version control.

What do you think?

Would you like to lubricate your version control experience? Do you think an automated branching strategy as outlined above would work?

Leave a Comment » | Software Development | Tagged: andon, BDD, branch, CheckStyle, clean code, continuous integration, FDE, FindBugs, Foritify, friction, Git, merge, Perforce, PMD, process pipeline, SCM, security, static code analysis, topic branch, user story | Permalink
Posted by Ray Sinnema

Secure Software Development

Adventures in JavaScript: Getting Started

Preparations: Adding JavaScript Support to Eclipse

First Exercise: Roman Numerals

Reflections

How To Remove Friction From Your Version Control Experience

Broken Builds Create Friction

Frictionless Version Control

What do you think?

Recent Posts

Archives

Categories

Tags

Twitter

Follow “Secure Software Development”